
Active Directory cached credentials update using ADSelfService Plus


Updating Windows cached credentials

Remote users often struggle to reset expiring passwords and update their machine's outdated credential cache because they lack a connection to Active Directory. And in instances when they lose machine access due to an expired password, they are unable to reach out to the help desk for assistance and experience decreased productivity.

ADSelfService Plus, an identity security solution with adaptive MFA, SSO, and password management capabilities, enables users to securely reset their Active Directory passwords even when they have no connection to Active Directory. It automatically updates the cached domain credentials on their Windows machines remotely using a VPN client. Cached credentials can also be updated without a VPN when an organization does not have VPN infrastructure or uses a VPN vendor not supported by ADSelfService Plus.

What are Active Directory cached credentials?

When a user logs in to an Active Directory domain for the first time, the login credentials are cached locally on their machine. These cached credentials are updated each time the machine is connected to Active Directory, i.e., to the corporate network, during login. When a remote user who is not connected to the corporate network logs in to their machine, their login information is verified locally against the cached credentials stored on their machine. If the verification succeeds, they can access the machine. In short, cached credentials allow users to log in to their machines even when they have no way of reaching the Active Directory domain controller for authentication.
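To see which of the two logon paths described above a given machine would take right now, an administrator can check the cached-logon limit and whether a domain controller is reachable. This is an added example, not ADSelfService Plus code; it assumes the standard Windows `CachedLogonsCount` registry value and the built-in `nltest.exe` tool, and the function names are hypothetical.

```powershell
# Added example (not part of ADSelfService Plus): report whether a logon on this
# machine would be verified by a domain controller or by the local credential cache.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonLimit {
    # CachedLogonsCount is stored as a string; Windows uses 10 when it is absent.
    # A value of 0 disables cached logons entirely.
    $item = Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }
    return [int]$item.CachedLogonsCount
}

function Test-DomainControllerReachable {
    param([Parameter(Mandatory)][string]$Domain)
    # nltest /dsgetdc locates a DC for the domain; /force bypasses the locator cache
    # so a result from the last time the machine was on the corporate network is not reused.
    nltest.exe "/dsgetdc:$Domain" /force 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Output 'Machine is not domain joined; cached domain logons do not apply.'
} else {
    $limit  = Get-CachedLogonLimit
    $online = Test-DomainControllerReachable -Domain $cs.Domain

    $mode = if ($online) {
        'Domain controller (cache is refreshed at logon)'
    } elseif ($limit -gt 0) {
        'Local cached credentials (may be outdated)'
    } else {
        'None: cached logons are disabled and no DC is reachable'
    }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        Domain            = $cs.Domain
        CachedLogonsCount = $limit
        DcReachable       = $online
        LogonVerifiedBy   = $mode
    }
}
```

A machine that reports `Local cached credentials` after the user changed their password on another device is the mismatch case described in the next section.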

Can cached credentials cause account lockouts?

A significant issue faced by remote users is a mismatch caused by outdated cached credentials that blocks them from accessing their machine. Mismatches in cached credentials are likely to occur when users utilize more than one device for work. Let us consider an employee working in the hybrid model using two different devices—a desktop device at the office and a laptop at home. Say the employee recently changed their Active Directory password while working from the office on their domain-connected desktop device. Their laptop's cached credentials would still contain the old password since the device does not have a connection to the corporate network for an update. Forgetting this, the employee may try to log in with their new password on their laptop while working remotely, and they may get locked out after multiple attempts.

Alternatively, let us assume that after a couple of attempts, the employee realizes that their laptop still has the old password cached and continues to use it during login. However, in the unlikely event that the employee brings their laptop to the office, it connects to the corporate network and the cached credentials are updated without their knowledge. The employee might then habitually enter their old password during login and get locked out after multiple attempts.

How to update Windows cached credentials without connecting to a domain controller

After every password reset or change, ADSelfService Plus provides a cached credentials update for remote users either using a VPN client or without using a VPN client. It comes bundled with a GINA/Credential Provider client, also known as the Windows login agent, that allows remote users to perform a secure self-service password reset right from their login screens and forcefully updates their Windows machine's cached credentials afterwards.

How the Windows cached credentials update works in ADSelfService Plus

Using a VPN client

Here's how ADSelfService Plus' cached credentials update via VPN works for remote Windows users.

  • When a remote user forgets their Active Directory password, they use ADSelfService Plus’ login agent to reset their password from their login screen.
  • After users verify their identity through MFA and reset their password, ADSelfService Plus updates Active Directory with the new password.
  • The new password is also sent to the login agent on the user's machine.
  • The login agent automatically establishes a secure connection with Active Directory through VPN and initiates a request for updating the locally cached credentials.
  • Once the request is successfully approved by Active Directory, the cached credentials on the user's machine are automatically updated.

Without using a VPN client

Here's how ADSelfService Plus' cached credentials update works for remote Windows users without using a VPN.

  • When a remote user forgets their Active Directory password, they use ADSelfService Plus’ login agent to reset their password from their login screen.
  • After users verify their identity through MFA and reset their password, ADSelfService Plus updates Active Directory with the new password.
  • Once the new password is updated in Active Directory, the login agent automatically updates the local cache on users' machines with the new password.

Windows versions that support cached credentials update using ADSelfService Plus

Windows server versions: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008

Windows client versions: Windows 11, Windows 10, Windows 8.1, Windows 8, Windows 7, and Windows Vista

VPN providers that ADSelfService Plus supports for Windows cached credentials update

  • Fortinet
  • Cisco IPSec
  • Cisco AnyConnect
  • Windows Native VPN
  • SonicWall NetExtender
  • Checkpoint EndPoint Connect
  • SonicWall Global VPN
  • OpenVPN
  • Custom VPN

Benefits of updating Windows cached credentials using ADSelfService Plus

  • Reduce password reset calls: Empower remote users with self-service password reset and cached credentials update features, and limit password-related help desk tickets.
  • Improve employee productivity: Give remote users the ability to regain access to their machines quickly even if they forget their passwords, which helps avoid any major business interruptions.
  • Reduce costs: Resetting passwords through help desk assistance and connecting machines to the corporate network for a cached credentials update are both time-consuming and expensive processes, which can be easily eliminated using ADSelfService Plus.


ADSelfService Plus also supports

  • Adaptive MFA: Enable context-based MFA with 19 different authentication factors for endpoint and application logins.
  • Enterprise single sign-on: Allow users to access all enterprise applications with a single, secure authentication flow.
  • Remote work enablement: Enhance remote work with cached credential updates, secure logins, and mobile password management.
  • Powerful integrations: Establish an efficient and secure IT environment through integration with SIEM, ITSM, and IAM tools.
  • Enterprise self-service: Delegate profile updates and group subscriptions to end users and monitor these self-service actions with approval workflows.
  • Zero Trust: Create a Zero Trust environment with advanced identity verification techniques and render your networks impenetrable to threats.