I recently implemented LAPS in our environment, but I'm concerned about previously entered domain admin credentials that have been cached on workstations. I'm considering adding domain admin accounts to the "Protected Users" group to stop further caching. Is that the right move? Also, what's the best method to remove the cached credentials that are already stored?
3 Answers
Also worth noting, by adding your domain admin accounts to the "Protected Users" group, you can help prevent future credential caching. Just be sure to double-check that all systems can handle it, as this might change how those accounts can be used on certain devices.
You could simply change the passwords for the domain admin accounts to invalidate any cached credentials. Just keep in mind that if someone is still logged in with the old credentials and their machine gets reconnected to the network, they could still access resources. So, it’s a good idea to take additional steps on the endpoints for tighter security.
If you're focusing on endpoint protection, you can use specific commands to clear out cached credentials. For instance, the command: `reg delete HKEY_LOCAL_MACHINE\SECURITY\CACHE /va /f` will wipe out all cached credentials from the system. This is often used when shutting down machines after remote terminations to ensure no credentials are lingering.
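To put the two recommendations above (Protected Users membership and stopping the endpoints from caching) into an auditable form, here is an added PowerShell example; it is not code from the thread. It assumes the ActiveDirectory RSAT module on the admin workstation, WinRM enabled on the targets, and local admin rights there; the function names and the OS filter are my own choices.

```powershell
# Added example, not from the thread above. Assumes the ActiveDirectory
# RSAT module locally, WinRM on the targets, and local admin rights there.
Import-Module ActiveDirectory

# 1. Which privileged accounts are NOT yet in Protected Users?
#    Members of Protected Users get no cached (MSCache) verifier at logon.
function Get-UnprotectedAdmins {
    param([string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins'))
    $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
                 Select-Object -ExpandProperty SamAccountName
    foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' -and $protected -notcontains $_.SamAccountName } |
            Select-Object @{n = 'Group'; e = { $g }}, SamAccountName, DistinguishedName
    }
}

# 2. On each workstation: how many domain logons does Winlogon keep cached
#    (CachedLogonsCount, default 10)? Report it and, unless -ReportOnly,
#    set it so no NEW credentials are cached for any account, not only
#    Protected Users. Existing cache entries are not touched by this value.
function Set-CachedLogonsCount {
    param([string[]]$ComputerName, [int]$Count = 0, [switch]$ReportOnly)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Count, $ReportOnly.IsPresent -ScriptBlock {
        param($Count, $ReportOnly)
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        $before = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
        if (-not $ReportOnly) {
            # CachedLogonsCount is stored as REG_SZ, so write it as a string.
            Set-ItemProperty -Path $key -Name CachedLogonsCount -Value "$Count" -Type String
        }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Before   = $before
            After    = (Get-ItemProperty -Path $key -Name CachedLogonsCount).CachedLogonsCount
        }
    }
}

# Usage: report first, then enforce once the gaps are understood.
Get-UnprotectedAdmins | Format-Table -AutoSize
$ws = (Get-ADComputer -Filter 'OperatingSystem -like "Windows 1*"').Name
Set-CachedLogonsCount -ComputerName $ws -ReportOnly | Format-Table -AutoSize
# Set-CachedLogonsCount -ComputerName $ws -Count 0
```

A CachedLogonsCount of 0 means nobody can log on to that machine while the DC is unreachable, so keep a small non-zero value on laptops and rely on Protected Users for the admin accounts themselves. The `reg delete` purge from the last answer has to run as SYSTEM, because HKLM\SECURITY is ACL'd so that even local administrators cannot open it.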