Sunday, June 21, 2009

Create cached credentials without an interactive logon using runas or logonusera

Useful tidbit I used in a migration once upon a time…. you can create the cached credentials for a domain user by using runas.exe or coding with logonusera in some code then you’ll be able to logon interactively as that user from ctrl+alt+del without the domain being avaialble at logon. This works as long as the machine’s domain is not changed. Changing the domain can change the cert / hashing using to hash and store the credentials in the registry and also can force the OS to clear all cached credentials. I’ve found this useful when migrating users where the VPN solution is only available after logon and not at the logon screen. Obviously if you can see the domain at the logon screen then it doesn’t matter… also if you want to create an admin back door, for use when a user is roaming for remote debugging and support, using a domain account and not a local account you can send the code to create the cached credentials and not have to logon interactivel

No comments:

Post a Comment

Search Brian Hehir's sites