Pricing  Get Quote

Cached Credentials

Active Directory cached credentials update using ADSelfService Plus

Start a free trial

Updating Windows cached credentials over VPN

Remote users often struggle to reset expiring passwords and update their machine's outdated credential cache because they lack a connection to Active Directory. And in instances when they lose machine access due to an expired password, they are unable to reach out to the help desk for assistance and experience decreased productivity.

ADSelfService Plus, an identity security solution with adaptive MFA, SSO, and password management capabilities, enables users to securely reset their Active Directory passwords even when they have no connection to Active Directory. It automatically updates the cached domain credentials on their Windows machines remotely using a VPN.

What are Active Directory cached credentials?

When a user logs in to an Active Directory domain for the first time, the login credentials are cached locally on their machine. These cached credentials are updated each time the machine is connected to Active Directory, i.e., to the corporate network, during login. When a remote user who is not connected to the corporate network logs in to their machine, their login information is verified locally against the cached credentials stored on their machine. If the verification succeeds, they can access the machine. In short, cached credentials allow users to log in to their machines even when they have no way of reaching the Active Directory domain controller for authentication.

Can cached credentials cause account lockouts?

A significant issue faced by remote users is a mismatch caused by outdated cached credentials that blocks them from accessing their machine. Mismatches in cached credentials are likely to occur when users utilize more than one device for work. Let us consider an employee working in the hybrid model using two different devices—a desktop device at the office and a laptop at home. Say the employee recently changed their Active Directory password while working from the office on their domain-connected desktop device. Their laptop's cached credentials would still contain the old password since the device does not have a connection to the corporate network for an update. Forgetting this, the employee may try to log in with their new password on their laptop while working remotely, and they may get locked out after multiple attempts.

Alternatively, let us assume that after a couple of attempts, the employee realizes that their laptop still has the old password cached and continues to use it during login. However, in an unlikely circumstance, if the employee happens to bring their laptop to the office, it gets connected to the corporate network, and the cached credentials get updated without their knowledge. The employee now might habitually enter their old password during login and get locked out after multiple attempts.

How to update Windows cached credentials without connecting to a domain controller

ADSelfService Plus updates remote users' cached credentials after every password reset or change via VPN. It comes bundled with a GINA/CP client, also known as the Windows login agent, that allows remote users to perform secure self-service password reset right from their login screens and forcefully updates their Windows machine's cached credentials afterwards through VPN.

How the Windows cached credentials update works in ADSelfService Plus

Here's how remote Windows users can update their local cached credentials using ADSelfService Plus.

Cached Credentials Update
  • When a remote user forgets their Active Directory password, they can use ADSelfService Plus’ login agent to reset their password from their login screen. For more information about the login agent, click here.
  • ADSelfService Plus resets the user's password in Active Directory and notifies the login agent that the reset operation was successful.
  • The login agent then establishes a secure connection with Active Directory through a VPN client, like Fortinet or Cisco AnyConnect, and initiates a request to update the user's local cached credentials.
  • After the request is approved by Active Directory, ADSelfService Plus forces a cached credentials update on the user's machine.

Windows versions that support cached credentials update using ADSelfService Plus

Windows server versions: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008

Windows client versions: Windows 11, Windows 10, Windows 8.1, Windows 8, Windows 7, and Windows Vista

VPN providers that ADSelfService Plus supports for Windows cached credentials update

  • Fortinet
  • Cisco IPSec
  • Cisco AnyConnect
  • Windows Native VPN
  • SonicWall NetExtender
  • Checkpoint EndPoint Connect
  • SonicWall Global VPN
  • OpenVPN
  • Custom VPN

Benefits of updating Windows cached credentials using ADSelfService Plus


    Reduce password reset calls

    Empower remote users with self-service password reset and cached credentials update features, and limit password-related help desk tickets.


    Improve employee productivity

    Give remote users the ability to regain access to their machines quickly even if they forget their passwords, which helps avoid any major business interruptions.


    Reduce costs

    Resetting passwords through help desk assistance and connecting machines to the corporate network for a cached credentials update are both time-consuming and expensive processes, which can be easily eliminated using ADSelfService Plus.

Empower remote users to reset passwords and
update Active Directory cached credentials

Download now  

ADSelfService Plus also supports


    Adaptive MFA

    Enable context-based MFA with 19 different authentication factors for endpoint and application logins.

    Learn more  

    Enterprise single sign-on

    Allow users to access all enterprise applications with a single, secure authentication flow.

    Learn more  

    Remote work enablement

    Enhance remote work with cached credential updates, secure logins, and mobile password management.

    Learn more  

    Powerful integrations

    Establish an efficient and secure IT environment through integration with SIEM, ITSM, and IAM tools.

    Learn more  

    Enterprise self-service

    Delegate profile updates and group subscriptions to end users and monitor these self-service actions with approval workflows.

    Learn more  

    Zero Trust

    Create a Zero Trust environment with advanced identity verification techniques and render your networks impenetrable to threats.

    Learn more  

ADSelfService Plus trusted by