Re: Cached Logon Count problem
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 10/29/04
- In reply to: Cameron Epp: "Re: Cached Logon Count problem"
Date: Fri, 29 Oct 2004 03:49:35 GMT
Glad to hear you got it worked out and thanks for letting me know how you
did it! --- Steve
"Cameron Epp" <camepp@gmail.com> wrote in message
news:1098989460.147857.50970@z14g2000cwz.googlegroups.com...
> Hi Steve, thanks for the note.
>
> I tried your suggestion already - but all that the GPO setting does is
> change the value of the registry key I mentioned before.
>
> I think I found the reason for this behaviour though... Once I set the
> value (of cachedlogonscount) to 0, it wipes out the cache information
> in HKLM\security\cache. This prevents people from logging on with
> cached credentials. However, when I reset the value of
> cachedlogonscount, it does not restore the previous values into
> HKLM\security\cached - all it does is allow new values to be placed in
> there. So in my scenario the user has to log on twice - once to change
> the value of cachedlogonscount, then a second time (after reboot) to
> re-cache their credentials.
>
> For the project I am working on, I got around this by editing the
> values in HKLM\security\cache directly. To prevent them from continuing
> to use cached credentials, I delete all the values under that key
> (effectively wiping out the credential information). The next time they
> log on successfully (which now means they have to authenticate with the
> domain because they have no cached credentials), the credentials can be
> recached without a problem, since I never changed the cachedlogonscount
> in the first place.
>
> So - this has allowed me to design a service that can track how long
> users have been 'off' the domain, and if they have been away too long,
> the service can force them to reauthenticate by preventing them from
> using the cached credentials.
>
> // Cam
>
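
The state Cameron describes (a non-zero cachedlogonscount but an emptied cache, so the next logon has to reach a domain controller) can be checked with a read-only audit. This is an added example, not code from the thread or from Cameron's service. It assumes the standard Winlogon location for CachedLogonsCount, that cache slots are the NL$<n> values under HKLM\SECURITY\Cache, and that an unused slot holds only zero bytes; it must run as SYSTEM because administrators cannot read HKLM\SECURITY by default.

```powershell
# Added example (not from the thread): read-only audit of the cached-logon state.
# Assumptions: slot values are named NL$<n>; an unused slot is all zero bytes.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$CacheKey    = 'HKLM:\SECURITY\Cache'

function Get-CachedLogonState {
    # The limit is stored as a string; Windows defaults to 10 when it is absent.
    $raw = (Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount `
            -ErrorAction SilentlyContinue).CachedLogonsCount
    $limit = if ($null -ne $raw) { [int]$raw } else { 10 }

    try {
        $key = Get-Item -Path $CacheKey -ErrorAction Stop
    } catch {
        throw "Cannot open $CacheKey (run as SYSTEM): $($_.Exception.Message)"
    }

    # Classify each slot as populated or empty without printing its contents.
    $slots = @(foreach ($name in $key.GetValueNames() |
                                 Where-Object { $_ -match '^NL\$\d+$' }) {
        $data = [byte[]]$key.GetValue($name)
        [pscustomobject]@{
            Slot      = $name
            Populated = [bool]($data | Where-Object { $_ -ne 0 } |
                               Select-Object -First 1)
        }
    })
    $used = @($slots | Where-Object Populated).Count

    # Map the combination onto the behaviour reported in the thread.
    $finding = if ($limit -eq 0 -and $used -gt 0) {
        'Caching disabled but entries remain: the cache was not wiped'
    } elseif ($limit -eq 0) {
        'Caching disabled and cache empty: every logon needs the domain'
    } elseif ($used -eq 0) {
        'Caching enabled but cache empty: next logon needs the domain, then re-caches'
    } else {
        'Caching enabled with populated slots: offline logon is possible'
    }

    [pscustomobject]@{
        CachedLogonsCount = $limit
        SlotsPresent      = $slots.Count
        SlotsPopulated    = $used
        Finding           = $finding
    }
}

Get-CachedLogonState | Format-List
```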