What is the Credential Manager?

Credential Manager is the "digital locker" where Windows stores

log-in credentials (username, password, etc.) for other computers
on your network, servers or Internet locations such as websites.
This data can be used by Windows itself or other applications that
know how to use it, such as: Windows Explorer, the tools included
in Windows Live Essentials, Microsoft Office, Internet Explorer or
applications for running virtual machines (such as Windows Virtual
PC).

The credentials are split into three categories:

Windows Credentials - are used only by Windows and its

services. For example, Windows can use this data to automatically
log you to the shared folders of another computer on your
network. Or, to store the password of the Homegroup you have
joined and use it automatically each time you access what is
being shared. If you type a wrong log-in credential, Windows
remembers it and fails to access what you need. If this happens,
you can edit or remove the incorrect credential, as shown in later
sections of this article.

Certificate-Based Credentials - they are used together with

smart-cards, mostly in more complex business network
environments. Most people will never need to use such
credentials and this section will be empty on their computers.
However, if you want to know more about them, check this article
from Microsoft: Guidelines for enabling smart card logon with
third-party certification authorities.

Generic Credentials - are defined and used by some of the

programs you install, so that they get the authorisation to use
certain resources. One very common example of a generic
credential is your Windows Live ID, stored and used by the tools
included in Windows Live Security Essentials.

These credentials are automatically stored and managed by

Windows and the applications you are using. Unless you want to
know which credentials are stored on your computer or you need
to remove or edit an incorrect one, you wont need to use the
Credential Manager.

Important: Windows 8 adds one more type of credentials called

Web Credentials. As the name implies, such credentials are used
by Internet Explorer to automatically log you into certain
websites.

Kinds of Credentials

The Credentials Management API works with two kinds of

credentials:

Domain Credentials

Generic Credentials

Domain Credentials

Domain credentials are used by the operating system and

authenticated by the Local Security Authority (LSA). Typically,
domain credentials are established for a user when a registered
security package, such as the Kerberos protocol, authenticates
logon data that is provided by the user. The logon credentials are
cached by the operating system so that a single sign-on gives the
user access to many different resources. For example, network
connections can occur transparently, and access to protected
system objects can be granted based on the user's cached
domain credentials.

Credentials Management functions provide a mechanism for

applications to prompt a user for domain credentials after the
user logs on, and to have the operating system authenticate the
information that is provided by the user.

The secret part of domain credentials, the password, is protected

by the operating system. Only code running in-process with the
LSA can read and write domain credentials. Applications are
limited to writing domain credentials.

Windows supports expanded use of smart card and certificate

credentials. To help ensure security, the Credentials Management
API never stores the smart card PIN on the computer.

Generic Credentials

Generic credentials are defined and authenticated by applications

that manage authorization and security directly instead of
delegating these tasks to the operating system. For example, an
application can require users to enter a user name and password
provided by the application or to produce a certificate to access a
website.
Applications use Credentials Management functions to prompt
users for application-defined, generic, credential information,
such as user name, certificate, smart card, or password. The
information entered by the user is returned to the application for
authentication.

Credentials Management provides customizable cache

management and long-term storage for generic credentials.
Generic credentials can be read and written by user processes.

We get questions about Active Directory credential caching quite

often from customers and prospects. Since we provide Active
Directory solutions, it would make sense that we have insight into
AD credentials caching in Windows but the caching mechanism is
actually a function of the client and not the server. We take a
closer look at some best practices to avoid account lockout issues
when cached credentials and AD credentials become out of sync.

Understanding cached credentials is particularly important when

working with remote users in a SSPR (self-service password reset)
scenario. Basically, this scenariosupported with solutions like
Web Active Directorys PeoplePassword productoccurs when
users who dont regularly log directly into a domain and
authenticate against a domain controller forget their Windows
password. This includes VPN-connected users as well as users
who take advantage of resources like portals that store user
credentials in AD. The important part here is that the user is not
authenticating directly against a Windows domain controller for
authentication. An SSPR solution allows the AD credentials to be
reset but does nothing to affect the cached credentials on the
client machine.

Windows Credential Caching

SSPR solutions typically allow a user to easily reset her Active

Directory password. This is great when a user is authenticating
directly against a domain controller but not so good when a user,
especially a remote user, is logging onto a machine or a VPN
connection using Windows cached credentials.

What are Cached Credentials?

Cached credentials allow a user to access machine resources

when a domain controller is unavailable.

After a successful domain logon, a form of the logon information is

cached. Later, a user can log on to the computer by using the
domain account, even if the domain controller that authenticated
the user is unavailable. Because the user has already been
authenticated, Windows uses the cached credentials to log the
user on locally. For example, suppose a mobile user uses a
domain account to log on to a laptop that is joined to a domain.
Then, the user takes the laptop to a location where the domain is
unavailable. In this scenario, Windows uses the cached
credentials from the last logon to log the user on locally and to
allocate access to local computer resources.
Administrators:
Description: Members of this group have full control of all
domain controllers in the domain. By default, the Domain Admins
and Enterprise Admins groups are members of the Administrators
group. The Administrator account is also a default member.
Because this group has full control in the domain, add users with
caution.
Default user rights: Access this computer from the network;
Adjust memory quotas for a process; Back up files and directories;
Bypass traverse checking; Change the system time; Create a
pagefile; Debug programs; Enable computer and user accounts to
be trusted for delegation; Force a shutdown from a remote
system; Increase scheduling priority; Load and unload device
drivers; Allow log on locally; Manage auditing and security log;
Modify firmware environment values; Profile single process; Profile
system performance; Remove computer from docking station;
Restore files and directories; Shut down the system; Take
ownership of files or other objects.

Domain Admins:
Description: Members of this group have full control of the
domain. By default, this group is a member of the Administrators
group on all domain controllers, all domain workstations, and all
domain member servers at the time they are joined to the
domain. By default, the Administrator account is a member of this
group. Because the group has full control in the domain, add
users with caution.
Default user rights: Access this computer from the network;
Adjust memory quotas for a process; Back up files and directories;
Bypass traverse checking; Change the system time; Create a
pagefile; Debug programs; Enable computer and user accounts to
be trusted for delegation; Force a shutdown from a remote
system; Increase scheduling priority; Load and unload device
drivers; Allow log on locally; Manage auditing and security log;
Modify firmware environment values; Profile single process; Profile
system performance; Remove computer from docking station;
Restore files and directories; Shut down the system; Take
ownership of files or other objects.

These groups are the most powerful in a domain and should NOT
be used for day-to-day (lower level) administration. That's the
beauty of Active Directory Domain Services. You don't need god-
like rights to operate a domain (create users, groups, manage
attributes, etc.) and should not use these accounts for this kind of
administration.
Additionally, don't logon locally to your workstations, notebooks
etc. with these accounts. Doing so leaves data behind on the
computer that is possible to compromise of the domain.

The domain admins group, and the AD builtin\Adminstrators

group (not the local admin group on clients) effectively grant
users in them the same rights, however there are some subtle
differences:

builtin\administrators is a domain local group, where as domain

admins is a global group

Domain admins are a memeber of builtin\administrators

Domain admins are a member of the local admins group on

each client pc

The builtin\administrators group is there to provide backwards

compatibility with pre-AD systems
The bultin/administrators group is created by default when you
install Windows. This group has complete and unrestricted access
to the computer. By default the only user account that is a
member of this group is Administrator.

The Domain Administrators group is only present in a Windows

domain. This group has complete and unrestricted access to the
entire domain, able to logon to any pc or server that is a member
of the domain.

When a pc/server is added to a domain, the domain admins group

automatically becomes a member of the builtin/administrators
group, thus providing the domain administrators administrator-
level access to the computer.

If you moved an account from the domain admins group to the

builtin/adminstrators group, that account would be able to
administer that local computer but nothing else, unless you added
the account to other builtin/adminstrators groups.

Domain admins can administer entire domain including all your servers, AD etc.
If you add your user to local administrator group on a workstation his rights are
limited to this workstation and this is probably what you need.

Many people have asked me this question on What is the difference

between an Enterprise Admin and a Domain Admin group in an Active
Directory environment? for an example the Enterprise Admin group
have complete control of the entire forest (all the domains in the forest)
where as the Domain Admins have access only to their specific domain.

The following table is an extract from TechNet

Group Description Default user

rights
 Members of this Access this
group have full computer from the
control of the network; Adjust
domain. By memory quotas for
default, this a process; Back up
group is a files and
member of the directories; Bypass
Administrators traverse checking;
Domain group on all Change the system
Admins domain time; Create a
controllers, all pagefile; Debug
domain programs; Enable
workstations, computer and user
and all domain accounts to be
member servers trusted for
at the time they delegation; Force a
are joined to the shutdown from a
domain. By remote system;
default, the Increase scheduling
Administrator priority; Load and
account is a unload device
member of this drivers; Allow log
group. Because on locally; Manage
the group has auditing and
full control in security log; Modify
the domain, add firmware
users with environment
caution. values; Profile
single process;
Profile system
performance;
Remove computer
from docking
station; Restore
files and
directories; Shut
down the system;
Take ownership of
files or other
objects.

Members of this Access this

group have full computer from the
control of all network; Adjust
domains in the memory quotas for
 forest. By a process; Back up
Enterpri default, this files and
se group is a directories; Bypass
Admins member of the traverse checking;
(only Administrators Change the system
appears group on all time; Create a
in the domain pagefile; Debug
forest controllers in the programs; Enable
root forest. By computer and user
domain) default, the accounts to be
Administrator trusted for
account is a delegation; Force
member of this shutdown from a
group. Because remote system;
this group has Increase scheduling
full control of priority; Load and
the forest, add unload device
users with drivers; Allow log
caution. on locally; Manage
auditing and
security log; Modify
firmware
environment
values; Profile
single process;
Profile system
performance;
Remove computer
from docking
station; Restore
files and
directories; Shut
down the system;
Take ownership of
files or other
objects.

Most of the IT guys misunderstands the roles of these user groups and
their user rights in a domain environment and a forest environment. Now
I hope you have a pretty clear picture on what members of these two
groups can do.
Enterprise Admins group is a group that appears only in the forest
root domain and members of this group have full administrative
control on all domains that are in your forest.

Domain Admins group is group that is present in each domain.

Members of this group have a full administrative control on the
domain.

As a System Administrator of a domain, there will obviously be times where you will need to
create new security groups for your environment. When creating a new security group, the group
scope can sometimes be confusing. Do I pick Domain Local, Global, or Universal? Below I
quickly break down what each type can contain and the usage for each security group type.

Domain Local

This type of group can contain:

User accounts from any domain in the forest or in a trusted forest

 Global or Universal security groups from any domain in the forest or trusted forest

Other Domain Local security groups from the same domain

This type of groups usage:

Used for resources in the local domain

Global

This type of group can contain:

User accounts in the same domain

Other Global security groups from the same domain

This type of groups usage:

Used for any domain in the forest or trusted forests

Universal

This type of group can contain:

User accounts, Global groups, or Universal Groups from any domain in the forest

This type of groups usage:

Any domain in forest or trusted forest