Windows XP domain password cache
Alex Zhao. TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb microsoft. I just wanted to say Hi! Did the information provided solve your query? Please do not hesitate to let me know if you have any further concerns or questions regarding the issue.
The SAM database stores information on each account, including the user name and the NT password hash. No password is ever stored in a SAM database, only the password hashes. Because the NT hash is unsalted, two accounts that use an identical password will also have an identical NT password hash. This allows users to seamlessly access network resources, such as file shares, Exchange Server mailboxes, and SharePoint sites, without re-entering their credentials for each remote service.
If the user logs on to Windows by using a smart card, LSASS will not store a plaintext password, but it will store the corresponding NT hash value for the account and the plaintext PIN for the smart card. If the account attribute is enabled for a smart card that is required for interactive logon, a random NT hash value is automatically generated for the account instead of the original password hash.
The password hash that is automatically generated when the attribute is set does not change. If a user logs on to Windows with a password that is compatible with LM hashes, this authenticator will be present in memory. The storage of plaintext credentials in memory cannot be disabled, even if the credential providers that require them are disabled. The stored credentials are directly associated with the LSASS logon sessions that have been started since the last restart and have not been closed.
Some of these secrets are credentials that must persist after reboot, and they are stored in encrypted form on the hard disk drive. Credentials stored as LSA secrets might include: The two types of domain controllers in AD DS that manage credentials differently are: Read-only domain controllers (RODCs) house a partial local replica with credentials for a select subset of the accounts in the domain.
By default, RODCs do not have a copy of privileged domain accounts. The database stores a number of attributes for each account, which include user name, account type, and the following: NT hash values are also retained in AD DS for previous passwords to enforce password history during password change operations. The number of password history NT hash values retained is equal to the number of passwords configured in the password history enforcement policy.
LM hashes may also be stored in the AD DS database depending on the domain controller operating system version, configuration settings, and password change frequency. Users may choose to save passwords in Windows by using an application or through the Credential Manager Control Panel applet. Any program running as that user will be able to access credentials in this store. Explicit creation: When users enter a user name and password for a target computer or domain, that information is stored and used when the users attempt to log on to an appropriate computer.
Using GPO, you can display a notification when cached credentials are used to log on. How long a cached hash resists cracking depends on the length and complexity of the password. If a password is complex, it takes a huge amount of time to brute-force it. So it is not recommended to use caching for users with local administrator permissions or, moreover, for domain admin accounts.
To mitigate security risks, you can disable credential caching on office and administrator computers. It is recommended to reduce the number of cached accounts on mobile devices to 1.
This means that even if an administrator has logged on to a computer and their credentials have been cached, the administrator's password hash will be overwritten after the device owner logs on. For AD domains with functional level Windows Server R2 or newer, you can add domain administrator accounts to the Protected Users group. Local credential caching is prohibited for this security group. Such policies reduce the chance of privileged user hashes being obtained from domain-joined devices.
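The following PowerShell script is an added example, not code from the page or from Microsoft, that audits the mitigations described above on the local machine and can apply them. It assumes the well-known registry values behind the two GPO settings (CachedLogonsCount under the Winlogon key for "Number of previous logons to cache", and ReportControllerMissing under Policies\System for the logon-server-unavailable notification); the recommended counts (0 for office and administrator computers, 1 for mobile devices) are the page's own. The Protected Users check is only run when the ActiveDirectory module is installed.

```powershell
# Added example: audit (and with -Apply, set) cached-logon hardening on this computer.
# Profile choices follow the page: Office/Admin -> no caching, Mobile -> one cached account.
[CmdletBinding()]
param(
    [ValidateSet('Office', 'Admin', 'Mobile')]
    [string]$Profile = 'Office',
    [switch]$Apply
)

# Registry values that back the GPO settings (assumed from documented defaults, not from the page).
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Page recommendation: 0 cached logons on office/admin machines, 1 on mobile devices.
$recommended = @{ Office = 0; Admin = 0; Mobile = 1 }[$Profile]

function Get-CachedLogonState {
    # CachedLogonsCount is a REG_SZ; when absent Windows uses its default of 10.
    $count  = (Get-ItemProperty -Path $winlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    $report = (Get-ItemProperty -Path $policyKey -Name ReportControllerMissing -ErrorAction SilentlyContinue).ReportControllerMissing
    [pscustomobject]@{
        CachedLogonsCount       = if ($null -eq $count) { 10 } else { [int]$count }
        ReportControllerMissing = ($report -eq 'TRUE')
    }
}

$state = Get-CachedLogonState
Write-Host ("Cached logons allowed : {0} (recommended for {1}: {2})" -f $state.CachedLogonsCount, $Profile, $recommended)
Write-Host ("Cached-logon notice   : {0}" -f $(if ($state.ReportControllerMissing) { 'enabled' } else { 'disabled' }))

if ($state.CachedLogonsCount -gt $recommended) {
    Write-Warning "Too many cached logons: a privileged user's hash could survive on this device."
}
if (-not $state.ReportControllerMissing) {
    Write-Warning "Users are not notified when a cached credential is used to log on."
}

if ($Apply) {
    # Note: if these settings are managed by a domain GPO, Group Policy refresh will reset them;
    # in that case change the GPO rather than the local registry.
    Set-ItemProperty -Path $winlogonKey -Name CachedLogonsCount -Value ([string]$recommended) -Type String
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name ReportControllerMissing -Value 'TRUE' -Type String
    Write-Host "Applied: CachedLogonsCount=$recommended, ReportControllerMissing=TRUE"
}

# Optional domain check: every Domain Admins member should also be in Protected Users,
# since that group's members are never cached locally (requires the RSAT ActiveDirectory module).
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
                 Select-Object -ExpandProperty SamAccountName
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            if ($protected -notcontains $_.SamAccountName) {
                Write-Warning ("Domain admin '{0}' is not in Protected Users; its hash may be cached on workstations." -f $_.SamAccountName)
            }
        }
} else {
    Write-Host "ActiveDirectory module not found; skipping Protected Users check."
}
```

Run it from an elevated prompt as `.\Audit-CachedLogons.ps1 -Profile Mobile` to report only, and add `-Apply` to write the recommended values. Because the Winlogon value is a string rather than a DWORD, the script writes it with `-Type String`; setting it any other way is silently ignored by Windows.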