Cached Credentials - AD Group Memberships

[Guest]

All:

We currently have the following feature configured in our production
environment:
* Interactive logon: Number of previous logons to cache - 5

The setting listed above is configured via a gpo and is being applied to all
corporate computers.

Issue
Online - When logged on to the network and runs "gpresult /v", you can see
all the AD groups that particular user is a member of (About 9 groups)

Offline - When a user logs on to a machine and runs "gpresult /v", you only
see default groups that particular user is a member of:
- Everyone
- Builtin\Users
- NT AUTHORITY\INTERACTIVE
- NT AUTHORITY\Authenticated Users
- Local

Question
* If the cached option is enabled, why is the user not retaining a copy of
their AD group memberships when logging on to a machine (offline) using their
cached credentials?

I was under the impression that the cached option caches (or takes a
snapshot) of the user's AD group membership list.

Thank you all in advance!

thrillerIT

 

[Steven L Umbach]

I think what is happening is that gpresult is not showing the domain
membership if it can not query a domain controller. Try using whoami /groups
which may be better in showing the contents of the user security token. If
you do not have whoami it is part of the support tools that can be
downloaded at the link below.

Steve

http://www.microsoft.com/downloads/...76-9bb9-4126-9761-ba8011fabf38&displaylang=en

 

[Steve Riley [MSFT]]

The cached credential is not a complete Kerberos ticket or Winlogon token.
Instead, it is only a "password verifier," that is, a hash of your password
hash salted with your user ID:

PasswordVerifier = Hash( Hash( Password ) + UserID )

This is not enough information to redisplay group membership details when
you're disconnected from the domain. When disconnected, there's no need to
know group membership anyway since you aren't accessing resources controlled
by ACLs.