Have you tried LOphtCrack? Cain is good ( called the poor mans LOphtCrack) but LOphtCrack is stronger for digging in.  It is still my favorite.

what are the command line switches you are using with fgdump?

Well, Kev, the reason I brought this up was so other people could tell me some of those tools that are better than fgdump to get at cached passwords.  I looked around on google and most of the tutorials on gathering the password caches use a tool called cachedump which is no longer in the public domain. 

Now I've found that cachedump does come with fgdump, and if I use that program directly I can get the hashes that I want.  Then I reformatted the cache file info a format that can be used by Cain and tried running a dictionary attack against the file.  We'll see how well that works for me.
Kevin

Thanks, Kev.  You don't have to think very hard to figure that the key to dictionary attacks is having a great word list.  I found a website that has a pretty good pile of word lists that people might want to check out.  http://www.theargon.com/achilles/wordlists/.

So far I have managed to break 5 of 17 passwords with the dictionary attack, which I would consider to be pretty good results.  After all, a person only needs one to cause some damage.

The point of this whole exercise is to come up with some tips for making the lab computers at our university less susceptible to this kind of thing.  I have a few suggestions that I will run by my managers:
   1. We need to alter the registry so that we don't cache credentials
   2. We need to make sure that the workstations aren't storing LANMAN hashes of local accounts
   3. Maybe we should alter group policy so that users cannot run executables from a usb drive.