Re: Does the ability to use cached logon expire?
From: Torgeir Bakken (MVP) (Torgeir.Bakken-spam_at_hydro.com)
Date: 02/03/05
- Next message: workinghard_at_news.postalias: "Re: Does the ability to use cached logon expire?"
- Previous message: Torgeir Bakken (MVP): "Re: firewall wont turn on"
- In reply to: Admiral Q: "Re: Does the ability to use cached logon expire?"
- Next in thread: Admiral Q: "Re: Does the ability to use cached logon expire?"
- Reply: Admiral Q: "Re: Does the ability to use cached logon expire?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 03 Feb 2005 11:10:04 +0100
Admiral Q wrote:
> Yes, once they've logged on 10 times with the "cached"
> credentials, they need to log on to the Domain to reset it.
Hi
That is incorrect.
Note that the CachedLogonsCount is a number indicating for how many
users the computer should remember cached credentials for, and not
how many times a user can log on with cached credentials in a row
(because that is unlimited and cannot be changed)...
More here:
Microsoft Windows 2000 Security Hardening Guide
Chapter 5 - Security Configuration
http://www.microsoft.com/technet/security/prodtech/win2000/win2khg/05sconfg.mspx
<quote>
Disable Caching of Logon Information
Security Objective: Windows 2000 has the capability to cache logon
information. If the Domain Controller cannot be found during logon
and the user has logged on to the system in the past, it can use
those credentials to log on. This is extremely useful, for example,
on portable computers, which need to be used when the user is away
from the network. The CachedLogonsCount Registry value determines
how many user account entries Windows 2000 saves in the logon cache
on the local computer. The logon cache is a secured area of the
computer and the credentials are protected using the strongest form
of encryption available on the system. If the value of this entry
is 0, Windows 2000 does not save any user account data in the logon
cache. In that case, if the user's Domain Controller is not
available and a user tries to log on to a computer that does not
have the user's account information, Windows 2000 displays the
following message:
The system cannot log you on now because the domain <Domain-name>
is not available.
If the Administrator disables a user's domain account, the user
could still use the cache to log on by disconnecting the net cable.
To prevent this, Administrators may disable the caching of logon
information. The default setting allows caching of 10 sets of
credentials.
Recommendation: Set this to at least 2 to ensure that the system
is usable while the domain controllers are down or unavailable.
</quote>
--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of the
1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
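As an added example (not part of the original thread or of Microsoft's guide), the following PowerShell script reads and interprets the CachedLogonsCount value discussed above. It assumes the standard Winlogon registry path, that the value is stored as a string, and that a missing value means the built-in default of 10; the threshold of 2 and the semantics (entries per user account, not a per-user logon counter) come from the post itself. PowerShell postdates the Windows 2000 era of this thread; the value itself is still used by current Windows versions.

```powershell
# Added example (not from the original post): audit the CachedLogonsCount
# setting. Assumes the standard Winlogon key and REG_SZ storage; run from an
# account that can read HKLM.

function Get-CachedLogonsSetting {
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    $item = Get-ItemProperty -Path $KeyPath -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: Windows applies the built-in default of 10 entries.
        return [pscustomobject]@{ Configured = $false; Count = 10 }
    }
    # The value is stored as a string (REG_SZ), so convert it explicitly.
    return [pscustomobject]@{ Configured = $true; Count = [int]$item.CachedLogonsCount }
}

function Test-CachedLogonsSetting {
    param([int]$Count)
    # The number is how many distinct domain user accounts keep a cached
    # credential entry; each of those users can log on offline an unlimited
    # number of times while the entry exists.
    if ($Count -eq 0) {
        return 'Caching disabled: domain logons require a reachable domain controller.'
    }
    if ($Count -lt 2) {
        return "Only $Count cached entry: below the guide's recommended minimum of 2."
    }
    return "Caching enabled for the last $Count domain user accounts (unlimited offline logons each)."
}

function Set-CachedLogonsCount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][ValidateRange(0, 50)][int]$Count,
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    # Writes the value as a string, matching the type Windows expects.
    # Requires an elevated session; use -WhatIf to preview the change.
    if ($PSCmdlet.ShouldProcess($KeyPath, "Set CachedLogonsCount to $Count")) {
        Set-ItemProperty -Path $KeyPath -Name 'CachedLogonsCount' -Value "$Count" -Type String
    }
}

$setting = Get-CachedLogonsSetting
"CachedLogonsCount explicitly configured: $($setting.Configured)"
"Effective value: $($setting.Count)"
Test-CachedLogonsSetting -Count $setting.Count
# Example of disabling caching on a machine that never leaves the network:
# Set-CachedLogonsCount -Count 0 -WhatIf
```

The audit runs read-only; `Set-CachedLogonsCount` only writes when called explicitly and honours `-WhatIf`. The 0 to 50 range enforced on the parameter is the range the corresponding Group Policy setting accepts.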