Windows operating systems, including 2000, XP, and 2003, cache the logon credentials for the last 10 users. This allows for the user to re-logon at a later date even if the domain controller cannot be accessed at the time of logon. While this does represent a fault tolerance to DC downtime and network congestion, it is a poor state of security. When users are logged on using cached credentials, they are using out-of-date security credentials....
New group memberships, changes to GPOs, changes to user rights, etc. are not applied. This is a serious threat to any truly secured environment.
To disable cached credentials, simply alter the appropriate GPOs so that every system in the environment has the Computer Configuration, Windows Setting, Local Policy, Security Options control of "Interactive Logon: Number of previous logons to cache (in case domain controller is not available)" to 0 logons (from the default of 10).
Another important issue in regards to cached logons is unlocking a workstation. A workstation can become locked if the screen saver requires the user's password to resume to the desktop or if the Lock Computer command from the Task Manager's Shutdown menu or the logoff dialog box is used. In either case, the default is for the local system to verify the user's password based upon cached credentials. Even if the system is configured not to retain cached credentials, the currently logged on user's credentials are cached in active memory because the user is logged onto the workstation. Just as with the issue of domain logon via cached credentials, if a workstation is unlocked using cached credentials, a domain controller is not consulted.
To force the workstation to consult a domain controller when unlocking, set the Computer Configuration, Windows Setting, Local Policy, Security Options control of "Interactive Logon: Require Domain Controller authentication to unlock workstation" to Enabled.
It should be obvious that while these settings are important for domain users in general, they are especially important for administrative level user accounts. In a truly secure environment, any time a logon event occurs (including unlocking a workstation) you want a domain controller to be contacted. Relying upon cached credentials may be more efficient, but it is not more secure.
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.