Re: Re: cached logons

From: cmgrider (UseLinkToEmail_at_WindowsForumz.com)
Date: 07/23/05


Date: 22 Jul 2005 19:37:19 -0400


"" wrote:
> Thanks for the reply. The described behavior is what I understood to be the
> case. But I have an on-the-road user reporting that her cached logon is not
> allowing access to a laptop (and I have had other users in the past report an
> inability to log on locally to laptops that they have logged onto fairly
> recently). The user currently unable to log on to a laptop logged onto the
> laptop in question 1-2 weeks ago, and ten unique users definitely haven't
> logged onto the machine in the interim.
> Any known causes of cached logons not allowing access?
>
> "Torgeir Bakken (MVP)" wrote:
>
> > pdx wrote:
> >
> > > When tracking the 10 cached logons, does XP count logons by the same user
> > > against the 10? I ask because a remote user who checked out one of our loaner
> > > laptops reports - from the road - that she can't log on with her credentials.
> > > She used this same laptop recently and 10 unique users definitely haven't
> > > logged onto the machine in the interim. A different user, who had the laptop
> > > in the interim, did log on at least ten times.
> > Hi,
> >
> > The CachedLogonsCount is a number indicating for how many users
> > the computer should remember cached credentials for, and not
> > how many times a user can log on with cached credentials in a row
> > (because that is unlimited and cannot be changed)...
> >
> > Windows will remember the 10 most *recent* logon attempts (for
> > different users), this way it is the oldest logon cache entries that
> > will be purged when the allowed number is surpassed.
> >
> >
> > More here:
> >
> > Microsoft Windows 2000 Security Hardening Guide
> > Chapter 5 - Security Configuration
> > http://www.microsoft.com/technet/security/prodtech/win2000/win2khg/05sconfg.mspx
> >
> > <quote>
> > Disable Caching of Logon Information
> >
> > Security Objective: Windows 2000 has the capability to cache logon
> > information. If the Domain Controller cannot be found during logon
> > and the user has logged on to the system in the past, it can use
> > those credentials to log on. This is extremely useful, for example,
> > on portable computers, which need to be used when the user is away
> > from the network. The CachedLogonsCount Registry value determines
> > how many user account entries Windows 2000 saves in the logon cache
> > on the local computer. The logon cache is a secured area of the
> > computer and the credentials are protected using the strongest form
> > of encryption available on the system. If the value of this entry
> > is 0, Windows 2000 does not save any user account data in the logon
> > cache. In that case, if the user's Domain Controller is not
> > available and a user tries to log on to a computer that does not
> > have the user's account information, Windows 2000 displays the
> > following message:
> >
> > The system cannot log you on now because the domain <Domain-name>
> > is not available.
> >
> > If the Administrator disables a user's domain account, the user
> > could still use the cache to log on by disconnecting the net cable.
> > To prevent this, Administrators may disable the caching of logon
> > information. The default setting allows caching of 10 sets of
> > credentials.
> >
> > Recommendation: Set this to at least 2 to ensure that the system
> > is usable while the domain controllers are down or unavailable.
> > </quote>
> >
> >
> > --
> > torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
> > Administration scripting examples and an ONLINE version of
> > the 1328 page Scripting Guide:
> > http://www.microsoft.com/technet/scriptcenter/default.mspx
> >

Did you ever find a resolution? I have been having similar issues
with Windows 2000 SP4 remote PCs and laptops for about 2 months.
My open case with Microsoft has resulted in nothing so far.

-- 
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Security-Admin-cached-logons-ftopict393705.html
Visit Topic URL to contact author (reg. req'd).  Report abuse: http://www.windowsforumz.com/eform.php?p=1316738
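
Added example, not part of the thread: a small Python model of the cache rule as the quoted reply and hardening guide describe it (one entry per distinct user, oldest entry purged, 0 disables caching), replaying the loaner-laptop scenario. The class, function and user names are hypothetical, and this models the described rule only, not Windows' actual implementation.

```python
from collections import OrderedDict


class LogonCache:
    """Model of the cached-logon rule described in the thread (assumption, not Windows code)."""

    def __init__(self, cached_logons_count=10):
        self.limit = cached_logons_count  # stands in for CachedLogonsCount
        self.entries = OrderedDict()      # user -> domain logon count, oldest first

    def domain_logon(self, user):
        """Logon validated by a domain controller: create or refresh the user's entry."""
        if self.limit == 0:
            return  # value 0: no account data is saved in the cache
        self.entries[user] = self.entries.get(user, 0) + 1
        self.entries.move_to_end(user)  # this user is now the most recent
        while len(self.entries) > self.limit:
            self.entries.popitem(last=False)  # purge the oldest distinct user

    def offline_logon(self, user):
        """No domain controller reachable: succeeds only if an entry survives.
        The domain is not consulted, so a since-disabled account still passes."""
        return user in self.entries


def thread_scenario():
    """The traveller logs on once, then one other user logs on ten times."""
    cache = LogonCache(10)
    cache.domain_logon("traveller")       # constructed user names
    for _ in range(10):
        cache.domain_logon("interim_user")
    return cache.offline_logon("traveller"), len(cache.entries)


def eviction_scenario():
    """The traveller logs on once, then ten *different* users log on."""
    cache = LogonCache(10)
    cache.domain_logon("traveller")
    for i in range(10):
        cache.domain_logon(f"user{i}")
    return cache.offline_logon("traveller"), cache.offline_logon("user0")


def caching_disabled_scenario():
    """CachedLogonsCount = 0: a prior domain logon leaves nothing to fall back on."""
    cache = LogonCache(0)
    cache.domain_logon("traveller")
    return cache.offline_logon("traveller")
```

Under this rule the traveller's entry survives ten logons by a single interim user, so repeated logons by one account cannot by themselves explain the failure reported in the thread.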