Reset the cached domain password for remote workers

Due to the global pandemic crisis, users are working remotely more than ever. For IT departments, this has meant more time supporting those users. Support calls lower user productivity and strain service desk resources. To ensure business continuity, organizations need to off-load service desk calls, which can be done by implementing essential self-service tools.

Routine requests for password resets continue to be the leading support call driver. Gartner estimates that between 20% and 50% of all support calls are related to password resets. Allowing users to securely manage their own passwords will not only reduce the number of calls, but also the risk associated with service desk resets, especially if the service desk does not have a secure process for verifying users.

When considering a self-service password reset solution for remote workers, you will need to consider how the locally cached credentials are handled.

When a user signs into a domain-joined computer while in the office, a cached copy of their password hash is stored locally on that machine. This allows the computer to verify the user if a domain controller cannot be reached for authentication, and enables access to network resources even when working remotely.
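As an added example (not part of the original post), the following PowerShell snippet reports whether the local machine is domain-joined and how many domain logons it will cache. It reads the real Winlogon registry value `CachedLogonsCount`, which is what the Group Policy setting "Interactive logon: Number of previous logons to cache" controls; the default of 10 applied when the value is absent is an assumption based on Windows' documented default.

```powershell
# Added example: audit the cached domain logon setting on this machine.
# Assumes it is run in an elevated PowerShell session on a Windows host.
function Get-CachedLogonSetting {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # CachedLogonsCount is stored as a REG_SZ string, e.g. "10".
    $raw = (Get-ItemProperty -Path $winlogon -Name 'CachedLogonsCount' `
                -ErrorAction SilentlyContinue).CachedLogonsCount

    # Windows caches 10 logons when the value is not set (assumed default).
    $count = if ([string]::IsNullOrEmpty($raw)) { 10 } else { [int]$raw }

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    [pscustomobject]@{
        ComputerName     = $cs.Name
        PartOfDomain     = $cs.PartOfDomain
        Domain           = $cs.Domain
        CachedLogonCount = $count
        # A value of 0 means users cannot log on without reaching a DC,
        # which is exactly the situation the text above describes.
        OfflineLogonOK   = ($cs.PartOfDomain -and $count -gt 0)
    }
}

Get-CachedLogonSetting | Format-List
```

A machine that reports `OfflineLogonOK = False` will refuse domain logons whenever no domain controller is reachable, so remote workers on such a build depend entirely on the VPN being up before they can sign in.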

The cached credentials lockout challenge

If your organization enforces password expiration, and a remote user fails to update their password before it expires, they will not be able to log on to the VPN or remote desktop. Any attempt to change or reset their password on their own, without a VPN or remote desktop connection, will fail. The only solution is to contact the service desk and have them reset the password. However, that process can be cumbersome, as outlined in this remote password reset blog.

By design, Microsoft does not offer any solution for updating the locally cached credentials. In fact, organizations using Azure AD Self-Service Password Reset with password write-back should note that updating cached credentials is not supported.

Preventing password expirations

You can get around this issue by identifying which accounts have passwords that are approaching expiration. Our password notification tool can be used to send password expiration reminders to users, encouraging them to change their passwords before they expire.
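The report behind such reminders can also be produced directly from Active Directory. The following PowerShell function is an added example, not Specops' tool or code from the original post; it assumes the RSAT `ActiveDirectory` module is available on a domain-joined host with read access to user objects, and the 14-day threshold is an assumed value. It uses the constructed attribute `msDS-UserPasswordExpiryTimeComputed`, which already accounts for fine-grained password policies, and skips the sentinel values the attribute returns for accounts whose passwords never expire.

```powershell
# Added example: list enabled accounts whose passwords expire within N days,
# plus those that have already expired (and so can no longer log on remotely).
Import-Module ActiveDirectory

function Get-ExpiringPasswordReport {
    param(
        [int]$WithinDays = 14   # assumed reminder window
    )

    $now = Get-Date
    $expiryAttr = 'msDS-UserPasswordExpiryTimeComputed'

    Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
               -Properties $expiryAttr, PasswordLastSet, EmailAddress |
    ForEach-Object {
        $raw = $_.$expiryAttr

        # 0 and Int64.MaxValue mean "no expiry computed" / "never expires";
        # FromFileTime would throw on the latter, so skip both.
        if ($null -eq $raw -or $raw -eq 0 -or $raw -ge [int64]::MaxValue) { return }

        $expires  = [datetime]::FromFileTime($raw)
        $daysLeft = [math]::Floor(($expires - $now).TotalDays)

        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            EmailAddress    = $_.EmailAddress
            PasswordLastSet = $_.PasswordLastSet
            ExpiresOn       = $expires
            DaysLeft        = $daysLeft
            Status          = if ($daysLeft -lt 0) { 'Expired' }
                              elseif ($daysLeft -le $WithinDays) { 'Expiring' }
                              else { 'OK' }
        }
    } |
    Where-Object { $_.Status -ne 'OK' } |
    Sort-Object DaysLeft
}

# Usage: accounts needing a reminder (or already locked out of remote access).
Get-ExpiringPasswordReport -WithinDays 14 | Format-Table -AutoSize
```

Rows with status `Expired` are the remote workers who are already in the lockout situation described above; rows with `Expiring` are the ones a reminder can still reach in time.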

How to reset the cached domain password

If you’re interested in eliminating password reset calls to the service desk with a solution that can also update locally cached credentials, check out Specops uReset. The solution allows users to securely reset, change or unlock their accounts from anywhere, on any device. User adoption is streamlined by pre-enrolling users with the mobile number stored in Active Directory, which means they can immediately receive one-time codes to verify their identity during a self-service password reset.

(Last updated on August 29, 2023)