I am trying to construct a application that will allow a user to reset his domain password and get access to their box while it is off domain and off the corp network. E.G. User is a domain user, is traveling off network and forgets his password. He can of course login using his domain creds because they are cached locally in the HKEY_LOCAL_MACHINE\SECURITY\Cache. Unless of course he has forgotten his password. I have already created a login shell addition that will take the user through web 2.0 style security questions etc. to verify their identity. However the last step, actually updating the local security cache with the new password such that the user can continue to login until they resync with the domain controller eludes me. I have looked through all the API's CredWriteDomainCredentials, CredWrite etc. etc. but there does not seem to be an official way to do this. Does anyone have any idea how to write a new hash to the local store essentially simulating a valid domain logon and cache write event?