Manage network logon credentials in Microsoft Windows

Greg Shultz introduces you to Windows 7's Credential Manager, explains how it works, and compares it to Stored User Names and Passwords.

As you may know, Microsoft Windows 7 provides a new and improved version of a tool that also appeared in Windows Vista and Windows XP and is designed for managing network-based logon credentials (i.e. user names and passwords) from sources that adhere to Microsoft credential management standards. The Windows 7 tool is called Credential Manager and is more advanced than the simplistic tool called Stored User Names and Passwords that came with Windows Vista and Windows XP.

With credentials stored in these tools, you will be able to automatically log on to a server/site without first being prompted to provide a user name and password. For example, Windows 7's Credential Manager can store credentials and automatically log you in to Windows Live services such as Hotmail and SkyDrive, Microsoft Office services such as Outlook Web Access for Exchange Server as well as Windows servers and Remote Desktop connections.

In this Windows Desktop Report blog post, I'll introduce you to Windows 7's Credential Manager and explain how it works. I'll also briefly examine the Stored User Names and Passwords tool in Windows Vista and Windows XP for comparison purposes.

This blog post is also available in PDF format in a free TechRepublic download.

Access the Credential Manager

You can quickly access the Credential Manager in Windows 7 by clicking the Start button and typing Credential in the Start Search dialog box. As soon as you do, you'll see Credential Manager appear in the results panel, as shown in Figure A.

Figure A

You'll see Credential Manager appear in the results panel.

Alternatively, you can find the Credential Manager in the User Accounts and Family Safety section of the Control Panel, as shown in Figure B.

Figure B

Credential Manager can be found in the User Accounts and Family Safety section of the Control Panel.

Either way, when you launch the Credential Manager, you'll see its window, as shown in Figure C.

Figure C

Credential Manager is very user-friendly.

Windows Vault

As you can see by the icon near the top of the window, the default storage location for the credentials is called Windows Vault. This is just a generic name for the hidden Credentials folder on your hard drive. If you are connected to a domain, this folder is in the path C:\Users\UserName\AppData\Roaming\Microsoft. If you are using a peer-to-peer network, the folder is in the path C:\Users\UserName\AppData\Local\Microsoft. As you might imagine, the files in the Vault/Credentials folder are encrypted.

Back Up and Restore the Windows Vault

Beneath the Windows Vault icon, you'll see links to the Back Up Vault and Restore Vault operations. In addition to providing a backup in case of accidental deletion or corruption, this feature makes it easy to transfer a user's credentials from one system to another.

When you click the Back Up Vault link, you'll encounter a wizard that walks you through the process, as shown in Figure D. The process includes accessing the Secure Desktop via CTRL+ALT+DELETE, where you are prompted to password-protect your credential backup file.

Figure D

During the backup process, you'll enter the Secure Desktop and add a password to the credential backup file.

During the Restore process, shown in Figure E, you need to access the Secure Desktop to enter the password before you can restore the credential backup file.

Figure E

Before you can restore the credential backup file, you'll need to access the Secure Desktop to enter the password.

(Keep in mind that even if you have disabled the Secure Desktop, you'll still encounter the Secure Desktop while backing up and restoring the credential backup file.)

Credential types

The Credential Manager separates the types of credentials that it stores into three categories: Windows Credentials, Certificate-Based Credentials, and Generic Credentials.

  • Windows Credentials are user names and passwords used to log on to Windows-based network shares, Web sites that use Windows Integrated Authentication, and Remote Desktop/Terminal Server Connections.
  • Certificate-Based Credentials are for smart cards and other similar devices.
  • Generic Credentials are for third-party applications that manage authorization separate from the credentials of the currently logged-on user. (Almost any credentials that adhere to the Microsoft standard can be stored in the Generic Credentials category.)

Keep in mind that Credential Manager is not used to store all types of credentials used for connecting to Web sites. For example, most Web site credentials in Internet Explorer are handled by the AutoComplete feature.

Adding/Editing credentials

In many cases, credentials are automatically added to Credential Manager. For example, when you set up a Remote Desktop Connection and select the Allow Me to Save Credentials check box, as shown in Figure F, the user name and password will be saved in the Windows Vault.

Figure F

When you select the Allow Me to Save Credentials check box in Remote Desktop Connection, credentials are automatically added to Credential Manager.

You can add credentials manually by clicking the Add link in any of the categories and filling in the required fields in the dialog box. For example, if you click Add a Windows Credential to set up a Remote Desktop Connection, you'll fill in the Add a Windows Credential window, as shown in Figure G. As you can see, I opted to enter the computer name in the first text box, but I could have just as easily used the computer's IP address instead.

Figure G

You can manually add credentials by clicking the Add link in any of the categories and filling in the required fields in the dialog box.

Once you have credentials set up, you can view them by clicking the adjacent arrow button, as shown in Figure H. Once you reveal the credential, you can edit the entry by clicking the Edit link or delete the entry by clicking the Remove from Vault link.

Figure H

Once you have credentials set up, you can view them by clicking the adjacent arrow button.
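
The same inventory can be taken from a PowerShell prompt with the built-in cmdkey tool, which lists stored targets and user names but not the passwords. This is an added example, not part of the original post: the function name is hypothetical, the sample output is constructed, and it assumes English-language cmdkey labels and the Domain:target= / LegacyGeneric:target= layout.

```powershell
# Parse `cmdkey /list` output into objects (works on PowerShell 2.0, as shipped with Windows 7).
function ConvertFrom-CmdKeyList {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            # A new "Target:" line starts the next entry; emit the previous one.
            if ($null -ne $current) { New-Object PSObject -Property $current }
            $current = @{ Target = $Matches[1]; Type = ''; User = '' }
        }
        elseif ($null -ne $current -and $line -match '^\s*(Type|User):\s*(.+?)\s*$') {
            $current[$Matches[1]] = $Matches[2]
        }
    }
    if ($null -ne $current) { New-Object PSObject -Property $current }
}

# Constructed sample (assumed layout). On a real machine use:  $raw = cmdkey /list
$raw = @(
    'Currently stored credentials:',
    '',
    '    Target: Domain:target=TERMSRV/fileserver01',
    '    Type: Domain Password',
    '    User: EXAMPLE\alice',
    '',
    '    Target: LegacyGeneric:target=ExampleApp',
    '    Type: Generic',
    '    User: appuser'
)

$stored = ConvertFrom-CmdKeyList -Lines $raw
$stored | Format-Table Target, Type, User -AutoSize | Out-String

# Passwords saved by Remote Desktop Connection appear as TERMSRV/<host> targets.
foreach ($entry in ($stored | Where-Object { $_.Target -match 'target=TERMSRV/' })) {
    $name = $entry.Target -replace '^.*?target=', ''
    Write-Output "Saved RDP credential for $name (user $($entry.User)); remove with: cmdkey /delete:$name"
}

# The encrypted credential files in the two folders named above (hidden, so -Force is needed).
foreach ($dir in "$env:APPDATA\Microsoft\Credentials", "$env:LOCALAPPDATA\Microsoft\Credentials") {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Force | Format-Table FullName, Length, LastWriteTime -AutoSize | Out-String
    }
}
```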

Credentials for developers

If you are a developer, you can learn how to take advantage of the Credentials Management application programming interface (API) in Windows 7 by investigating the Credentials Management resource on the MSDN site.

Stored User Names and Passwords

The Stored User Names and Passwords tool in Windows Vista and Windows XP works similarly to the Windows 7 version. Credentials can be added automatically or manually, and once in place they will allow you to automatically log on to a server/site without first being prompted to provide a user name and password.

The Stored User Names and Passwords tool can be launched by pressing [Windows]+R to access the Run dialog box and then typing control userpasswords2 in the Open text box. In Vista, you will need to work through a UAC prompt before you get to the User Accounts dialog box. In XP, you'll immediately see the User Accounts dialog box. In the User Accounts dialog box, select the Advanced tab, and then click the Manage Passwords button.

As you can see in Figure I, the Windows Vista version allows you to back up and restore the credentials as well as add, remove, and edit credentials.

Figure I

The Windows Vista version also allows you to back up and restore the credentials.

The Windows XP version of the Stored User Names and Passwords tool, shown in Figure J, allows you to add, remove, and edit (via Properties) credentials.

Figure J

The Windows XP version of the Stored User Names and Passwords tool doesn't have backup or restore capabilities.

What's your take?

Have you investigated the Credential Manager in Windows 7? Have you used the Stored User Names and Passwords tool in Vista or XP? What has been your experience with these tools? Do you find them advantageous? As always, if you have comments or information to share about this topic, please take a moment to drop by the TechRepublic Community Forums and let us hear from you.

About

Greg Shultz is a freelance Technical Writer. Previously, he has worked as a Documentation Specialist in the software industry, a Technical Support Specialist in the educational industry, and a Technical Journalist in the computer publishing industry.

6 comments
oldbaritone

MS has not had a good track record with "all-in-one" sign-on methods - Google "Microsoft Passport Security" and see everything that comes back. Credential Manager sounds like a nice concept, but I'm going to wait a while before committing to it.

Mark W. Kaelin

Have you investigated the Credential Manager in Windows 7? Have you used the Stored User Names and Passwords tool in Vista or XP? What has been your experience with these tools? Do you find them advantageous?

concernedITpro

I have tried unsuccessfully to get this to work. I RDP into several different machines, access many different Windows Servers and domains, and have yet to notice any difference when using or not using the Credential Manager. Either I am doing something wrong, or it just doesn't work. My OS is Win7 x64.

Greg Shultz

...that even with credentials stored in Credential Manager, you are still being prompted to provide a user name and password? In other words, you are not automatically logged on to a server/site?

Greg Shultz

...there is some sort of incompatibility between the way that Windows 7 and Windows 2000 Server treat credentials. Chances are that W2K doesn't even recognize the vault storage system. Windows XP and Windows 2000 Server are more closely related, as far as technology goes, so that is probably why Windows XP workstations work perfectly. Anyone else have ideas on this subject?

hweierud

Hi! I have a problem! All my Windows 7 workstations delete stored credentials on logon/logoff. I.e., I log on to the computer, open "control keymgr.dll", and add a few Windows credentials. Throughout that session, my applications will autologin, all good! Then if the user logs off, then on again, all the credentials will be deleted, and therefore need to be entered again. Is there a domain policy setting or something that will delete the vault, that I can disable to make the vault retain passwords as intended? (Windows 200 Server (domain controller) - Windows 7 workstations.) (On my Windows XP workstations, this works perfectly!) Thanks in advance, Hans-Eirik