Re: Does the ability to use cached logon expire?
From: Admiral Q (Star_Fleet_Admiral_Q(NOSPAM)_at_(SPAMNOT)hotmail.com)
Date: 02/04/05
- Next message: That Bloke: "launch"
- Previous message: Jupiter Jones [MVP]: "Re: windows update error messages"
- In reply to: Torgeir Bakken \(MVP\): "Re: Does the ability to use cached logon expire?"
- Next in thread: Rebecca Chen [MSFT]: "RE: Does the ability to use cached logon expire?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 3 Feb 2005 20:11:31 -0500
I be danged - I stand corrected - thanks.
--
Star Fleet Admiral Q @ your service!
"Google is your Friend!"
www.google.com
***********************************************
"Torgeir Bakken (MVP)" <Torgeir.Bakken-spam@hydro.com> wrote in message
news:#DcwyjdCFHA.2232@TK2MSFTNGP14.phx.gbl...
> Admiral Q wrote:
>
> > Yes, once they've logged on 10 times with the "cached"
> > credentials, they need to log on to the Domain to reset it.
> Hi
>
> That is incorrect.
>
> Note that the CachedLogonsCount is a number indicating for how many
> users the computer should remember cached credentials for, and not
> how many times a user can log on with cached credentials in a row
> (because that is unlimited and cannot be changed)...
>
>
> More here:
>
> Microsoft Windows 2000 Security Hardening Guide
> Chapter 5 - Security Configuration
> http://www.microsoft.com/technet/security/prodtech/win2000/win2khg/05sconfg.mspx
>
> <quote>
> Disable Caching of Logon Information
>
> Security Objective: Windows 2000 has the capability to cache logon
> information. If the Domain Controller cannot be found during logon
> and the user has logged on to the system in the past, it can use
> those credentials to log on. This is extremely useful, for example,
> on portable computers, which need to be used when the user is away
> from the network. The CachedLogonsCount Registry value determines
> how many user account entries Windows 2000 saves in the logon cache
> on the local computer. The logon cache is a secured area of the
> computer and the credentials are protected using the strongest form
> of encryption available on the system. If the value of this entry
> is 0, Windows 2000 does not save any user account data in the logon
> cache. In that case, if the user's Domain Controller is not
> available and a user tries to log on to a computer that does not
> have the user's account information, Windows 2000 displays the
> following message:
>
> The system cannot log you on now because the domain <Domain-name>
> is not available.
>
> If the Administrator disables a user's domain account, the user
> could still use the cache to log on by disconnecting the net cable.
> To prevent this, Administrators may disable the caching of logon
> information. The default setting allows caching of 10 sets of
> credentials.
>
> Recommendation: Set this to at least 2 to ensure that the system
> is usable while the domain controllers are down or unavailable.
> </quote>
>
>
>
> --
> torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
> Administration scripting examples and an ONLINE version of
> the 1328 page Scripting Guide:
> http://www.microsoft.com/technet/scriptcenter/default.mspx
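
An added example, not part of the thread or of Microsoft's guide: a Python check that reads CachedLogonsCount from a security-template export and classifies it by the guidance quoted above. The Winlogon key path, the secedit-style `[Registry Values]` line format, the function names and the sample text are assumptions of this example and do not appear in the posts.

```python
import re

# Key path and INF line format are assumptions of this example; only the
# value name CachedLogonsCount comes from the thread.
VALUE_RE = re.compile(
    r'^MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon'
    r'\\CachedLogonsCount\s*=\s*\d+\s*,\s*"?(\d+)"?\s*$',
    re.IGNORECASE,
)

# Constructed sample of an exported security template (not real output).
SAMPLE = r'''[Unicode]
Unicode=yes
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
[Version]
signature="$CHICAGO$"
'''


def cached_logons_count(template_text):
    """Return the configured count, or None if the template does not set it."""
    in_section = False
    for raw in template_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Only lines under [Registry Values] are registry settings.
            in_section = line.lower() == "[registry values]"
        elif in_section:
            match = VALUE_RE.match(line)
            if match:
                return int(match.group(1))
    return None


def assess(template_text):
    """Classify the setting using the guidance quoted in the thread."""
    count = cached_logons_count(template_text)
    if count is None:
        return (None, "CachedLogonsCount is not defined in this template")
    if count == 0:
        return (0, "caching disabled: no logon while the domain controller is unreachable")
    if count < 2:
        return (count, "below the guide's recommended minimum of 2")
    # The count limits how many accounts are remembered, not how often
    # one of them may log on from the cache.
    return (count, f"credentials cached for up to {count} accounts, with no limit on reuse")


if __name__ == "__main__":
    print(assess(SAMPLE))
```

A disabled domain account that is still among the cached entries is not affected by this number, which is why the quoted guide offers 0 as the way to rule that case out.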