Re: Cached Logon Count problem

From: Cameron Epp (camepp_at_gmail.com)
Date: 10/28/04


Date: 28 Oct 2004 11:51:00 -0700

Hi Steve, thanks for the note.

I tried your suggestion already - but all that the GPO setting does is
change the value of the registry key I mentioned before.

I think I found the reason for this behaviour though... Once I set the
value (of cachedlogonscount) to 0, it wipes out the cache information
in HKLM\security\cache. This prevents people from logging on with
cached credentials. However, when I reset the value of
cachedlogonscount, it does not restore the previous values into
HKLM\security\cached - all it does is allow new values to be placed in
there. So in my scenario the user has to log on twice - once to change
the value of cachedlogonscount, then a second time (after reboot) to
re-cache their credentials.

For the project I am working on, I got around this by editing the
values in HKLM\security\cache directly. To prevent them from continuing
to use cached credentials, I delete all the values under that key
(effectively wiping out the credential information). The next time they
log on successfully (which now means they have to authenticate with the
domain because they have no cached credentials), the credentials can be
recached without a problem, since I never changed the cachedlogonscount
in the first place.

So - this has allowed me to design a service that can track how long
users have been 'off' the domain, and if they have been away too long,
the service can force them to reauthenticate by preventing them from
using the cached credentials.

// Cam
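
A PowerShell version of the approach described in the post, as an added example that is not the poster's service or code from this thread. The `ExampleCorp\OfflineGuard` key, the `LastDomainContact` value and the 14-day limit are hypothetical, and the script assumes some other task records that timestamp after each successful domain logon.

```powershell
# Added example. Run as SYSTEM: by default only SYSTEM can open HKLM\SECURITY.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$MaxOfflineDays = 14,                                     # hypothetical policy
    [string]$StampKey = 'HKLM:\SOFTWARE\ExampleCorp\OfflineGuard'  # hypothetical key
)

$cacheKey = 'HKLM:\SECURITY\Cache'

function Get-LastDomainContact {
    # Assumption: a separate task writes a round-trip ("o" format) timestamp
    # here each time the machine authenticates against a domain controller.
    $p = Get-ItemProperty -Path $StampKey -Name LastDomainContact -ErrorAction SilentlyContinue
    if ($p) {
        [datetime]::Parse($p.LastDomainContact, [cultureinfo]::InvariantCulture, 'RoundtripKind')
    }
}

function Clear-CachedLogons {
    # Deletes every value under the cache key, as the post describes.
    # cachedlogonscount is left alone, so the next successful domain logon
    # can re-cache credentials without an extra reboot.
    $key   = Get-Item -Path $cacheKey -ErrorAction Stop
    $names = @($key.GetValueNames() | Where-Object { $_ })   # skip the unnamed default value
    foreach ($n in $names) {
        # Remove-ItemProperty honours -WhatIf passed to this script.
        Remove-ItemProperty -Path $cacheKey -Name $n -ErrorAction Stop
    }
    $names.Count
}

$last = Get-LastDomainContact
if (-not $last) {
    # Fail safe: without a timestamp there is no basis for wiping the cache.
    Write-Warning "No LastDomainContact value under $StampKey; cache left untouched."
    return
}

$offlineDays = ((Get-Date).ToUniversalTime() - $last.ToUniversalTime()).TotalDays
if ($offlineDays -gt $MaxOfflineDays) {
    $count = Clear-CachedLogons
    Write-Output ("Offline {0:N1} days (limit {1}); processed {2} cache values. Next logon needs a domain controller." -f $offlineDays, $MaxOfflineDays, $count)
} else {
    Write-Output ("Offline {0:N1} days (limit {1}); cached logons left in place." -f $offlineDays, $MaxOfflineDays)
}
```

Running it with `-WhatIf` lists the values that would be removed without deleting anything.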


