CRED_FETCH enumeration

Defines values that determine how to fetch the credential of a Group Managed Service Account (gMSA).


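typedef enum _CRED_FETCH {
  CredFetchDefault  = 0,  /* local cache first, then a domain controller */
  CredFetchDPAPI    = 1,  /* return the local DPAPI credential */
  CredFetchForced   = 2   /* re-check the domain controller if clock skew may hide a rollover */
} CRED_FETCH;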



CredFetchDefault

Signifies that the operating system should first attempt to retrieve the password from the local cache. If it is time to fetch the password, the operating system should contact a domain controller for the password. If that fails, any cached passwords are returned with a status value of success.


CredFetchDPAPI

Returns the local DPAPI credential to the caller. Security support providers (SSPs) generally do not need to use this value.


CredFetchForced

Forces the operating system to attempt to read the password from the domain controller. During the password rollover time, the password may have changed at the domain controller and other member hosts, but the gMSA member host recognizes the password as still valid. This can happen because of clock skew between different domain controllers. When this value is specified, the operating system determines whether a password change could have occurred because of clock skew and, if so, retrieves the password. Otherwise, the cached credential is returned. If there is no cached credential, the operating system attempts to get one from the domain controller.


Minimum supported client: Windows 8 [desktop apps only]

Minimum supported server: Windows Server 2012 [desktop apps only]