How to cache credentials on Windows

Solution 1:

The answer: No.

As Schroeder mentions in his comment, the way this is to be done is to require staff to log into the computer while it is still connected in the office.

There is a setting that can be configured in Group Policy that tells a computer how many credentials it can recall, which allows a staff member or two or three to log in to a computer in the office and then take the computer out of the office and still be able to log in, but even this has its limits.

The problem with what you're asking for is that you would essentially be asking the computer to retain a copy of authentication for all of the user accounts on a domain, and to ask for any updated information about these user accounts, such as changed passwords or names or permissions, whenever it does change.

First, this is impractical because the laptops would have to be connected to the domain anyway to get this information, and why doesn't the borrowing user just log in before they leave anyway? Second, it is highly insecure.

If a computer remembering one account's information leaves the office and is stolen, you reset the information on that one account. But if you have ALL of the information for ALL of the domain accounts on that laptop, you have trouble, spelled with a capital "T".

As part of your new role you also are the enforcer, and the rules have to be, both for the safety of the company information, and for your sanity, that staff MUST log into the computer BEFORE they leave the office or they are out of luck.

Their forgetting what they have been told is no reason for you to have to panic. They are not two year olds. They are adults who can understand and follow instructions. I assume.

UPDATE: Suggested Process & Magic Workaround

Suggested Process

Option 1: Keep all the loaner laptops secured in your office, at your tech desk, etc. When people come to check them out from you have them login to them before they leave. Bonus benefit: You know the laptop is working.

Option 2: Give the CEO a laptop of their own for their only computer. Then they're already logged in.

Magic Workaround

Don't just give this one away. Keep it for those times you really need bacon saved or brownie points banked, and use it only sparingly.

Set up a VPN connection of some sort, and then configure a VERY limited local account on all the laptops that ONLY connects to an available internet connection and triggers the VPN connection.

You can do this in such a way that not even the taskbar or desktop icons show up in this limited account.

Once the VPN is connected, have the remote user who could not be bothered to follow instructions press CTRL-ALT-DEL and select Change Password. In this dialog you can change passwords for accounts BESIDES the logged-in account simply by entering the domain\username of the account you wish to cache. Once the user has changed the password for their own account on this computer, the account's credentials will then be cached, and they'll be able to log in normally.

There's still a little punishment because they had to change their password, but that should hopefully serve as a reminder to do things the right way next time.
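The following PowerShell script is an added example and is not code from the answer's author. It puts the two technical pieces of the answer into practice on a loaner laptop: it audits and lowers the Group Policy cached-logon limit (the registry value `CachedLogonsCount` under the Winlogon key, which is what the policy "Interactive logon: Number of previous logons to cache" writes), and it builds the VPN-only local account by giving that account a custom shell (the "Custom User Interface" user policy) that just dials the VPN and logs off. The VPN profile name `CorpVPN`, the account name `vpnkiosk`, the limit of 2 cached logons and the launcher path are assumptions for the example; adjust them for your environment. It must run elevated on the laptop itself.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original answer. Assumed values: VPN profile
# "CorpVPN", limited local account "vpnkiosk", a cached-logon limit of 2.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$KioskUser   = 'vpnkiosk'              # assumed name of the VPN-only account
$VpnName     = 'CorpVPN'               # assumed name of the existing VPN profile
$LauncherDir = 'C:\ProgramData\VpnKiosk'
$CacheLimit  = 2                       # assumed: enough for the people sharing a loaner

# 1. The cached-logon limit. Winlogon stores it as REG_SZ; the Windows default
#    is 10 and the valid range is 0-50. Every cached entry above the number of
#    people who really share the laptop is extra material for whoever steals it.
function Get-CachedLogonsCount {
    $v = (Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount `
            -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $v) { return 10 }    # value absent means the default applies
    return [int]$v
}

function Set-CachedLogonsCount {
    param([ValidateRange(0, 50)][int]$Count)
    # Written as a string on purpose: the value type is REG_SZ.
    Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount `
        -Value ([string]$Count) -Type String
}

$current = Get-CachedLogonsCount
Write-Host "CachedLogonsCount is currently $current"
if ($current -gt $CacheLimit) {
    Write-Host "Lowering CachedLogonsCount to $CacheLimit"
    Set-CachedLogonsCount -Count $CacheLimit
}

# 2. The VERY limited local account: a standard user, never an administrator.
#    Its password only gets someone as far as the VPN prompt.
if (-not (Get-LocalUser -Name $KioskUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for local account $KioskUser"
    New-LocalUser -Name $KioskUser -Password $pw -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'VPN-only loaner account' | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $KioskUser -ErrorAction SilentlyContinue
}

# 3. The launcher that replaces explorer.exe for that account: dial the VPN,
#    tell the user what to do next, then log off. No taskbar, no desktop.
New-Item -ItemType Directory -Path $LauncherDir -Force | Out-Null
@"
@echo off
rasdial "$VpnName"
echo.
echo Press Ctrl+Alt+Del, choose "Change a password", and enter DOMAIN\yourname
echo to cache your own domain account. Close this window when you are done.
pause
shutdown /l
"@ | Set-Content -Path "$LauncherDir\vpnkiosk.cmd" -Encoding ASCII

# 4. Point only this account's shell at the launcher. The per-user "Custom User
#    Interface" policy lives in the account's own hive, which exists only after
#    its first logon, so load NTUSER.DAT from disk if it is there.
$profilePath = "C:\Users\$KioskUser\NTUSER.DAT"
if (Test-Path $profilePath) {
    reg.exe load "HKU\$KioskUser" $profilePath | Out-Null
    $policyKey = "Registry::HKEY_USERS\$KioskUser\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    New-Item -Path $policyKey -Force | Out-Null
    Set-ItemProperty -Path $policyKey -Name Shell -Value "$LauncherDir\vpnkiosk.cmd" -Type String
    [gc]::Collect()                    # drop hive handles so the unload succeeds
    reg.exe unload "HKU\$KioskUser" | Out-Null
} else {
    Write-Warning "No profile for $KioskUser yet. Log that account in once, then rerun this step to set its shell."
}
```

The shell swap is done per user rather than in the machine-wide Winlogon `Shell` value so that domain users still get a normal desktop; only the kiosk account is stuck in the launcher. Keep the cached-logon limit as low as the real sharing pattern allows, since a stolen laptop exposes exactly that many domain accounts' cached verifiers to offline cracking.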