Windows 2000 and cached credentials

By default, Windows 2000 records and retains the user profile and access credentials for the last 10 users to locally log into that system. This recorded data is known as cached credentials. It is built into Windows as a fault-tolerance mechanism to allow users to gain access to their desktops in the event they are unable to communicate with the domain controller. Read that last sentence again, and tell me why that statement is a very poor security policy.

If you are on your toes, you should realize that if a system cannot communicate with the domain controller, your security restrictions might not be applied. The cached credentials record the state of GPOs and the user account's access token at the time of the last logon. If any of this has changed, but the user's cached credentials are used instead of the updated credentials from the domain controller, then your security is not being enforced as you are expecting it to be.

In addition to applying stale GPOs, a cached logon does not connect the user's home folder and does not run logon scripts.

Usually, when cached credentials are used by the system, you will see an error message appear between your logon and the display of the desktop. If you are not sure whether you are operating from DC authentication or cached credentials, issue the "SET LOGONSERVER" command from a command prompt to review the name of the authentication system. If the result is the local system's own name, you are using your cached credentials. The use of cached logons is also recorded in the System log of the Event Viewer with an event ID of 5719.

If you choose to disable cached credentials, any client that is unable to communicate with a domain controller will not be able to log on to the domain. A user can still perform a local logon if they have a local user account (on most networks users do not have local accounts). While this may sound like a disadvantage, at least from a user's perspective, it is a much more secure configuration.

When disabling cached credentials, change the setting in the domain's GPO under the Security Options section as well as editing each system's Registry, since a Registry change alone is overwritten the next time the GPO is applied. Both the CachedLogonsCount Registry value and the GPO policy should be set to 0 to disable cached logons.
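An audit script for the checks and the Registry change described above, added here as an example (it is not from the original tip or from TechNet). It assumes a current Windows host with PowerShell, reads CachedLogonsCount at its documented Winlogon location, checks LOGONSERVER and event ID 5719 as the tip describes, and only writes the value when run elevated with -Disable:

```powershell
# Audit (and optionally disable) cached domain logons on the local machine.
# Added example, not part of the original tip; assumes a current Windows host
# with PowerShell. Run elevated to change the value.
param([switch]$Disable)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# CachedLogonsCount is a REG_SZ string; when absent, Windows uses its default of 10.
$current = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
    -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $current) { $current = '10 (default, value not set)' }
Write-Host "CachedLogonsCount: $current"

# Which system authenticated this session? The local machine's own name (or an
# empty value) means the logon was local or served from cached credentials.
$logonServer = $env:LOGONSERVER -replace '^\\\\', ''
if ([string]::IsNullOrEmpty($logonServer) -or $logonServer -ieq $env:COMPUTERNAME) {
    Write-Warning "Logon server is '$logonServer': not authenticated by a domain controller."
} else {
    Write-Host "Authenticated by domain controller: $logonServer"
}

# NETLOGON event 5719 in the System log records that no domain controller could
# be reached, which is when a logon falls back to cached credentials.
$fallbacks = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5719 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue
if ($fallbacks) {
    Write-Host 'Recent event 5719 entries (domain controller unreachable):'
    $fallbacks | Select-Object TimeCreated, ProviderName | Format-Table -AutoSize
}

if ($Disable) {
    # 0 disables cached logons. Set the matching GPO policy as well
    # ("Interactive logon: Number of previous logons to cache" under
    # Security Options), or the next policy refresh restores the old value.
    Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value '0' -Type String
    Write-Host 'CachedLogonsCount set to 0; logon now requires a reachable domain controller.'
}
```

Run it without -Disable first on a few machines to see how often event 5719 actually occurs before you cut off cached logons for users who roam off the network.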

For more information on this issue, search TechNet for the keywords "cached credentials" or the knowledge base document Q242536.

This was first published in February 2002
