Cached Credentials - AD Group Memberships

We currently have the following feature configured in our production environment:
* Interactive logon: Number of previous logons to cache - 5

The setting listed above is configured via a GPO and is being applied to all
corporate computers.

Online - When a user is logged on to the network and runs "gpresult /v", you can see
all the AD groups that particular user is a member of (about 9 groups).

Offline - When a user logs on to a machine and runs "gpresult /v", you only
see default groups that particular user is a member of:
- Everyone
- Builtin\Users
- NT AUTHORITY\Authenticated Users
- Local

* If the cached option is enabled, why is the user not retaining a copy of
their AD group memberships when logging on to a machine (offline) using their
cached credentials?

I was under the impression that the cached option caches (or takes a
snapshot of) the user's AD group membership list.

Thank you all in advance!


Steve Riley [MSFT]

The cached credential is not a complete Kerberos ticket or Winlogon token.
Instead, it is only a "password verifier," that is, a hash of your password
hash salted with your user ID:

PasswordVerifier = Hash( Hash( Password ) + UserID )

This is not enough information to redisplay group membership details when
you're disconnected from the domain. When disconnected, there's no need to
know group membership anyway since you aren't accessing resources controlled
by ACLs.
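The verifier formula above, modelled as an added example (this is not code from the thread and not Microsoft's implementation): SHA-256 stands in for the unspecified "Hash", and the LogonCache class, its method names and the sample user IDs and passwords are all constructed here. It shows why an offline logon can confirm a password but cannot rebuild the group list, and how the "Number of previous logons to cache" limit evicts the oldest entry.

```python
import hashlib
import hmac
from collections import OrderedDict


def password_verifier(password: str, user_id: str) -> bytes:
    """PasswordVerifier = Hash( Hash( Password ) + UserID ), as stated in the post.

    Assumption: SHA-256 is used for "Hash" purely as an illustration; it is not
    the algorithm Windows actually uses. The user ID is lower-cased so that
    CORP\\alice and corp\\ALICE resolve to the same entry.
    """
    password_hash = hashlib.sha256(password.encode("utf-16-le")).digest()
    return hashlib.sha256(password_hash + user_id.lower().encode("utf-16-le")).digest()


class LogonCache:
    """Constructed model of 'Interactive logon: Number of previous logons to cache'.

    Each entry holds only the verifier. No token, ticket or group list is stored,
    so nothing here can answer 'which AD groups is this user in?' while offline.
    """

    def __init__(self, max_entries: int = 5):  # 5 matches the GPO value in the question
        self.max_entries = max_entries
        self._entries = OrderedDict()  # user_id (lower-cased) -> verifier bytes

    def record_online_logon(self, user_id: str, password: str, groups: list) -> dict:
        """Online logon: the DC builds a full token with group SIDs for this session.

        Only the verifier reaches the cache; the returned token lives in memory and
        is gone at logoff, which is why it is not available to later offline logons.
        """
        key = user_id.lower()
        self._entries[key] = password_verifier(password, user_id)
        self._entries.move_to_end(key)
        while len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)  # evict the least recently used user
        return {"user": user_id, "groups": list(groups)}

    def offline_logon(self, user_id: str, password: str) -> bool:
        """Offline logon: compare the supplied password against the cached verifier."""
        stored = self._entries.get(user_id.lower())
        if stored is None:
            return False  # user never logged on here, or entry was evicted
        return hmac.compare_digest(stored, password_verifier(password, user_id))

    def cached_groups(self, user_id: str):
        """Returns None for every user: the cache simply has no group data to give."""
        return None


if __name__ == "__main__":
    cache = LogonCache(max_entries=5)
    token = cache.record_online_logon("CORP\\alice", "Winter2024!", ["CORP\\Finance", "CORP\\VPN-Users"])
    print("online token groups:", token["groups"])
    print("offline logon, right password:", cache.offline_logon("CORP\\alice", "Winter2024!"))
    print("offline logon, wrong password:", cache.offline_logon("CORP\\alice", "wrong"))
    print("groups known offline:", cache.cached_groups("CORP\\alice"))
```

The eviction loop is what the GPO number controls: once a sixth distinct user logs on, the first user's verifier is dropped and that user can no longer log on offline. Group membership is never part of the entry, which is the answer to the original question.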
