It’s quite common need to run administrative tasks under different credentials than the logged on user. The tool allows to switch between integrated authentication and alternate credentials by clicking on a link on top right corner. This will open a small window to switch between modes. Since version 0.6 it’s possible to save multiple alternate credentials that are then used in order when authenticating on each remote computer – the first successful account will be used.


Items in the list of alternate credentials can only be added and removed. In order to change an item in list, it must be removed and then added from scratch.

If enabled, alternate credentials are used for WMI connections and for other tasks (such as file copy processes). Credentials are temporarily cached once per action on administrator’s machine so that they can be used for every connection to each remote computer. Windows Cached credentials are removed as soon as the action has been run on all computers in the list. The command-line utility CMDKEY.EXE is used to manage stored usernames and passwords. This utility is available by default on Windows Server 2003, Windows 7 and Windows Server 2008. To use alternate credentials on Windows XP, the cmdkey.exe must be placed in same folder as HTA.

Note, that storing the credentials might not be allowed if domain security policy has enabled the setting “Network access: Do not allow storage of credentials or .NET Passports for network authentication”. In that case SCCM CAT will prompt if you want to bypass the restriction temporarily (by overwriting local registry value “disabledomaincreds” in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.


When clicking “Yes”, a small REG file “%temp%\disableDomainCreds.reg” is dynamically created and run by REGEDIT to enable UAC elevation for the registry change. “DisableDomainCreds” value is changed to 0x0. When clicking “No”, alternate credentials can’t be used.

Last edited Feb 28, 2012 at 6:01 AM by pr3m, version 7


No comments yet.