Guest JN
Posted August 6, 2008

I have an odd problem. I recently had to change my users' naming conventions from just their name to first initials + last name. I did this pretty easily by just changing the users' logon names in AD so all their SIDs stayed the same, and I also updated their profile and home directory names (%USERNAME%) to reflect the new logon name.

I have a problem with some laptop users where they occasionally make the mistake of using their old username when they are not on the network. When they are on the network it is fine because they get denied logon because of the non-existing name on the domain, but when they are at home, the laptop allows them to log on with the old name and that ends up screwing up some things in their user profile until they get back into the building for me to fix.

I know I can disable caching logons, but I don't want to do that for obvious reasons for the laptop users. Is there a way I can just gut on the one old logon name from the cache?

Guest JN
Posted August 6, 2008

Re: Remove a cached credential

Never mind. I found out how to do it without having to mess with GPOs. I got the idea from another workaround that I saw for gaining access to the system under the system account.

1. Use AT to run CMD.EXE one minute from now (12:00) as follows: at 12:01 /interactive cmd.exe
2. This will open a command window at 12:01.
3. CTRL + ALT + DEL and kill the explorer.exe process.
4. From the command window type explorer.exe and you will be running as the SYSTEM account.
5. Open Regedit and go to HKLM\Security\Cache and export the keys to a .reg file.
6. Edit the REG file so all the keys that look like NL$1 - 10 are padded with 00

I would rather have found the right key for the credentials I wanted to delete, but this just clears them all for sure. Now you just need to log out and log back in again, and just the accounts you use from that point on start the cache again.

"JN" <me@here.com> wrote in message news:ucJENi%239IHA.1200@TK2MSFTNGP04.phx.gbl...
> I have an odd problem. I recently had to change my users' naming
> conventions from just their name to first initials + last name. I did this
> pretty easily by just changing the users' logon names in AD so all their
> SIDs stayed the same, and I also updated their profile and home directory
> names (%USERNAME%) to reflect the new logon name.
>
> I have a problem with some laptop users where they occasionally make the
> mistake of using their old username when they are not on the network.
> When they are on the network it is fine because they get denied logon
> because of the non-existing name on the domain, but when they are at home,
> the laptop allows them to log on with the old name and that ends up
> screwing up some things in their user profile until they get back into the
> building for me to fix.
>
> I know I can disable caching logons, but I don't want to do that for
> obvious reasons for the laptop users. Is there a way I can just gut on
> the one old logon name from the cache?
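
A way to check which NL$ slots are still populated in the .reg file exported in steps 5 and 6 above. This is an added example, not part of the original posts: the sample export is constructed, the function names are hypothetical, and treating an all-zero value as an empty slot is an assumption based on step 6.

```python
import re

# Constructed sample of a regedit export of HKLM\Security\Cache (values shortened).
# A real export is UTF-16; read it with open(path, encoding="utf-16").read().
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SECURITY\Cache]
"NL$1"=hex:00,00,00,00,00,00,00,00,\
  00,00,00,00
"NL$2"=hex:0a,00,12,00,00,00,00,00,\
  3f,9c,00,00
"NL$3"=hex:00,00,00,00
"NL$Control"=hex:04,00,01,00
'''

# Matches only the numbered slots (NL$1, NL$2, ...), not NL$Control.
VALUE_RE = re.compile(r'^"(NL\$\d+)"=hex(?:\([0-9a-f]+\))?:(.*)$', re.IGNORECASE)


def parse_cache_slots(reg_text):
    """Return {slot_name: bytes} for every NL$<n> value in a .reg export."""
    # regedit wraps long hex values with a trailing backslash; join them first.
    joined = re.sub(r'\\\r?\n\s*', '', reg_text)
    slots = {}
    for line in joined.splitlines():
        match = VALUE_RE.match(line.strip())
        if not match:
            continue
        hex_bytes = [b for b in match.group(2).split(',') if b.strip()]
        slots[match.group(1)] = bytes(int(b, 16) for b in hex_bytes)
    return slots


def populated_slots(reg_text):
    """Return the NL$ slot names whose data is not entirely zero bytes."""
    slots = parse_cache_slots(reg_text)
    live = [name for name, data in slots.items() if any(data)]
    return sorted(live, key=lambda name: int(name[3:]))


if __name__ == "__main__":
    for name in populated_slots(SAMPLE_REG):
        print(name, "still holds cached data")
```

Running it against the edited .reg file before importing it shows whether any slot was missed when padding with 00.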