Cached credentials - which groups are preserved in the token?

Discussion in 'Active Directory' started by fpbear, Mar 24, 2007.

  1. fpbear

    fpbear Guest

    I couldn't find clear Microsoft documentation on this. If a domain user
    disconnects the laptop from the domain, does the cached credential preserve
    the domain global or domain local group tokens?

    If I understand correctly, I know that it does not preserve domain universal
    group tokens in a multi-domain setup (requires the GC), and that the cached
    credential does preserve the local tokens (local to the computer).

    I am totally confused on the middle case, whether the user cached credential
    will still have the SIDs for domain global or domain local groups.

    This is important because we apply NTFS file permissions, and application
    access based on the domain group, and we cannot lock users out of these
    folders, and lock out the application, just because they disconnect the
    laptop on travel.
     
    fpbear, Mar 24, 2007
    #1

  2. Herb Martin

    Herb Martin Guest

    It should (really must, but I haven't checked), since the user must be able
    to access anything on the SAME machine which he/she could access if on the
    net.
    I will be surprised if it doesn't preserve Global groups, but not totally
    shocked.
    That would be an interesting piece of information.
    Have you tested it? It will take 10 minutes.
     
    Herb Martin, Mar 24, 2007
    #2

  3. fpbear

    fpbear Guest

    Thanks Herb. We have to finish the system design this week before the lab
    with the domain controller is ready, so we cannot test it first. Hopefully
    someone on this forum will know the definite answer; it will be interesting
    to all to find out whether the domain global group SID is cached when
    disconnected.
     
    fpbear, Mar 24, 2007
    #3
  4. Jorge de Almeida Pinto [MVP - DS], Mar 24, 2007
    #4
  5. fpbear

    fpbear Guest

    Thanks Jorge,
    This is the part that is not clear. The reason a user would be prevented
    from getting to network related resources is because the domain local,
    domain global, or domain universal group SID is not cached, and the network
    resource is protected using one of these groups. I know the universal group
    will not be cached in multi-domains, but the other two are the mystery.

    hmmmm...
     
    fpbear, Mar 24, 2007
    #5
  6. Herb Martin

    Herb Martin Guest

    "Jorge de Almeida Pinto [MVP - DS]"
    Jorge, the question is more subtle:

    Do network (domain) groups WORK as expected for access
    to LOCAL resources?

    Are there differences between Local (domain and computer),
    Global, and Universal groups in this regard?

    A user with membership in various groups logs onto a computer and
    accesses various resources, with various groups allowing or denying
    access.

    The user logs off; disconnects the computer from the network; and
    logs back onto the computer with CACHED credentials.

    What can and cannot the user access, what are the differences, based
    on the membership in domain Local, Global, and Universal groups?

    I believe there is no difference -- that essentially what gets cached is
    a locally valid (only) copy of the Security Access Token used last on
    the domain.

    Therefore (if I am correct) the membership of all groups is effectively
    available -- but only for local resources -- when that user is using
    cached credentials.
     
    Herb Martin, Mar 24, 2007
    #6
  7. Jorge de Almeida Pinto [MVP - DS]

    I tried all types of groups... all worked

    global, domain local, universal

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Windows Server - Directory Services

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
    * How to ask a question --> http://support.microsoft.com/?id=555375
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always test before implementing!
     
    Jorge de Almeida Pinto [MVP - DS], Mar 25, 2007
    #7
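    A way to repeat Jorge's check on your own laptop, added here as an example and not part of the thread: run it once as the domain user while connected (label "online") and once after logging on disconnected with cached credentials (label "cached"), and it lists any group SID present in one token but not the other. The snapshot folder and labels are arbitrary choices; it assumes Windows PowerShell 5.1 or later so that Get-LocalUser is available.

    ```powershell
    # Added example (not from the thread): snapshot the group SIDs in the current
    # logon token, then diff the "online" and "cached" snapshots of the same user.
    param(
        [ValidateSet('online', 'cached')][string]$Label = 'online',
        [string]$OutDir = "$env:LOCALAPPDATA\token-snapshots"   # arbitrary location
    )

    $id         = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $userDomain = $id.User.AccountDomainSid     # S-1-5-21-<domain> prefix of the logged-on user
    # Machine SID, taken from any local S-1-5-21 account (requires Get-LocalUser, PS 5.1+)
    $machineSid = (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*' } |
                   Select-Object -First 1).SID.AccountDomainSid

    # Classify a SID by its issuing authority. Note that a same-domain global,
    # domain local and universal group all carry the same domain prefix, so the SID
    # alone cannot tell those three apart; only the presence/absence of each SID can be compared.
    function Get-SidScope([System.Security.Principal.SecurityIdentifier]$Sid) {
        if ($Sid.Value -like 'S-1-5-32-*')        { return 'builtin-local' }
        if ($null -eq $Sid.AccountDomainSid)      { return 'well-known' }      # Everyone, Authenticated Users, ...
        if ($Sid.AccountDomainSid -eq $machineSid) { return 'machine-local' }
        if ($Sid.AccountDomainSid -eq $userDomain) { return 'user-domain' }
        return 'other-domain'                                                  # e.g. a universal group from another domain
    }

    $rows = foreach ($sid in $id.Groups) {
        # Name lookup needs a DC for domain SIDs and may fail offline; the SID is kept either way.
        $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '<unresolved>' }
        [pscustomobject]@{ Sid = $sid.Value; Scope = (Get-SidScope $sid); Name = $name }
    }

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $rows | Sort-Object Sid | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "$Label.csv")
    $rows | Group-Object Scope | Select-Object Name, Count | Format-Table -AutoSize

    # Once both snapshots exist, show SIDs that appear in only one of the two tokens.
    $online = Join-Path $OutDir 'online.csv'
    $cached = Join-Path $OutDir 'cached.csv'
    if ((Test-Path $online) -and (Test-Path $cached)) {
        $diff = Compare-Object (Import-Csv $online) (Import-Csv $cached) -Property Sid -PassThru
        if ($diff) { $diff | Format-Table Sid, Scope, Name, SideIndicator -AutoSize }
        else       { 'Same group SIDs in both tokens.' }
    }
    ```

    If the global versus domain local distinction matters for your ACL design, put one group of each type on a test folder before taking the two snapshots, since the SID prefix alone does not reveal the group type; under the cached logon the Name column may read <unresolved> while the Sid column still matches.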
  8. Herb Martin

    Herb Martin Guest

    "Jorge de Almeida Pinto [MVP - DS]"
    That is what I expected. Thanks for checking.
     
    Herb Martin, Mar 25, 2007
    #8
  9. fpbear

    fpbear Guest

    Thanks for checking Jorge.

    When Microsoft says that network resources will be unavailable with cached
    credentials, I am guessing that this means the Kerberos tickets are gone.
    While tokens are cached forever, the Kerberos tickets to network resources
    can expire.

    Another interpretation is that Microsoft simply means that when you are
    using cached credentials, you are obviously not connected to the domain's
    network, and therefore you can't access files on the network. This seems
    too obvious to be the reason.

    It sounds like all of the SIDs in the cached token remain, and the token is
    not "reconstructed" to strip out the domain groups when the network is
    disconnected.

    Hopefully also the cached token will work just the same when used with
    domain global groups nested under local groups.

    With no Microsoft documentation on this we are guessing in the dark and the
    MVP advice is very valuable. Thanks!!
     
    fpbear, Mar 25, 2007
    #9
  10. Herb Martin

    Herb Martin Guest

    Or expired, most likely.
    Pretty much the way I understand it. Even with NTLM tokens in NT these
    could expire or be marked as locally cached somehow.
    No. If a "Domain Server" is ONLINE with you while you are using cached
    credentials, access to it will be rejected.

    Local means local because your credentials are only valid on the same box.
    That is my understanding and what Jorge confirmed.
    Jorge said he TRIED it and he is one of the "smart folks", so I am convinced,
    and this is my long experience even though I have never actually tested it.
    No, not "guessing" -- Jorge tested it and there is no reason logically to
    doubt it anyway -- even though it was a good question.
     
    Herb Martin, Mar 25, 2007
    #10