1

When a domain user successfully logs on to a domain-joined computer, the user's domain credentials are cached so that the user can log on again if the domain controller is unavailable (e.g. the computer is disconnected from the network).

If the domain-joined computer is running a Windows service as a domain service account and the computer restarts, will the service start if there is no domain controller available?

Secondly, if the aforementioned service attempts to authenticate to and communicate with a second local service, will it succeed?

user48994

4 Answers

5

I'm 90% certain that cached credentials apply only to interactive logins.

Kara Marfia
  • My experience as well, like MSSQL or Exchange services in domain user context not starting if there're no DCs around at all on bootup... though YMMV – Oskar Duveborn Aug 23 '10 at 19:31
  • I'm 99.9% certain it's interactive logins only. – Chris S Aug 23 '10 at 19:52
  • @Oskar: all Exchange services usually run as LocalSystem, LocalService or NetworkService; they don't start if there's no DC around because Exchange relies *quite heavily* on Active Directory, not due to authentication failures. Just wanted to point this out :-) – Massimo Aug 23 '10 at 19:56
  • Yeah I was gonna remove the Exchange mentioning from the comment and then forgot... ^^ – Oskar Duveborn Aug 24 '10 at 07:17
1

It is for interactive logons only. See the MS KB.

Nasko
0

Cached credentials apply to services as well.

Source: https://technet.microsoft.com/en-us/library/hh994565(v=ws.10).aspx

rillo
0

As per https://technet.microsoft.com/en-us/library/hh994565(v=ws.10).aspx it is only for "Account passwords for Windows services that are configured on the computer". Not for all applications.

LSA secrets on the hard disk drive

A Local Security Authority (LSA) secret is a secret piece of data that is accessible only to SYSTEM account processes. Some of these secrets are credentials that must persist after reboot, and they are stored in encrypted form on the hard disk drive. Credentials stored as LSA secrets might include:

  • Account password for the computer’s AD DS account
  • Account passwords for Windows services that are configured on the computer
  • Account passwords for configured scheduled tasks
  • Account passwords for IIS application pools and websites

Federico Galli
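
An added example, not part of any answer above: a read-only PowerShell inventory of the services on a computer that log on with an explicit user account, which is the "account passwords for Windows services" case in the TechNet text quoted in the last answer, together with the value of the cached-logon setting. The function name Get-ServiceAccountKind and its categories are this example's own assumptions.

```powershell
# Added example: read-only inventory; prints account names, never secrets.
# Built-in identities whose services need no password stored on the computer.
$builtIn = 'LocalSystem', 'NT AUTHORITY\SYSTEM',
           'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

function Get-ServiceAccountKind {
    param([string]$StartName)
    # The categories below are this example's own classification (assumption).
    if ([string]::IsNullOrWhiteSpace($StartName)) { return 'None' }
    if ($builtIn -contains $StartName)            { return 'BuiltIn' }
    if ($StartName -like 'NT SERVICE\*')          { return 'Virtual' }
    # Assumption: a trailing '$' usually marks a managed service account.
    if ($StartName -like '*$')                    { return 'EndsInDollar' }
    if ($StartName -like '.\*' -or
        $StartName -like "${env:COMPUTERNAME}\*") { return 'LocalUser' }
    return 'DomainUser'   # DOMAIN\user or user@domain
}

# Every service with the account it logs on as, classified.
$services = Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, State, StartMode, StartName,
        @{ Name = 'AccountKind'; Expression = { Get-ServiceAccountKind $_.StartName } }

# Services configured with an explicit user account and password.
$services |
    Where-Object { $_.AccountKind -in 'DomainUser', 'LocalUser' } |
    Sort-Object AccountKind, StartName, Name |
    Format-Table Name, State, StartMode, StartName, AccountKind -AutoSize

# Policy "Interactive logon: Number of previous logons to cache".
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
               -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 'not set' }
"CachedLogonsCount = $cached"
```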