Cached Logon Count problem

Archived from groups: microsoft.public.win2000.security

I am preventing users from logging onto a non-network-connected
computer by changing the value of cachedlogonscount (in
hklm\software\microsoft\windowsnt\current version\winlogon) to 0.

This works fine after a reboot - but I have a problem when I try to
change the value back to 10 (so that the cached credentials will work
again). The problem is that I still can't log on - I get the message
"The system cannot log you on now because the domain <DOMAIN_NAME> is
not available." I have tried rebooting and I have tried logging onto
the network and then changing the value (then rebooting) but when I
disconnect from the network again, it won't let me in.

Is there another place I should look or any additional steps I should
try ?

Thanks a lot.
  1.

    Try also configuring it in Local Security Policy via secpol.msc on the
    computer you are trying to configure cached logons for. Go to security
    settings/local policies/security options and configure the security option
    for number of previous logons to cache. Then reboot and try again. If it
    still does not work, look in Local Security Policy again to see if the local
    and effective settings are the same. If they are not then you may have a
    domain/OU policy overriding local policy assuming your computer is in a
    domain. --- Steve
  2.

    Hi Steve, thanks for the note.

    I tried your suggestion already - but all that the GPO setting does is
    change the value of the registry key I mentioned before.

    I think I found the reason for this behaviour though... Once I set the
    value (of cachedlogonscount) to 0, it wipes out the cache information
    in HKLM\security\cache. This prevents people from logging on with
    cached credentials. However, when I reset the value of
    cachedlogonscount, it does not restore the previous values into
    HKLM\security\cached - all it does is allow new values to be placed in
    there. So in my scenario the user has to log on twice - once to change
    the value of cachedlogonscount, then a second time (after reboot) to
    re-cache their credentials.

    For the project I am working on, I got around this by editing the
    values in HKLM\security\cache directly. To prevent them from continuing
    to use cached credentials, I delete all the values under that key
    (effectively wiping out the credential information). The next time they
    log on successfully (which now means they have to authenticate with the
    domain because they have no cached credentials), the credentials can be
    recached without a problem, since I never changed the cachedlogonscount
    in the first place.

    So - this has allowed me to design a service that can track how long
    users have been 'off' the domain, and if they have been away too long,
    the service can force them to reauthenticate by preventing them from
    using the cached credentials.

    // Cam
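
    The approach described in the post above, sketched in PowerShell for a current Windows host as an added example (not part of the original post and not Cam's service). The state-file path, the 14-day limit and the function names are hypothetical, and it assumes, as the post reports, that removing the values under HKLM\SECURITY\Cache is enough to force the next logon to go to the domain.

```powershell
# Added example. Must run as LocalSystem (for example as a service or a
# scheduled task): HKLM\SECURITY is not accessible to ordinary administrators.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$CacheKey    = 'HKLM:\SECURITY\Cache'
$StateFile   = 'C:\ProgramData\OfflineGuard\last-domain-contact.txt'  # hypothetical path
$MaxOffline  = New-TimeSpan -Days 14                                   # hypothetical limit

function Test-OfflineTooLong {
    # True when the machine has gone longer than $Limit without domain contact.
    param([datetime]$LastContact, [datetime]$Now, [timespan]$Limit)
    return ($Now - $LastContact) -gt $Limit
}

function Clear-LogonCache {
    # Deletes every value under the cache key, as the post describes.
    # Supports -WhatIf so the effect can be reviewed before anything is removed.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $CacheKey)
    $names = @((Get-Item -LiteralPath $Path).Property)
    foreach ($name in $names) {
        if ($PSCmdlet.ShouldProcess("$Path\$name", 'Remove cached logon value')) {
            Remove-ItemProperty -LiteralPath $Path -Name $name
        }
    }
    return $names.Count
}

# CachedLogonsCount is only read, never changed, so re-caching works at once
# after the next successful domain logon.
$count = (Get-ItemProperty -LiteralPath $WinlogonKey).CachedLogonsCount
if ($null -ne $count -and [int]$count -eq 0) {
    Write-Warning 'CachedLogonsCount is 0: nothing will be re-cached after a domain logon.'
}

if (Test-ComputerSecureChannel) {
    # A domain controller is reachable: record the time of contact (UTC, ISO 8601).
    New-Item -ItemType Directory -Force -Path (Split-Path $StateFile) | Out-Null
    (Get-Date).ToUniversalTime().ToString('o') | Set-Content -LiteralPath $StateFile
}
elseif (Test-Path -LiteralPath $StateFile) {
    # Offline: compare the last recorded contact against the limit.
    $text = Get-Content -LiteralPath $StateFile -TotalCount 1
    $last = [datetime]::Parse($text, $null, 'RoundtripKind')
    if (Test-OfflineTooLong -LastContact $last -Now (Get-Date).ToUniversalTime() -Limit $MaxOffline) {
        $removed = Clear-LogonCache
        Write-Output "Offline limit exceeded; removed $removed cached logon value(s)."
    }
}
```

    Running `Clear-LogonCache -WhatIf` first lists the values that would be removed without deleting anything.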
  3.

    Glad to hear you got it worked out and thanks for letting me know how you
    did it! --- Steve