Reset the cached domain passwords

When employees change their domain passwords, they may still run into issues if their devices have stored old credentials. To avoid login failures and security risks, it’s crucial to reset the cached domain passwords on local machines. Whether employees are working remotely or in the office, ensuring their devices sync with the latest credentials helps maintain seamless access to corporate resources. In this guide, we’ll walk you through how to reset cached domain passwords and ensure a smooth authentication process.

Routine requests for password resets continue to be the leading support call driver. Gartner estimates that between 20% and 50% of all support calls are related to password resets. Allowing users to securely manage their own passwords will reduce not only the number of calls but also the risk associated with service desk resets, especially if the service desk does not have a secure process for verifying users.

When considering a self-service password reset solution for remote workers, you will need to consider how the locally cached credentials are handled.

When a user signs in to a domain-joined computer while in the office, a cached copy of their password hash is stored locally on their machine. This allows the computer to verify the user if a domain controller cannot be reached for authentication, and enables access to network resources, even when working remotely.

The cached credentials lockout challenge

If your organization is enforcing password expirations, and a remote user fails to update their password before it expires, they will not be able to log on to the VPN or remote desktop. Any attempts to change or reset their password on their own, without a VPN or remote desktop connection, will fail. The only solution is to contact the service desk and have them reset the password. However, that process can be cumbersome, as outlined in this remote password reset blog.

By design, Microsoft does not offer any solutions to update the locally cached credentials. In fact, organizations using Azure AD Self-Service Password Reset to reset passwords using password write-back should note that updating cached credentials is not supported.

Preventing password expirations

You can get around this issue by identifying which accounts have passwords that are approaching expiration. Our password notification tool can be used to send password expiration reminders to users, encouraging them to change their passwords before they expire.
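As an added example (not Specops code and not the notification tool mentioned above), the following PowerShell lists enabled accounts whose passwords expire within a warning window, using the computed `msDS-UserPasswordExpiryTimeComputed` attribute so that fine-grained password policies are taken into account. The function name `Get-ExpiringPassword` and the 14-day default window are assumptions for illustration; the ActiveDirectory (RSAT) module is required.

```powershell
# Added example: requires the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-ExpiringPassword {
    [CmdletBinding()]
    param(
        # Assumption: 14-day warning window; adjust to your password policy.
        [int]$WithinDays = 14,
        # Optional: distinguished name of an OU to limit the search.
        [string]$SearchBase
    )

    $now    = Get-Date
    $cutoff = $now.AddDays($WithinDays)

    $query = @{
        # Only enabled accounts whose passwords are subject to expiration.
        Filter     = 'Enabled -eq $true -and PasswordNeverExpires -eq $false'
        Properties = 'msDS-UserPasswordExpiryTimeComputed', 'mail', 'PasswordLastSet'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADUser @query | ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'

        # Int64.MaxValue = password never expires; 0 or empty = no expiry date
        # to report (e.g. "must change at next logon"). Skip both so that
        # FromFileTime does not throw on an out-of-range value.
        if (-not $raw -or $raw -eq [Int64]::MaxValue) { return }

        $expires = [DateTime]::FromFileTime($raw)
        if ($expires -gt $cutoff) { return }   # outside the warning window

        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            Mail            = $_.mail
            PasswordLastSet = $_.PasswordLastSet
            Expires         = $expires
            DaysLeft        = [math]::Floor(($expires - $now).TotalDays)
            AlreadyExpired  = $expires -lt $now
        }
    } | Sort-Object Expires
}

# Accounts expiring in the next 14 days, soonest first.
Get-ExpiringPassword -WithinDays 14 | Format-Table -AutoSize
```

Rows with `AlreadyExpired` set to true are the accounts most likely to hit the remote lockout described above, since those users can no longer establish a VPN session to change the password themselves.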

How to reset the cached domain password

By following these steps, users can reset their cached domain passwords with Specops uReset and regain access without IT intervention. This ensures business continuity and improves overall security by preventing login issues caused by outdated credentials. For any questions or issues, please refer to our customer support.

  1. Initiate a Password Reset with Specops uReset

    If the user has forgotten their password or needs to change it, they can access Specops uReset from the login screen or the self-service portal.
    Click on “Forgot Password?” or visit the uReset web portal.

  2. Verify Identity Through Multi-Factor Authentication

    Specops uReset will prompt the user to authenticate using pre-configured identity services such as mobile verification, biometrics, email authentication, and security questions.
    After successful verification, the user can proceed with resetting their password.

  3. Create a New Domain Password

    Enter a new password that meets the organization’s security policies.
    Confirm the new password and complete the reset process.

  4. Connect to the Corporate Network (If Possible)

    If the device is connected to the corporate network (via VPN or physically), the new password should sync automatically.
    Users should try logging in with the new password to verify successful synchronization.

  5. Manually Update Cached Credentials (For Offline Users)

    If the user cannot connect to the corporate network:
    – Restart the device.
    – At the login screen, enter the old password once. If login fails, try the new password.
    – If both attempts fail, click on “Reset Password” (if uReset is installed on the login screen).
    – Authenticate using multi-factor authentication again and reset the password locally.

  6. Verify Successful Login

    Once logged in, test access to corporate resources (email, VPN, or shared drives) to confirm the password is fully synced.
    Encourage users to reboot once more to ensure the cached credentials are updated correctly.

If you’re interested in eliminating password reset calls to the service desk with a solution that can also update locally cached credentials, check out our password management solution Specops uReset. The solution allows users to securely reset, change or unlock their accounts from anywhere and on any device. User adoption is streamlined by pre-enrolling users with their mobile number from Active Directory. This means that they can immediately receive one-time codes to verify their identity during a self-service password reset.

(Last updated on March 31, 2025)
