IT support desk wants software that stops passwords from being cached for Windows users

"I work in the technology business (IT Support desk for a major Fortune 500 printer/copier company). Our help desk supports internal employees with their company-issued computer and mobile device issues.

One of the problems that we face on a daily basis is that employees' Windows login accounts to the company domain get "locked out." Locking out is a feature that Windows implements to prevent user logon after a certain number of wrong password attempts. Our company's limit is 5. Since users are required to change passwords every 90 days, these issues are frequent. The lockout feature is there to prevent hacking or trying to "guess" another user's password, but the problem comes when users get locked out when they are not at the computer and nobody is typing anything. Or, it happens overnight. This is due to a few factors. One is that older passwords (due to the frequent changes) get accidentally cached in the PC's password vault when the user did not intend for them to be. Or, if they use programs like Remote Desktop, logins could be cached out on the domain controllers in the virtual cloud and automatically try to authenticate every so often ("remote procedure call," etc.).

I think that some kind of software should be implemented that would either prevent the passwords from being cached, or at least alert the user or the domain administrators that a cached password is present and may lock the user out of the system if not removed, or something similar. The software could be installed locally on each Windows PC and also on the domain server PCs. On the local PC the user would be alerted; in the domain aspect, the admins would get an alert and could go check that domain controller's password cache. I would also suggest having an option to "Prevent password caching on this workstation/server" after closing the alert. It would be a good idea for the admins to create a policy that prevents users from turning the software off or disabling alerts. I really feel that this would help a lot of the lockouts from happening automatically and "on the back end." It would prevent users' work from being crippled due to being locked out of the network.

I would pay a good price for this software because I think it would increase profits for the company. The reason being that fewer employees, particularly sales employees, would have their work crippled by network lockouts. They would therefore have more time to get their work done by selling the company's product."
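
The alerting idea in the post can be sketched as a triage step over failed-logon records, shown here as an added example that is not part of the original post. It assumes records of the form (timestamp, account, source host); the sample data, host and account names, and the 10% regularity heuristic are constructed for illustration, and only the lockout limit of 5 comes from the post.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LOCKOUT_THRESHOLD = 5   # the limit quoted in the post
MAX_JITTER = 0.10       # assumption: gaps within 10% of their mean count as machine-paced

# Constructed sample records: (timestamp, account, source host)
SAMPLE_FAILURES = [
    ("2024-03-04 02:00:05", "asmith", "WKS-0412"),
    ("2024-03-04 02:30:04", "asmith", "WKS-0412"),
    ("2024-03-04 03:00:06", "asmith", "WKS-0412"),
    ("2024-03-04 03:30:05", "asmith", "WKS-0412"),
    ("2024-03-04 04:00:05", "asmith", "WKS-0412"),
    ("2024-03-04 09:01:10", "bjones", "WKS-0077"),
    ("2024-03-04 09:01:19", "bjones", "WKS-0077"),
    ("2024-03-04 09:02:45", "bjones", "WKS-0077"),
    ("2024-03-04 09:07:02", "bjones", "LAPTOP-031"),
    ("2024-03-04 09:07:30", "bjones", "LAPTOP-031"),
    ("2024-03-04 10:15:00", "cwu", "WKS-0101"),
]

def classify_lockouts(records, threshold=LOCKOUT_THRESHOLD):
    """Return {account: (verdict, hosts)} for accounts that reached the threshold."""
    by_account = defaultdict(list)
    for ts, account, host in records:
        by_account[account].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host))

    findings = {}
    for account, events in by_account.items():
        events.sort()
        if len(events) < threshold:
            continue  # never reached the lockout limit
        run = events[:threshold]  # the failures that triggered the lockout
        hosts = sorted({h for _, h in run})
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(run, run[1:])]
        # Evenly spaced failures from one machine point to an automated retry
        # with an old password rather than a person typing.
        regular = pstdev(gaps) <= MAX_JITTER * mean(gaps)
        if len(hosts) == 1 and regular:
            findings[account] = ("stale-cached-credential", hosts)
        else:
            findings[account] = ("manual-or-mixed", hosts)
    return findings

if __name__ == "__main__":
    for account, (verdict, hosts) in classify_lockouts(SAMPLE_FAILURES).items():
        print(f"{account}: {verdict} -> check {', '.join(hosts)}")
```

The host named in a "stale-cached-credential" finding is the machine whose stored credentials an admin would inspect first.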


11 days ago

There might be a GPO-ready solution to this,