Managing updates to local cached credentials for remote users in a hybrid Active Directory environment

Among the many issues remote users face, forgotten passwords can be a significant roadblock to productivity, as they require help from an administrator. When a user logs on to an Active Directory (AD) domain, Windows securely caches the domain credentials and stores them locally on the user’s machine. This lets a user, especially one who is often traveling or working off-site, log on to their machine when they aren’t connected to the corporate network.

However, when a remote user forgets their password, there’s no way they can reset it on their own. Even if the remote user were to use a third-party solution to reset the password while they’re disconnected from the corporate network, the machine won’t be able to communicate with a domain controller. As a result, the new domain password and the cached credentials won’t match, and the user won’t be able to log on to their machine until they’re reconnected to the AD network.

Computers in hybrid AD environments can authenticate either through Azure AD or on-premises AD. Azure AD users can use the self-service password reset (SSPR) feature provided by Microsoft to reset their forgotten passwords. The password writeback feature in Azure AD Connect allows password changes made in the cloud to be written back to the existing on-premises AD. However, these options do not update the locally cached password until the computer is connected to the on-premises AD, meaning the remote user still won’t be able to log on.

ADSelfService Plus is an alternative solution that helps remote users by automatically updating the cached credentials immediately after they reset their AD passwords. All that’s required is a virtual private network (VPN) client on the user’s machine to establish a connection with the AD domain. For example, see Figure 1 below.


Figure 1. Updating Windows cached credentials using ADSelfService Plus.

By letting users self-reset their forgotten passwords from the Windows login screen, ADSelfService Plus triggers the VPN on the user’s laptop, establishes a secure connection with the domain controller, and updates the cached password, as shown in Figure 2. This allows remote users to log on to their machines using their new passwords, reducing password-related help desk calls and computer downtime.


Figure 2. How cached credentials are updated for remote users.

With ADSelfService Plus, organizations can let remote users reset their own passwords and update their locally cached credentials right from the login screen, so they can log on and work even when they’re away from the corporate network.

Try ADSelfService Plus in your environment today.

** Optrics Inc. is an Authorized ManageEngine partner

The original article can be found here:
