Windows domain credential caching
The storage of plaintext credentials in memory cannot be disabled, even if the credential providers that require them are disabled. The stored credentials are directly associated with the LSASS logon sessions that have been started since the last restart and have not been closed. Some of these secrets are credentials that must persist after reboot, and they are stored in encrypted form on the hard disk drive.
Several kinds of credentials are stored as LSA secrets. AD DS has two types of domain controllers that manage credentials differently: writable domain controllers and read-only domain controllers. Read-only domain controllers (RODCs) house a partial local replica with credentials for a select subset of the accounts in the domain.
By default, RODCs do not have a copy of the credentials of privileged domain accounts. The database stores a number of attributes for each account, including user names and the password hash values described next. NT hash values are also retained in AD DS for previous passwords to enforce password history during password change operations.
The number of password history NT hash values retained is equal to the number of passwords configured in the password history enforcement policy. LM hashes may also be stored in the AD DS database depending on the domain controller operating system version, configuration settings, and password change frequency.
Users may choose to save passwords in Windows by using an application or through the Credential Manager Control Panel applet. Any program running as that user will be able to access credentials in this store.
Explicit creation: When users enter a user name and password for a target computer or domain, that information is stored and used when the users attempt to log on to an appropriate computer. If no stored information is available and users supply a user name and password, they can save the information. If the user decides to save the information, Credential Manager receives and stores it.
System population: When the operating system attempts to connect to a new computer on the network, it supplies the current user name and password to the computer.
If this is not sufficient to provide access, Credential Manager attempts to supply the necessary user name and password. All stored user names and passwords are examined, from most specific to least specific as appropriate to the resource, and the connection is attempted in the order of those user names and passwords. Because user names and passwords are read and applied in order, from most to least specific, no more than one user name and password can be stored for each individual target or domain.
Credential Manager uses the Credential Locker, formerly known as Windows Vault, for secure storage of user names and passwords.
Because an RODC holds no password by default, the logon must be validated against a writable domain controller, and this happens every time users log in. However, a read-only domain controller can be configured to cache user passwords using a Password Replication Policy (PRP). During subsequent logins, users are authenticated directly by the read-only DC. Caching can also help when a read-only DC is configured at the data center of the main office and then shipped to the branch office.
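As an added example (not from the original page), the following PowerShell audit lists what an RODC's PRP permits and which accounts' passwords it has actually cached, then flags any cached account that is privileged; it assumes the RSAT ActiveDirectory module and uses an assumed placeholder RODC name.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module
# and an account permitted to read the RODC's password replication policy.
Import-Module ActiveDirectory

$Rodc = 'RODC01'   # placeholder name of the read-only domain controller

# Accounts and groups the PRP explicitly allows or denies for caching on this RODC
$Allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
$Denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied

# Accounts whose passwords are already cached ("revealed") on the RODC, and accounts
# that have authenticated through it (candidates for caching if the PRP allows them)
$Revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$Authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts

# Flag cached accounts that are privileged; adminCount=1 marks AdminSDHolder-protected objects
$RevealedPrivileged = foreach ($acct in $Revealed) {
    $obj = Get-ADObject -Identity $acct.DistinguishedName -Properties adminCount
    if ($obj.adminCount -eq 1) { $obj }
}

$NotYetCached = $Authenticated | Where-Object {
    $_.DistinguishedName -notin $Revealed.DistinguishedName
}

"Allowed PRP entries            : $(@($Allowed).Count)"
"Denied PRP entries             : $(@($Denied).Count)"
"Cached (revealed) accounts     : $(@($Revealed).Count)"
"Authenticated but not cached   : $(@($NotYetCached).Count)"

if ($RevealedPrivileged) {
    Write-Warning "Privileged accounts cached on $Rodc (expected: none):"
    $RevealedPrivileged | Select-Object Name, DistinguishedName | Format-Table -AutoSize
}
```

A privileged account appearing in the cached list means the PRP allow list is broader than the default and should be reviewed against the Denied RODC Password Replication Group.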
In this article, I'll show you how to configure credential caching on a read-only domain controller running Windows Server. Step 1. Open the Server Manager dashboard.