Re: Re: cached logons

From: cmgrider (UseLinkToEmail_at_WindowsForumz.com)
Date: 07/23/05


Date: 22 Jul 2005 19:37:19 -0400


"" wrote:
> Thanks for the reply. The described behavior is what I
> understood to be the
> case. But I have an on-the-road user reporting that her cached
> logon is not
> allowing access to a laptop (and I have had other users in the
> past report an
> inability to log on locally to laptops that they have logged
> onto fairly
> recently). The user currently unable to logon to a laptop,
> logged onto the
> laptop in question 1-2 weeks ago and ten unique users
> definitely haven't
> logged onto the machine in the interim.
> Any knows causes of cached logons not allowing access?
>
> "Torgeir Bakken (MVP)" wrote:
>
> > pdx wrote:
> >
> > > When tracking the the 10 cached logons, does XP count
> logons by the same user
> > > against the 10? I ask because a remote user who checked
> out one of our loaner
> > > laptops reports - from the road - that she can't logon
> with her credentials.
> > > She used this same laptop recently and 10 unique users
> definitely haven't
> > > logged onto the machine in the interim. A different user,
> who had the laptop
> > > in the interim, did log on at least ten times.
> > Hi,
> >
> > The CachedLogonsCount is a number indicating for how many
> users
> > the computer should remember cached credentials for, and not
> > how many times a user can log on with cached credentials in
> a row
> > (because that is unlimited and cannot be changed)...
> >
> > Windows will remember the 10 most *recent* logon attempts
> (for
> > different users), this way it is the oldest logon cache
> entries that
> > will be purged when the allowed number is surpassed.
> >
> >
> > More here:
> >
> > Microsoft Windows 2000 Security Hardening Guide
> > Chapter 5 - Security Configuration
> > http://www.microsoft.com/technet/security/prodtech/win2000/win2khg/05sconfg.mspx
> >
> > <quote>
> > Disable Caching of Logon Information
> >
> > Security Objective: Windows 2000 has the capability to cache
> logon
> > information. If the Domain Controller cannot be found during
> logon
> > and the user has logged on to the system in the past, it can
> use
> > those credentials to log on. This is extremely useful, for
> example,
> > on portable computers, which need to be used when the user
> is away
> > from the network. The CachedLogonsCount Registry valued
> determines
> > how many user account entries Windows 2000 saves in the
> logon cache
> > on the local computer. The logon cache is a secured area of
> the
> > computer and the credentials are protected using the
> strongest form
> > of encryption available on the system. If the value of this
> entry
> > is 0, Windows 2000 does not save any user account data in
> the logon
> > cache. In that case, if the user's Domain Controller is not
> > available and a user tries to log on to a computer that does
> not
> > have the user's account information, Windows 2000 displays
> the
> > following message:
> >
> > The system cannot log you on now because the domain
> <Domain-name>
> > is not available.
> >
> > If the Administrator disables a user's domain account, the
> user
> > could still use the cache to log on by disconnecting the net
> cable.
> > To prevent this, Administrators may disable the caching of
> logon
> > information. The default setting allows caching of 10 sets
> of
> > credentials.
> >
> > Recommendation: Set this to at least 2 to ensure that the
> system
> > is usable while the domain controllers are down or
> unavailable.
> > </quote>
> >
> >
> > --
> > torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
> > Administration scripting examples and an ONLINE version of
> > the 1328 page Scripting Guide:
> > http://www.microsoft.com/technet/scriptcenter/default.mspx
> >

Did you ever find a resolution? I have been having similar issues
with Windows 2000 SP4 remote PC’a and Laptops for about 2 months.
My open case with microsoft has resulted in nothing so far.

-- 
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Security-Admin-cached-logons-ftopict393705.html
Visit Topic URL to contact author (reg. req'd).  Report abuse: http://www.windowsforumz.com/eform.php?p=1316738


Relevant Pages

  • Re: Secure workgroups!
    ... You have mobile laptops involved here, most cracks tend to come from inside ... allow access once they join the Wireless network. ... Have you installed a modern VPN client lately? ... VPN/AD logon from bootup, even with dial-up. ...
    (microsoft.public.security)
  • Re: Require Password Change for Users With Laptops Not Joined to D
    ... own the laptops, we don't have them join the domain. ... The users will have to logon to a computer that is connected to the domain ... they will get a popup message requiring them to change ...
    (microsoft.public.windows.server.general)
  • Laptops stoped caching domain logon credentials....
    ... We have two laptops that the users were able to logon to while they were ... not connected to the domain by using thier cached domain credentials. ... these two users were unable to do so and had to logon to the laptop ... using a local account we creadted for them. ...
    (microsoft.public.win2000.general)
  • Re: Locking down a Local User in XP Pro Sp 1
    ... needed to logon with the cached credentials. ... You could also test this by physically disconnecting a PC from the network ... I've been able to use this with laptops in the past. ... > It is fine when they are connected to the Network as the Domain Policy is ...
    (microsoft.public.windows.group_policy)
  • Re: Connecting Client Computers to a Domain
    ... When away from the office the logon process uses 'cached credentials'. ... is limited in the number of logons that may occur before again connecting to ... the network but most people connect to the network frequently enough to not ... I have laptops which spend significant amounts of time out of the ...
    (microsoft.public.windows.server.sbs)