Greg Zejer

Sep 11, 2020 · 1 min

Windows Desktop – Credential Manager CLI

If you are like me, I’m not a big fan of Credential Manager. User accounts always get locked out because of this feature, especially when they change their password. If I can disable Credential Manager, I do via GPO.

If disabling credential manager does not work for the client, managing it becomes cumbersome.

There is a CLI users can use in order to manage it:
 
rundll32.exe keymgr.dll,KRShowKeyMgr

This command doesn’t capture everything though. There is another option, POWERSHELL to the rescue! Well, sort of a hybrid solution.

You can use cmdkey to get a list of all saved passwords, both for the user and machine:

Once you have the list, you can use it with a ForEach-Object PowerShell combination in order to delete them all:

cmdkey /list | ForEach-Object{if($_ -like "*Target:*"){cmdkey /delete:($_ -replace " ","" -replace "Target:","")}}

Adding this command to the user login script GPO works wonders. Does it upset people that they have to type their password all the time? Sure, but it’s a more secure solution, so this doesn’t happen to you:

https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
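
An audit-first variant of the cleanup one-liner above, added here as an example and not taken from the original post: it parses the cmdkey /list output into objects so entries can be reviewed or filtered before anything is deleted. The function names ConvertFrom-CmdkeyList and Remove-StoredCredential, the sample entries and the "Domain Password" filter are assumptions chosen for illustration, and the parser expects English-language cmdkey output.

```powershell
# Added example (not from the original post). Assumes English cmdkey output labels.
function ConvertFrom-CmdkeyList {
    param([Parameter(ValueFromPipeline)][string[]]$Line)
    begin { $entry = $null }
    process {
        foreach ($l in $Line) {
            if ($l -match '^\s*Target:\s*(.+?)\s*$') {
                if ($null -ne $entry) { [pscustomobject]$entry }   # emit the previous entry
                $entry = [ordered]@{ Target = $Matches[1]; Type = $null; User = $null }
            }
            elseif ($entry -and $l -match '^\s*Type:\s*(.+?)\s*$') { $entry.Type = $Matches[1] }
            elseif ($entry -and $l -match '^\s*User:\s*(.+?)\s*$') { $entry.User = $Matches[1] }
        }
    }
    end { if ($null -ne $entry) { [pscustomobject]$entry } }
}

function Remove-StoredCredential {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Target)
    process {
        if ($PSCmdlet.ShouldProcess($Target, 'cmdkey /delete')) {
            # Passed as one argument; spaces in the target name are not stripped
            & cmdkey.exe "/delete:$Target" | Out-Null
        }
    }
}

# Constructed sample output, so the parser can be tried without touching real entries
$sample = @'
Currently stored credentials:

    Target: Domain:target=fileserver01.example.test
    Type: Domain Password
    User: EXAMPLE\jdoe

    Target: LegacyGeneric:target=git:https://git.example.test
    Type: Generic
    User: jdoe
'@ -split '\r?\n'
$sample | ConvertFrom-CmdkeyList | Format-Table -AutoSize

# Audit first: -WhatIf reports what would be deleted without deleting anything
cmdkey.exe /list | ConvertFrom-CmdkeyList |
    Where-Object Type -eq 'Domain Password' |
    Remove-StoredCredential -WhatIf
```

Dropping -WhatIf performs the deletion; removing the Where-Object stage clears every listed entry, as the one-liner does.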
