Set Password Cache

Use the Set password cache group policy to control the handling of user passwords. By default, the Centrify Agent stores a UNIX-style MD5 hash of each user’s password in the cache when the user is authenticated during login. Storing the password hash allows previously authenticated users to log on when the computer is disconnected from the network or Active Directory is unavailable.

If you select Enabled for this group policy, you can set the following options:

  • Allow Password storage: Allow specified users to have their password hash stored in the cache. If you set this option and specify a list of users, only those users can log on when the computer is disconnected from the network or Active Directory is unavailable. To list the specific users allowed to have their password hash stored, type the user names separated by commas or spaces, or click List, then Add to browse and select Active Directory users to add.

    This option modifies the adclient.hash.allow parameter in the centrifydc.conf agent configuration file. By default, all users have their password hash stored.

  • Deny Password storage: Prevent specified users from having their password hash stored. If you set this option and specify a list of users, only those users are prevented from logging on when the computer is disconnected from the network or Active Directory is unavailable. To list the specific users who should not have their password hash stored, type the user names separated by commas or spaces, or click List, then Add to browse and select Active Directory users to add. This setting overrides “Allow Password storage”.

    This option modifies the adclient.hash.deny parameter in the centrifydc.conf agent configuration file. By default, all users have their password hash stored.

  • Cache life: Specify the number of days a password hash for any user can be stored in the cache before it expires. A value of zero (0) specifies that the password hash should never expire. When you enable this policy, a value of 7 (days) appears in the field. You can accept this value or enter a different value up to 9999.

    This option modifies the adclient.hash.expires parameter in the centrifydc.conf agent configuration file. The default setting for this parameter is 0, which means that by default, the cache does not expire.

For more information about the configuration file and these configuration settings, see adclient.hash.allow, adclient.hash.deny, and adclient.hash.expires in the Configuration and Tuning Reference Guide.
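
The three parameters interact: deny overrides allow, an empty allow list means every user is cached, and an expiry of 0 means hashes never expire. The Python script below is an added example, not Centrify code, that applies those rules to a configuration and reports which sensitive accounts have a cached hash; the `name: value` line layout, case-insensitive name matching, the sample user names and the function names are assumptions.

```python
import re

# Constructed sample of centrifydc.conf lines; the "name: value" layout is an assumption.
SAMPLE_CONF = """\
# password hash cache settings (constructed sample)
adclient.hash.allow: jsmith, ops.admin  mlee
adclient.hash.deny: ops.admin
adclient.hash.expires: 0
"""

def parse_hash_settings(text):
    """Return (allow, deny, expires_days) with the defaults the page documents."""
    allow, deny, expires = set(), set(), 0   # defaults: everyone cached, never expires
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key in ("adclient.hash.allow", "adclient.hash.deny"):
            # User names may be separated by commas or spaces.
            users = {u.lower() for u in re.split(r"[,\s]+", value) if u}
            if key.endswith("allow"):
                allow = users
            else:
                deny = users
        elif key == "adclient.hash.expires":
            expires = int(value)
    return allow, deny, expires

def hash_is_cached(user, allow, deny):
    """Deny overrides allow; an empty allow list means all users are cached."""
    user = user.lower()   # assumption: names are compared case-insensitively
    if user in deny:
        return False
    return not allow or user in allow

def audit(text, sensitive_users):
    """List findings: never-expiring hashes and sensitive accounts whose hash is cached."""
    allow, deny, expires = parse_hash_settings(text)
    findings = []
    if expires == 0:
        findings.append("adclient.hash.expires is 0: cached hashes never expire")
    for user in sensitive_users:
        if hash_is_cached(user, allow, deny):
            findings.append(f"{user}: password hash is cached for offline logon")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, ["ops.admin", "mlee", "root.svc"]):
        print(finding)
```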