Does the ability to use cached logon expire?

Archived from groups: microsoft.public.windowsxp.security_admin

Hello,

Some of my laptop users claim that they can not use cached logons. I've
checked the config in AD and in the registry on the laptop; it defaults to 10.

Any tips?

Thx
  1. Archived from groups: microsoft.public.windowsxp.security_admin

    Yes, once they've logged on 10 times with the "cached" credentials, they
    need to log on to the Domain to reset it.

    --
    Star Fleet Admiral Q @ your service!
    "Google is your Friend!"
    www.google.com

    ***********************************************

  2. Archived from groups: microsoft.public.windowsxp.security_admin

    Hello,

    Do you refer to the CachedLogonsCount in the registry key? You can change
    the number of previous logon attempts that a server will cache. By default,
    Windows NT will remember the 10 most recent logon attempts. The valid range
    of values for this parameter is 0 to 50. A value of 0 turns off logon
    caching and any value above 50 will only cache 50 logon attempts.

    In other words, if you set the key to 10, the server will allow 10 user
    accounts to remember the cache information; however, the 11th user account
    cannot use the cached mode to log on since it exceeds the maximum number of
    user accounts who are permitted to use cached logon.

    Therefore, you can increase the key to 50 to allow 50 user accounts to use
    cached logon.

    For more details, please refer to the following article:

    Cached Logon Information
    http://support.microsoft.com/?id=172931

    As Admiral said "they've logged on 10 times with the "cached"
    credentials", I guess you may have referred to the Help and Support Center,
    which explains the "Interactive Logon" setting as follows:

    "Determines the number of times a user can log on to a Windows domain using
    cached account information".

    I believe this has misled you to believe 10 refers to the 10 times after
    the user attempts to log on. I am sorry to say the Help and Support Center
    has incorrectly addressed this explanation. This has not been updated;
    however, we have a published KB article to correct this.

    The following is the correct version of the first sentence of the Help
    topic that is described in the "Symptoms" section:
    Determines the number of different unique users who can log on to a Windows
    domain by using cached account information.

    For more details, please refer to the following article:
    "Interactive Logon: Number of Previous Logons to Cache" Help Topic Contains
    Incorrect Information
    http://support.microsoft.com/?id=825805

    Any update, let us get in touch!

    Best regards,

    Rebecca Chen

    MCSE2000 MCDBA CCNA


    Microsoft Online Partner Support
    Get Secure! - www.microsoft.com/security

    =====================================================

    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.

    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
  3. Archived from groups: microsoft.public.windowsxp.security_admin

    Admiral Q wrote:

    > Yes, once they've logged on 10 times with the "cached"
    > credentials, they need to log on to the Domain to reset it.
    Hi

    That is incorrect.

    Note that the CachedLogonsCount is a number indicating for how many
    users the computer should remember cached credentials for, and not
    how many times a user can log on with cached credentials in a row
    (because that is unlimited and cannot be changed)...


    More here:

    Microsoft Windows 2000 Security Hardening Guide
    Chapter 5 - Security Configuration
    http://www.microsoft.com/technet/security/prodtech/win2000/win2khg/05sconfg.mspx

    <quote>
    Disable Caching of Logon Information

    Security Objective: Windows 2000 has the capability to cache logon
    information. If the Domain Controller cannot be found during logon
    and the user has logged on to the system in the past, it can use
    those credentials to log on. This is extremely useful, for example,
    on portable computers, which need to be used when the user is away
    from the network. The CachedLogonsCount Registry value determines
    how many user account entries Windows 2000 saves in the logon cache
    on the local computer. The logon cache is a secured area of the
    computer and the credentials are protected using the strongest form
    of encryption available on the system. If the value of this entry
    is 0, Windows 2000 does not save any user account data in the logon
    cache. In that case, if the user's Domain Controller is not
    available and a user tries to log on to a computer that does not
    have the user's account information, Windows 2000 displays the
    following message:

    The system cannot log you on now because the domain <Domain-name>
    is not available.

    If the Administrator disables a user's domain account, the user
    could still use the cache to log on by disconnecting the net cable.
    To prevent this, Administrators may disable the caching of logon
    information. The default setting allows caching of 10 sets of
    credentials.

    Recommendation: Set this to at least 2 to ensure that the system
    is usable while the domain controllers are down or unavailable.
    </quote>


    --
    torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
    Administration scripting examples and an ONLINE version of
    the 1328 page Scripting Guide:
    http://www.microsoft.com/technet/scriptcenter/default.mspx
  4. Archived from groups: microsoft.public.windowsxp.security_admin

    Hello,

    So what this means is that (with a value of 10 for CachedLogonsCount) only
    the first 10 users who have ever logged in to that machine can use cached
    credentials to log on to that machine. Number 11 is out of luck. And may I
    conclude that those first 10 users can log in with cached credentials
    indefinitely? I believe this is the case. What happened is that some of our
    mobile users claim that they have logged in to the laptop a fortnight ago,
    after them perhaps a dozen people logged in (common laptop for application
    intervention across the country) and that after that they could no longer
    log in, which is a scenario that I think should not happen. I think that
    since he was one of the first 10 to log on to the laptop he should be able to
    log in using cached credentials. Hence my question whether the ability to use
    cached credentials can expire.

    Thanks to both of you for your help, I appreciate it.


  5. Archived from groups: microsoft.public.windowsxp.security_admin

    workinghard@news.postalias wrote:

    > Hello,
    >
    > So what this means is that (with a value of 10 for CachedLogonsCount) only
    > the first 10 users who have ever logged in to that machine use cached
    > credentials to logon to that machine. Number 11 is out of luck. And may I
    > conlcude that those first 10 users can log in with cached credentials
    > indefinitly? I believe this is the case.
    Hi

    I would think Windows will remember the 10 most *recent* logon
    attempts (for different users), this way it is the oldest logon
    cache entries that will be purged when the allowed number is
    surpassed.


    --
    torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
    Administration scripting examples and an ONLINE version of
    the 1328 page Scripting Guide:
    http://www.microsoft.com/technet/scriptcenter/default.mspx
  6. Archived from groups: microsoft.public.windowsxp.security_admin

    I be danged - I stand corrected - thanks.

    --
    Star Fleet Admiral Q @ your service!
    "Google is your Friend!"
    www.google.com

    ***********************************************

  7. Archived from groups: microsoft.public.windowsxp.security_admin

    Thank you Torgeir. Your input is, as always, appreciated. Can we get
    confirmation on this issue?


  8. Archived from groups: microsoft.public.windowsxp.security_admin

    Torgeir's understanding is correct: the system caches the 10 most *recent*
    logon attempts (for different users), i.e. the last 10 users. Therefore,
    it follows FIFO, which means the 11th user will cause the 1st user's cache
    entry to be purged.

    HTH!

    Best regards,

    Rebecca Chen

    MCSE2000 MCDBA CCNA


    Microsoft Online Partner Support
    Get Secure! - www.microsoft.com/security

    =====================================================

    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.

    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
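To make the cache semantics settled in this thread concrete, here is an added model (not code from the newsgroup or from Microsoft) of CachedLogonsCount as a bounded per-user cache with oldest-entry eviction. The user names are constructed, and the detail that a fresh domain logon by an already-cached user refreshes that user's entry is an assumption layered on the "most recent users" description above.

```python
from collections import OrderedDict

DEFAULT_CACHED_LOGONS = 10   # Windows default discussed in the thread
MAX_CACHED_LOGONS = 50       # values above 50 only cache 50 (KB 172931)


class LogonCacheModel:
    """Toy model of a machine's cache of domain logon secrets.

    One entry per distinct user; when the cache is full the oldest entry is
    purged (the FIFO behaviour the thread settles on). Assumption, not stated
    on the page: a fresh domain logon by an already-cached user moves that
    user's entry to "most recent".
    """

    def __init__(self, cached_logons_count=DEFAULT_CACHED_LOGONS):
        # 0 disables caching entirely; anything above 50 behaves like 50.
        self.capacity = min(max(cached_logons_count, 0), MAX_CACHED_LOGONS)
        self._entries = OrderedDict()   # user -> True, kept in recency order

    def domain_logon(self, user):
        """Successful logon against a domain controller: (re)cache the user."""
        if self.capacity == 0:
            return
        if user in self._entries:
            self._entries.move_to_end(user)
            return
        if len(self._entries) >= self.capacity:
            self._entries.popitem(last=False)   # evict the oldest user
        self._entries[user] = True

    def can_logon_offline(self, user):
        """Cached logon with the DC unreachable: succeeds whenever an entry
        exists, however many times it is used (no per-user counter)."""
        return user in self._entries

    def cached_users(self):
        return list(self._entries)


def shared_laptop_scenario(cached_logons_count=DEFAULT_CACHED_LOGONS,
                           later_users=12):
    """The poster's case: one engineer logs on, then a dozen colleagues use
    the same laptop before the engineer tries to log on offline again."""
    cache = LogonCacheModel(cached_logons_count)
    cache.domain_logon("engineer1")            # constructed user names
    for i in range(later_users):
        cache.domain_logon(f"colleague{i}")
    return cache.can_logon_offline("engineer1")
```

With the default of 10, a dozen later users evict the engineer's entry; raising the value to 50, as suggested above, keeps it.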