The disconnected-mode reset enables the GINA extension on the Windows logon screen to reset a user’s cached password, even when the machine is not connected to the domain.
Netwrix Password Manager can reset a password in the local cache if both of the following are true:
- The Password Manager Logon Prompt Extension is installed.
- The user is enrolled through the local enrollment wizard, which is a part of the Logon Prompt Extension.
In this case, if the Password Manager server cannot be reached, the Password Manager client can reset the password locally, in the cache. This password applies only to the current machine and becomes invalid as soon as the machine connects back to the domain.
To make sure that all users enroll through the enrollment wizard, enable force enrollment by creating the key PRM_SuppressLaterEnrollment with a value of 1 in HKLM\Software\[Wow6432Node]\Policies\NetWrix\Password Manager (Wow6432Node only for x64 OS).
To prohibit password resets in the local cache, create the DWORD PRM_ResetCredentialsCache with a value of 0 in HKLM\Software\[Wow6432Node]\Policies\NetWrix\Password Manager (Wow6432Node only for x64 OS).
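To confirm which of these settings is in effect on a given machine, the following PowerShell check reads both values from the path given above. It is an added example, not part of Netwrix Password Manager or its documentation; the function name Get-PolicyValue and the output property names are assumptions, and a value that is absent is reported as not set rather than interpreted.

```powershell
# Added example (not vendor code): audit the two policy values named on this page.
# Run from a 64-bit PowerShell session on x64 so the Wow6432Node path is read literally.

# The page states that Wow6432Node is used only on an x64 OS.
$policyPath = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\Software\Wow6432Node\Policies\NetWrix\Password Manager'
} else {
    'HKLM:\Software\Policies\NetWrix\Password Manager'
}

function Get-PolicyValue {
    # Hypothetical helper: returns the value data, or $null if the key or value is missing.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name
    )
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$suppressLater = Get-PolicyValue -Path $policyPath -Name 'PRM_SuppressLaterEnrollment'
$resetCache    = Get-PolicyValue -Path $policyPath -Name 'PRM_ResetCredentialsCache'

$report = [pscustomobject]@{
    ComputerName                = $env:COMPUTERNAME
    PolicyPath                  = $policyPath
    PolicyKeyPresent            = Test-Path -Path $policyPath
    PRM_SuppressLaterEnrollment = if ($null -eq $suppressLater) { '<not set>' } else { $suppressLater }
    # Force enrollment is on only when the value exists and equals 1.
    ForceEnrollmentEnabled      = ($suppressLater -eq 1)
    PRM_ResetCredentialsCache   = if ($null -eq $resetCache) { '<not set>' } else { $resetCache }
    # Local cache reset is prohibited only when the value exists and equals 0.
    LocalCacheResetProhibited   = ($resetCache -eq 0)
}

$report | Format-List

# Non-zero exit code when local cache reset has not been explicitly prohibited,
# so the check can be used in a compliance job that expects it to be disabled.
if (-not $report.LocalCacheResetProhibited) { exit 1 }
```

Drop the final exit line on machines where disconnected-mode reset is meant to stay enabled.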
All the above keys can be applied to all machines via Group Policy, using the template provided with Netwrix Password Manager.
Refer to paragraph 3.3, procedure 4 of the Administrator's Guide for detailed information on applying the template: