Cached credentials in Active Directory and setting up machines

Solution 1:

I'm not aware of a way to push cached credentials out, and that would mean the word "cached" was poorly chosen, if such a way existed.

What about putting LogMeIn or any other remote control software on each computer before it goes out the door and having each user remotely log on to their machine before you send it out?

In my experience, the best way to do this is to not join the remote machines to the domain, but instead make a local user account and a local admin account on each machine. IT documents the local admin password and gives the user the local user password. This scenario works best with VDI and/or cloud services. Another workaround is to ship out preconfigured hardware VPN endpoints with each computer so each computer is basically on the LAN when the user logs on.

One big issue with caching credentials on 100% remote computers is that if you have any password expiration policy (which you should), it can become virtually impossible to keep the cached credentials synced with the current ones after the first expiration comes around. The best-case scenario is end-user confusion; the worst is inability to authenticate.