Bdtyktl

I am a programmer and finance guy who is reluctantly in charge of IT, among any other more appropriate departments, at our eight person firm. I'm very new to IT, so please bear with me and assume I know very little.

We have a limited number of shared/vacation laptops that trade hands a lot. Despite my guidance, employees take off with a laptop that doesn't have their credentials cached so they can't login. (I try to get them to login before they head out!)

How can I cache all of the credentials to each of the traveling laptops? And is this wise? Suggestions welcome for alternative (free) solutions that solve this in a different way.

Laptop: Windows 7 without local admin rights,
Server: Windows 2008 R2

The answer: No.

As Schroeder mentions in his comment, the way this is to be done is to require staff to log into the computer while it is still connected in the office.

There is a setting that can be configured in Group Policy that tells a computer how many credentials it can recall, which allows a staffmember or two or three to login to a computer in the office and then take the computer out of the office and still be able to log in, but even this has its limits.

The problem with what you're asking for is that you would essentially be asking the computer to retain a copy of authentication for all of the user accounts on a domain, and to ask for any updated information about this user accounts such as changed passwords or names or permissions, whenever it does change.

First this is impractical because the laptops would have to be connected to the domain anyways to get this information and why doesn't the borrowing user just log in before they leave anyway, and second it is highly insecure.

If a computer remembering one account's information leaves the office and is stolen, you reset the information on that one account. But if you have ALL of the information for ALL of the domain accounts on that laptop, you have trouble, spelled with a capital "T".

As part of your new role you also are the enforcer, and the rules have to be, both for the safety of the company information, and for your sanity, that staff MUST log into the computer BEFORE they leave the office or they are out of luck.

Their forgetting what they have been told is no reason for you to have to panic. They are not two year olds. They are adults who can understand and follow instructions. I assume.

UPDATE: Suggested Process & Magic Workaround

Suggested Process

Option 1: Keep all the loaner laptops secured in your office, at your tech desk, etc. When people come to check them out from you have them login to them before they leave. Bonus benefit: You know the laptop is working.

Option 2: Give the CEO a laptop of their own for their only computer. Then they're already logged in.

Magic Workaround

Don't just give this one away. Keep it for those times you really need a bacon saved or brownie points banked and use it only sparingly.

Set up a VPN connection of some sort, and then configure a VERY limited local account on all the laptops that ONLY connects to an available internet connection and triggers the VPN connection.

You can do this in such a way that not even the taskbar or desktop icons show up in this limited account

Once the VPN is connected have the remote user who could not be bothered to follow instructions press CTRL-ALT-DEL and select Change Password. In this dialog you can change passwords BESIDES the logged in account simply by entering the domainusername of the account you wish to cache. Once the user has changed the password for their own account on this computer, the accounts credentials will then be cached, and they'll be able to log in normally.

There's still a little punishment because they had to change their password, but that should hopefully serve as reminder to do things the right way next time.

Not debating on whether it is correct practice or not. But the only way to cache credentials in windows is using credentials manager. You can script using command line tool "cmdkey" like this :

cmdkey /add:server01 /user:mikedan /pass:Kleo