Scenario:

Your company has a web-enabled Microsoft app (Outlook Web Access, SharePoint, etc…) that passes your Active Directory credentials internally so you don’t have to log in twice (once to get on the computer and again to access the app).

Then your company decides to publish this app outside of your facility, allowing you to access it directly from home. But because you’re not on the company network when you’re at home, you have to log into the app using your AD credentials.

You decide that logging in is “for the birds” and set Internet Explorer to save your AD username and password so you don’t have to enter them. Success!

This carries on for a while until your network’s security policy forces you to change your password, which is OK with you. You’ll just clear out your IE saved usernames and passwords and save it all back with your new password.

But wait, there seems to be a problem: you’re clearing out IE, but it’s not clearing out your AD credentials. What do you do?

Solution:

For starters, you should never save your AD credentials in IE. IE handles your AD credentials and your generic website credentials completely differently. When you go to a generic website like Amazon or Google and tell IE to save your username and password for that site, it stores those credentials in the registry. Then, when you tell IE to clear all of your saved passwords, it clears out the registry. Your AD credentials are not stored in the registry; they are stored in an encrypted NTLM hash file in your user folder.

Luckily, Windows 7 introduced us to the “Credential Manager”, which is found in the Control Panel. It makes it easy to remove AD and generic credentials that are stored on your computer. But for those who are still running Windows XP, below are the steps for removing that cached AD account.

  1. Go to: C:\Documents and Settings\YOUR USERNAME\Application Data\Microsoft\Credentials\<SID>\Credentials
  2. Make a copy, then delete the original.
  3. Reboot the computer.

Update:

Since the introduction of Credential Manager in Windows 7 and up, you can now manage your saved AD accounts. Credential Manager is located in the Control Panel.
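
The same cleanup can be done from the command line with `cmdkey`, the command-line counterpart of Credential Manager. The PowerShell script below is an added example, not part of the original post; it assumes English-language `cmdkey` output, and `mail.example.com` is a placeholder for the host name of your published app.

```powershell
# Added example (not from the original post).
# Assumptions: cmdkey.exe is available, its output is in English, and
# 'mail.example.com' is a placeholder for your published app's host name.
param(
    [string]$TargetHost = 'mail.example.com',
    [switch]$Remove   # without -Remove the script only reports what it found
)

# Pull the value of every "Target:" line out of `cmdkey /list` output.
function Get-StoredTarget {
    param([string[]]$CmdkeyOutput)
    foreach ($line in $CmdkeyOutput) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') { $Matches[1] }
    }
}

# Saved entries (AD/domain or generic) whose target mentions the host.
$stale = @(Get-StoredTarget -CmdkeyOutput (cmdkey /list) |
    Where-Object { $_ -like "*$TargetHost*" })

if ($stale.Count -eq 0) {
    Write-Output "No saved credentials reference $TargetHost."
    return
}

foreach ($target in $stale) {
    if ($Remove) {
        cmdkey "/delete:$target" | Out-Null
        Write-Output "Removed: $target"
    } else {
        Write-Output "Found (run again with -Remove to delete): $target"
    }
}

# Confirm nothing for this host is left behind after a removal run.
if ($Remove) {
    $left = @(Get-StoredTarget -CmdkeyOutput (cmdkey /list) |
        Where-Object { $_ -like "*$TargetHost*" })
    Write-Output "Entries still stored for ${TargetHost}: $($left.Count)"
}
```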