UAC Credentials are cached??? (under domain)
Hi to all, we have an AD Windows 2008 and clients running Windows 7. The scenario is this: we have programs that, in order to update or write to some locations, need elevated privileges, so the user gives some kind of 'master' account that we give, which is in the Domain Admins group and has permission for this. After this operation we change the password for this master account, BUT EVERY workstation on which it has been used even ONCE remembers forever the LAST password entry, unless someone puts in the current one! Some kind of local cache? How can we avoid this? Thank you! P.S. It's supposed that this is the use of UAC for admins under a domain: to give an admin account to the user to accomplish a task, and after this the admin is able to disable this admin account or change the password to prevent the user from using UAC again with this admin account, right?
March 16th, 2012 7:26am

Hi, based on my understanding, UAC does not remember the user's password. You may take a screenshot to let us understand it better. Also, please check the Credential Manager in Control Panel.
Juke Chou TechNet Community Support
March 19th, 2012 6:00am

Hi, thank you for the answer. I don't think that with a screenshot you will understand much... Let me describe the steps:
1. Windows 2008 AD domain.
2. Workstation joined to the domain with a normal user account (just a user).
3. Apart from the Domain Administrator there is a "MASTER" user who belongs to the Domain Admins group.
4. On the workstation, logged on as USER, a program tries to update itself and doesn't have rights to write to the folder, so UAC takes over with the secure desktop and asks for credentials.
5. The user puts in the "MASTER" account credentials and the operation is done.
6. The Administrator CHANGES the "MASTER" account password to a new password.
7. The user on the workstation tries to do a 'prohibited' operation. UAC comes up again on the secure desktop and asks for credentials. IF the user puts in the old "MASTER" password it passes normally!!! Even after logout, even after restart, even after many hours, days...
8. The OLD "MASTER" password will remain active on the SPECIFIC workstation as long as the user uses it! If for any reason he or the admin uses the NEW password that was set in AD, the workstation starts to remember this last one!!! (This happens every time!!!)
I hope this is clear now! And it would be very interesting if everyone who could test it posted results here! Thanks!
March 21st, 2012 9:21am

I've just tested this and it does indeed happen. This is because it is using cached credentials to authenticate. The first time you enter the account it should authenticate against AD, as it has no other way to check the account. However, once this is done the details will be cached, as a profile is created for the MASTER user (look in C:\Users). Subsequent attempts would use the cached credentials, as they don't need to authenticate against AD because it's only interested in whether the account is an admin account (i.e. in the Administrators group) locally, and it would authenticate the credential against the cached copy. UAC is giving you admin rights locally on the workstation, so as long as the account is a valid account in the Administrators group on the workstation then it will pass. If you delete the cached profile then it would fail, as it would know nothing about the account. I would not recommend using an account with Domain Admin rights, as this is not necessary. You only need an account with admin rights on the workstations. You could create an AD account and use Group Policy to add the account to the local Administrators group of all workstations. Obviously you still have the same issue, but at least the account has fewer rights. At the moment I can't really think of a way around this. Maybe you could create a local admin account on each machine (via GPO for example) and then enable the account when the user needs to use it and disable it when they don't, which you should be able to do remotely providing you haven't blocked remote management.
Regards qSilverx
March 21st, 2012 11:29am

Thank you very much for the details and your thoughts about the case. The local admin account seems to be a solution, but I wanted to avoid the remote access (i.e. I was away from the office and was on call), because if I am going to use remote access then I, as administrator, would put in my credentials and do the task... The target is to remove this 'load' from the admin! :) And I am not sure, but I wonder what the use of UAC is then!!! If I have to give these credentials to the user, I should be able to revoke access through them as well! Because if the user knows credentials with admin rights, then what is the use of 'user'? Thank you!
March 22nd, 2012 9:52am

For a managed environment you would normally not provide admin credentials to a user unless they needed them to perform their job, in which case you would normally either make their account an admin or give them their own second set of credentials. In this case, where we are talking about updating applications, these should really be managed centrally and updated using a tool which can perform the update using an appropriate account. Obviously this does rather depend on the size of the company. UAC is really there either to stop a standard user from performing an admin action they shouldn't, or to inform an admin user that something is trying to do something to the computer which is potentially risky. I see what you are trying to achieve and it is a good idea; unfortunately it does not seem to work as you wanted. Maybe you could have a scheduled task that deletes the MASTER profile every so often, or something like that.
Regards qSilverx
March 22nd, 2012 11:31am
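An added example (my own, not code from any poster in this thread) that turns the checks discussed above into an audit script for one workstation: it reports whether domain logon caching is enabled, lists every profile on disk for the shared account, and optionally removes those profiles as the suggested scheduled task would. It assumes the shared account is named MASTER and that the script runs elevated; the CachedLogonsCount value under Winlogon and the Win32_UserProfile WMI class are standard Windows, not something from the thread.

```powershell
param(
    [string]$Account = 'MASTER',   # shared admin account from the thread (assumed name)
    [switch]$RemoveProfiles        # delete matching profiles; default is report only
)

# 1. Is domain credential caching enabled on this workstation at all?
#    CachedLogonsCount (default 10 when the value is absent) is the number of
#    domain logons Windows keeps a verifier for so the account still works
#    offline. Setting it to 0 through Group Policy turns the cache off, so a
#    changed password is enforced at the next prompt instead of whenever the
#    workstation next happens to consult AD.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$count = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
            -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $count) { $count = 10 }
Write-Output "CachedLogonsCount on $env:COMPUTERNAME = $count"

# 2. The 'look in C:\Users' check: every non-system profile whose folder
#    matches the shared account (e.g. C:\Users\MASTER or C:\Users\MASTER.DOMAIN).
$profiles = Get-WmiObject -Class Win32_UserProfile |
    Where-Object { -not $_.Special -and $_.LocalPath -like "*\$Account*" }

if (-not $profiles) {
    Write-Output "No profile for '$Account' found on this machine."
    return
}

foreach ($p in $profiles) {
    $lastUse = if ($p.LastUseTime) {
        [System.Management.ManagementDateTimeConverter]::ToDateTime($p.LastUseTime)
    } else { 'unknown' }
    Write-Output ("{0}  SID={1}  loaded={2}  last used {3}" -f `
        $p.LocalPath, $p.SID, $p.Loaded, $lastUse)

    # 3. What the suggested scheduled task would do. A profile that is
    #    currently loaded cannot be removed, so it is reported and skipped.
    if ($RemoveProfiles) {
        if ($p.Loaded) {
            Write-Warning "Profile $($p.LocalPath) is in use; skipping."
        } else {
            $p.Delete()
            Write-Output "Removed profile $($p.LocalPath)."
        }
    }
}
```

Deleting the profile removes the folder and its registry hive, but the verifier for a cached domain logon is held separately by the LSA, so setting CachedLogonsCount to 0 by policy on these workstations is the reliable way to make sure an old password is no longer accepted at the UAC prompt.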
