Tuesday, November 30, 2010

VPN User Migration Challenge and Cached Credentials

One of the challenges you might run into during the user and computer migration is the VPN or offsite user migration. Most of these users will be using their Cached Credentials to log into the Domain.  These Cached Credentials won’t be available after the domain membership change. So users won’t be able to login after the computer migration. I have seen many articles and blogs talk about caching the target credentials prior to the computer migration using Runas command, running a Schedule job, Creating a custom service using the target account etc. I have tested many of these options in the lab but none of these option would work because the Cached Credentials will clear from the registry after the Domain membership change.

As you can see in the following screenshot, I have all the Cached Credentials before the migration:


After the domain membership change, these values will get cleared from the registry as shown in the following screenshot:


However, when you move a computer to a Workgroup, the Cached Credentials won’t get cleared.

Here are some of the workarounds or options for migrating VPN users if they can’t come into the office during the migration.


If you are using Microsoft VPN client, You can use Log on using dial-up connection option as shown in the following screenshot:


This option will establish a VPN connection prior to the domain login process. Most of the third party VPN software has this functionality.  You might need to enable this option. 

Option #2

You can also create a local user account on the workstation and login locally using this account after the computer migration.  Then establish a VPN connection and access a resource using the target account (runas /user:targetdomain\targetuser notepad.exe) .   This process will cache the credentials in the registry.  But you need to provide the local user account information to the user and you need to make sure the VPN software is configured for all user profiles including local user profiles.

Option #3

Most of the third party migration tools provide VPN user migration functionality. The Microsoft ADMT doesn’t have this functionality. So you have to use one of above mentioned options.

Other Related Articles:

Active Directory Migration Using ADMT - http://www.sivarajan.com/admt.html

Computer Migration - Things to Consider - http://www.sivarajan.com/cm.html

User Account Migration and Merging Using ADMT - http://www.sivarajan.com/


Great article! I'm really appreciated for it. As soon as I get back home from Las Vegas trip https://worldcams.tv/united-states/las-vegas/strip (visiting local casinos and the Grand Canyon was my dream) I'll study it more precisely.

Post a Comment

Popular Posts


Twitter Delicious Facebook Digg Stumbleupon Favorites More