Key Points
- Distinguish between stored credentials for network resources (Credential Manager entries) and cached logon verifiers used for offline domain sign-in; they live in different places and are managed by different means.
- Automate the cleanup of stored credentials with PowerShell scripts built around cmdkey, and control cached logons through the Group Policy setting that writes the CachedLogonsCount registry value.
- Prevent new cached logon verifiers by setting the number of previous logons to cache to zero (or a low value where roaming laptops still need offline sign-in), and enable Credential Guard to isolate the secrets that remain in memory.
- Integrate credential cleanup into standard IT lifecycle events such as employee offboarding and device refresh cycles.
- Keep detailed logs of every cleanup action and of policy state so that audit-ready compliance reports can be generated from them.
Login details stored on laptops become a serious liability when devices are lost or employees leave. Knowing how to delete cached credentials on one machine isn't enough; you need a strategy that scales across the fleet.
In this guide, you will learn a complete process to locate, clean, and prevent cached credentials across your environment, with automation and audit-ready documentation.
Step-by-step process for clearing cached Windows credentials
Clearing cached credentials is essential for maintaining security and resolving access issues.
📌 Use case: Clear cached Windows credentials after a security incident, when redeploying a device, or when an employee leaves the company. It is also a common troubleshooting step for network resource access problems.
📌 Prerequisites: A successful process requires preparation. Ensure you have the following:
- An inventory of your endpoints (including OS versions like Windows 11) and local admin account details.
- Ensure your automation tools (PowerShell, Intune, RMM) are ready for remote execution.
- Verify that baseline security policies, such as Credential Guard, are active to strengthen your posture before you begin.
Once you have these requirements, follow the steps below.
Step 1: Find the cached credentials and scope risk
First, locate all stored logins to understand your security exposure. You also need to distinguish between stored credentials for resources and cached logon credentials for offline sign-in.
How to find stored credentials
For saved passwords that access specific resources such as network shares, use these methods:
- Graphical view: Open Windows Credential Manager by searching for it from the Start Menu. It shows only the vault of the signed-in user.
- Command line: Run cmdkey /list in a Command Prompt or PowerShell window. Because the Credential Manager vault is per-user, run it as the user whose credentials you want to see; a session running as SYSTEM or as another account shows that account's vault, not the user's.
- Browser stores: Check saved passwords in the settings of Chrome, Firefox, and other browsers.
Understanding cached logon credentials
Cached logon credentials are password-derived verifiers (the MS-Cache v2 format) that Windows creates during a domain sign-in so the user can sign in again later without a domain controller. They are not managed like stored passwords.
- Purpose: Allow sign-in to a domain-joined PC when it cannot contact a domain controller.
- Control: Governed by the Group Policy setting Interactive logon: Number of previous logons to cache, which writes the CachedLogonsCount value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
- Storage: Kept in the protected SECURITY registry hive (readable only as SYSTEM), not in Credential Manager.
Scoping the risk
List every discovered credential with its device and the account it belongs to. The primary risks are:
- Stored credentials: An attacker running as the owning user, or as SYSTEM with access to that user's DPAPI keys, can decrypt them and reuse them for lateral movement within your network.
- Cached logon verifiers: An attacker with SYSTEM privileges can dump them and crack them offline, and they still permit offline sign-in with an old password until the entry is refreshed by a connected sign-in, so a recent password change is not enforced on that device.
This inventory provides the evidence you need to plan a targeted cleanup.
Step 2: Automate cleanup across endpoints
Deploy scripts to efficiently clear credentials from multiple computers. Automation differs for stored credentials (for resources) and cached logon credentials (for offline sign-in).
Automating stored credential cleanup
- Build your deployment script: Use a PowerShell script or your RMM tool to run the cleanup. The following PowerShell snippet uses cmdkey to list stored credentials and delete one entry by the target name shown in the list, writing a line of output for the log:
```powershell
# List all stored credentials in the current user's vault
cmdkey /list
# Delete one credential by the target name shown in the /list output
cmdkey /delete:"TARGET_NAME"
Write-Output "Deleted credential for TARGET_NAME"
```
- Schedule the execution: Run this via your RMM or Intune outside business hours. Because the Credential Manager vault is per-user, the script must run in the context of the user whose credentials are being removed (for example as a logon script, or as an Intune or RMM task configured to run as the logged-on user); running it as SYSTEM or as an administrator cleans that account's vault, not the user's. Make sure it logs its actions for audit proof.
- Verify and log: Have the script write a simple log file confirming successful deletion on each device. This provides immediate proof for audits.
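The script below is an added example written for this guide; it is not code from the original article or from NinjaOne. It serves both Step 1 (it parses cmdkey /list into objects you can inventory) and the stored-credential cleanup above (it deletes matching entries and appends one CSV log row per entry). The parameter names, the log path, the regex filter and the reliance on English cmdkey messages are this example's own choices, and it must run as the user whose vault is being cleaned.

```powershell
# Added example for this guide (not code from the original article or from NinjaOne):
# inventory Windows Credential Manager entries with cmdkey, optionally delete the ones
# matching a pattern, and append a CSV log line per entry for audit evidence.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7 on Windows; the script runs as the
# user whose vault is being cleaned (Credential Manager is per-user); parameter names,
# log path and the English cmdkey success message are this example's choices.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$TargetPattern = '.*',   # regex over the Target field; default matches everything
    [string]$LogPath = "$env:ProgramData\CredCleanup\cmdkey-cleanup.csv"
)

function Get-StoredCredential {
    # Parse 'cmdkey /list' output into objects with Target, Type and User (Step 1 discovery).
    $entries = @()
    $current = $null
    foreach ($line in (& cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            if ($current) { $entries += $current }
            $current = [pscustomobject]@{ Target = $Matches[1]; Type = ''; User = '' }
        }
        elseif ($current -and $line -match '^\s*Type:\s*(.+?)\s*$') { $current.Type = $Matches[1] }
        elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') { $current.User = $Matches[1] }
    }
    if ($current) { $entries += $current }
    return $entries
}

function Remove-StoredCredential {
    param([Parameter(Mandatory)][string]$Target)
    # Try the target exactly as /list printed it; if cmdkey rejects that form, retry
    # without the 'Domain:target=' / 'LegacyGeneric:target=' display prefix.
    $candidates = @($Target, ($Target -replace '^(Domain|LegacyGeneric):target=', '')) | Select-Object -Unique
    foreach ($name in $candidates) {
        $out = (& cmdkey "/delete:$name" 2>&1) -join ' '
        if ($out -match 'successfully') { return $true }   # assumes English cmdkey output
    }
    return $false
}

$null = New-Item -ItemType Directory -Path (Split-Path -Parent $LogPath) -Force
$results = foreach ($cred in (Get-StoredCredential | Where-Object { $_.Target -match $TargetPattern })) {
    $action = 'Skipped'
    # Running the script with -WhatIf makes ShouldProcess return $false: a dry inventory run.
    if ($PSCmdlet.ShouldProcess($cred.Target, 'Delete stored credential')) {
        $action = if (Remove-StoredCredential -Target $cred.Target) { 'Deleted' } else { 'Failed' }
    }
    [pscustomobject]@{
        Timestamp = (Get-Date).ToString('o')
        Computer  = $env:COMPUTERNAME
        RunAs     = "$env:USERDOMAIN\$env:USERNAME"
        Target    = $cred.Target
        Type      = $cred.Type
        User      = $cred.User
        Action    = $action
    }
}

if ($results) {
    $results | Export-Csv -Path $LogPath -NoTypeInformation -Append
    $results | Format-Table -AutoSize
} else {
    Write-Output "No stored credentials matched '$TargetPattern' for $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME"
}
```

Run it first with -WhatIf to get the inventory for Step 1 without deleting anything, then with a narrower -TargetPattern (for example 'TERMSRV/' for saved RDP logins) once you know what is on the device. The RunAs column in the log is what proves to an auditor that the cleanup touched the right user's vault.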
Automating cached logon credential cleanup
Cached logon verifiers cannot be removed individually by a script. Instead, configure the Group Policy setting that stops new ones from being created; the setting does not delete entries that already exist (see the notes below).
Follow this procedure to disable caching:
- Open the Group Policy Management Editor and navigate to:
- Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
- Find and double-click the policy: Interactive logon: Number of previous logons to cache (in case domain controller is not available).
- Set the value to 0 and click OK.
⚠️ Important Notes:
- A system restart is required for this change to take effect on existing devices.
- This setting only prevents new verifiers from being cached; it does not delete existing ones.
- A value of 0 means domain users cannot sign in at all while the device cannot reach a domain controller. For laptops that must work off-network without VPN-before-logon, a small non-zero value (security baselines such as CIS accept 4 or fewer) combined with Credential Guard is the usual compromise; 0 is appropriate for desktops and devices that are always on the corporate network.
- For consistent, network-wide enforcement, deploy this policy via Active Directory Group Policy or an MDM such as Microsoft Intune rather than editing the registry on individual machines, where the next policy refresh would overwrite a local change.
Once this is complete, stored credentials for resources are removed and users are prompted to re-authenticate. The policy change stops domain sign-in verifiers from being cached for future offline logons, addressing both key risks.
Step 3: Harden policies to prevent recurrence
To provide lasting security, configure policies that prevent credentials from being cached.
Implement core security controls
Use Group Policy or MDM tools like Intune to deploy two key settings. First, set "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" to 0 (or the low value chosen in Step 2 for roaming laptops) to limit cached domain sign-in information for offline logon. Second, enable Credential Guard on Windows devices; it uses virtualization-based security to isolate LSA secrets such as NTLM hashes and Kerberos tickets from the rest of the operating system, and it requires VBS-capable hardware (UEFI, Secure Boot, and CPU virtualization extensions).
Restrict account access
Assign the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights to service accounts and high-privilege groups so they can only be used non-interactively. An account that never signs in interactively on a workstation never has a logon verifier cached there.
Once applied, these policies stop new domain credentials from being cached locally, removing most of the cached-credential attack surface on new and re-provisioned devices. Verify them periodically; a policy that silently stopped applying gives no protection.
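The following script is an added example for this guide, not code from the original article or from NinjaOne. It checks the three controls from Step 2 and Step 3 on one device: the cached-logon count (and, with -Enforce, sets the same CachedLogonsCount registry value the policy writes), whether Credential Guard is actually running, and which principals carry the "Deny log on locally" right. The parameter names, the -Enforce switch and the output shape are this example's choices; it must run elevated.

```powershell
# Added example for this guide (not code from the original article or from NinjaOne):
# audit, and with -Enforce set, the cached-logon count on one device, then report whether
# Credential Guard is running and which principals are denied interactive logon.
# Assumptions: run elevated on Windows 10/11; parameter names and the output shape are
# this example's choices. Writing the registry value locally is only a stopgap: a domain
# GPO or Intune policy should own the setting, and a restart is still required.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$DesiredCachedLogons = 0,   # 0 for always-connected devices; a low value for roaming laptops
    [switch]$Enforce                 # without it the script only reports
)

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    # CachedLogonsCount is a REG_SZ; when it is absent Windows uses its default of 10.
    $v = (Get-ItemProperty -Path $Winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $v) { return 10 }
    return [int]$v
}

function Set-CachedLogonsCount {
    param([int]$Count)
    # Same value the policy "Interactive logon: Number of previous logons to cache" writes.
    Set-ItemProperty -Path $Winlogon -Name CachedLogonsCount -Value ([string]$Count) -Type String
}

function Get-CredentialGuardState {
    # Win32_DeviceGuard lists running/configured service IDs: 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if (-not $dg) { return 'Unknown' }
    if ($dg.SecurityServicesRunning -contains 1)    { return 'Running' }
    if ($dg.SecurityServicesConfigured -contains 1) { return 'ConfiguredNotRunning' }
    return 'NotConfigured'
}

function Get-DenyInteractiveLogon {
    # Export the effective user-rights assignments and read "Deny log on locally".
    $inf = Join-Path $env:TEMP 'user-rights-export.inf'
    $null = & secedit /export /cfg $inf /areas USER_RIGHTS
    $line = Get-Content -Path $inf -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' } | Select-Object -First 1
    Remove-Item -Path $inf -Force -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Right-hand side is a comma-separated list of SIDs (prefixed with *) or account names.
    return (($line -split '=', 2)[1].Trim() -split ',')
}

$before = Get-CachedLogonsCount
$action = 'Audit only'
if ($Enforce -and $before -ne $DesiredCachedLogons -and
    $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set CachedLogonsCount to $DesiredCachedLogons")) {
    Set-CachedLogonsCount -Count $DesiredCachedLogons
    $action = 'Set; restart required'
}
$now = Get-CachedLogonsCount

[pscustomobject]@{
    Computer                = $env:COMPUTERNAME
    CachedLogonsCountBefore = $before
    CachedLogonsCountNow    = $now
    CachedLogonsCompliant   = ($now -le $DesiredCachedLogons)
    CredentialGuard         = Get-CredentialGuardState
    DenyLogOnLocally        = ((Get-DenyInteractiveLogon) -join ';')
    Action                  = $action
} | Format-List
```

Deploy the audit form through your RMM or as an Intune script and collect the output per device; a CredentialGuard value of ConfiguredNotRunning usually means the hardware prerequisites (UEFI, Secure Boot, virtualization extensions) are missing on that machine, which is exactly the kind of gap the quarterly review in Step 4 should surface.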
Step 4: Integrate cleanup into lifecycle events
Build credential maintenance into your standard IT procedures for ongoing security. Integrate specific automated actions for both stored credentials and cached logon credentials at key moments.
For stored credentials (Resource logins)
Automate the removal of saved network passwords during critical events.
- Use in offboarding scripts: Incorporate a cmdkey cleanup script to remove the departing employee's stored credentials from their device.
- Add to checklists: Include "Run stored credential cleanup script" in your offboarding and device refresh checklists.
For cached logon credentials (Offline sign-in)
These are managed by policy, not scripts. Integrate policy enforcement into your deployment lifecycle.
- Apply policy at provisioning: Ensure the Group Policy setting “Interactive logon: Number of previous logons to cache” is deployed to new devices.
- Verify policy in audits: Include a check for this policy state during quarterly security reviews.
Schedule regular maintenance
Configure your script for stored credentials to run monthly via your RMM to clear accumulated logins. For cached logon credentials, continuous enforcement via policy is the maintenance.
Step 5: Document evidence and remediation records
Maintain thorough documentation to prove compliance and track your security posture.
Create standardized logging
For every credential cleanup action, record these essential details in a central system:
- Device name and user/service account
- Specific credentials removed
- Date and timestamp of action
- Name of the technician who performed the cleanup
- Follow-up verification results
Generate monthly compliance reports
Compile regular summaries that include:
- Total number of credentials removed
- Devices showing policy non-compliance
- Remaining high-risk accounts requiring attention
- Trends in credential accumulation across your environment
This documentation creates an auditable trail that demonstrates proactive security management. When auditors review your processes, you’ll have clear evidence of consistent credential maintenance and compliance with your security policies.
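The script below is an added example for this guide, not code from the original article or from NinjaOne. It shows how the per-device cleanup and policy-audit logs described above can be rolled into the monthly summary: credentials removed, removal failures, devices out of policy, and accounts still needing attention. The two CSV blocks are constructed sample data in the column layout of this guide's logging step; in production you would replace them with Import-Csv over the collected log files. The "high-risk" rule (a service-account credential that was not removed) is this example's own assumption.

```powershell
# Added example for this guide (not code from the original article or from NinjaOne):
# aggregate per-device cleanup logs and policy-audit results into a monthly summary.
# The CSV content below is constructed sample data; replace with
# Import-Csv over the collected log files in production.
$cleanupLog = @'
Timestamp,Computer,RunAs,Target,Type,User,Action
2024-05-02T22:01:10,LT-0142,CORP\jdoe,Domain:target=TERMSRV/fs01,Domain Password,CORP\jdoe,Deleted
2024-05-02T22:01:11,LT-0142,CORP\jdoe,LegacyGeneric:target=git:https://github.com,Generic,jdoe,Deleted
2024-05-03T22:00:05,LT-0198,CORP\asmith,Domain:target=fs01.corp.example,Domain Password,CORP\svc-backup,Failed
2024-05-03T22:00:06,LT-0198,CORP\asmith,Domain:target=TERMSRV/app02,Domain Password,CORP\asmith,Deleted
'@ | ConvertFrom-Csv

$policyLog = @'
Computer,CachedLogonsCountNow,CredentialGuard
LT-0142,0,Running
LT-0198,10,NotConfigured
LT-0203,0,ConfiguredNotRunning
'@ | ConvertFrom-Csv

function New-ComplianceReport {
    param($Cleanup, $Policy, [int]$DesiredCachedLogons = 0)
    $removed = @($Cleanup | Where-Object { $_.Action -eq 'Deleted' })
    $failed  = @($Cleanup | Where-Object { $_.Action -eq 'Failed' })
    # A device is non-compliant if its cache count exceeds the target or Credential Guard is not running.
    $nonCompliant = @($Policy | Where-Object {
        [int]$_.CachedLogonsCountNow -gt $DesiredCachedLogons -or $_.CredentialGuard -ne 'Running'
    })
    # Assumed high-risk rule: a service-account (svc-*) credential that is still on a device.
    $highRisk = @($Cleanup | Where-Object { $_.User -like '*svc-*' -and $_.Action -ne 'Deleted' })
    [pscustomobject]@{
        CredentialsRemoved   = $removed.Count
        RemovalFailures      = $failed.Count
        DevicesWithRemovals  = @($removed.Computer | Select-Object -Unique).Count
        NonCompliantDevices  = ($nonCompliant.Computer -join ', ')
        HighRiskAccounts     = (($highRisk | ForEach-Object { "$($_.User) on $($_.Computer)" }) -join ', ')
        RemovalsPerDevice    = (($removed | Group-Object Computer | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', ')
    }
}

New-ComplianceReport -Cleanup $cleanupLog -Policy $policyLog | Format-List
```

Keeping RemovalsPerDevice month over month gives the accumulation trend the report asks for: a device whose count keeps climbing is one where users save resource passwords faster than the monthly job clears them.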
Streamline credential management with NinjaOne
NinjaOne centralizes and automates credential security, managing stored credentials and enforcing policies for cached logons.
- Discover & clean stored credentials: Run scripts to find and remove saved logins from the Windows Credential Manager.
- Enforce & monitor policies: Deploy and verify critical Group Policy settings, like disabling credential caching, while monitoring defenses like Credential Guard.
- Centralized audit proof: Automatically collect logs and evidence for immediate compliance reporting.
This approach creates a scalable, automated system for continuous credential security and audit readiness.
Cut risk from stored logins at scale. Discover, clean, and document cached credentials with policy-driven automation.
→ Automate cached-credential cleanup with NinjaOne
Secure your environment by managing cached credentials
Manually deleting cached credentials is a reactive fix, but true security comes from a proactive system. By implementing automated cleanup, enforcing preventive policies, integrating with IT lifecycles, and maintaining detailed logs, you build a robust defense against credential-based attacks.
This end-to-end process transforms a common vulnerability into a documented, controlled security practice that satisfies both technical and compliance requirements.