
Windows 2000 and cached credentials

Cached credentials in Win2k can be a security hazard. Learn more in this Tech Tip.

By default, Windows 2000 records and retains the user profile and access credentials for the last 10 users to locally log into that system. This recorded data is known as cached credentials. It is built into Windows as a fault-tolerance mechanism to allow users to gain access to their desktops in the event they are unable to communicate with the domain controller. Read that last sentence again, and tell me why that statement is a very poor security policy.

If you are on your toes, you should realize that if a system cannot communicate with the domain controller, your security restrictions might not be applied. The cached credentials record the state of GPOs and the user account's access token at the time of the last logon. If any of this has changed, but the user's cached credentials are used instead of the updated credentials from the domain controller, then your security is not being enforced as you are expecting it to be.

In addition to running with stale GPOs, a user logged on with cached credentials cannot reach their network home folders, and their logon scripts are not executed.

Usually, when cached credentials are used by the system, you will see an error message appear between your logon and the display of the desktop. If you are not sure whether you are operating from DC authentication or cached credentials, issue the "SET LOGONSERVER" command from a command prompt to review the name of the system that validated the logon. If the result is the name of the local computer rather than a domain controller, then you are using your cached credentials. The use of cached logons is also recorded in the System log of the Event Viewer with an event ID of 5719.

If you choose to disable cached credentials, any client that is unable to communicate with a domain controller will not be able to log on to the domain. However, a user can still perform a local logon if they have a local user account (on most networks users do not have local accounts). While this may sound like a disadvantage, at least from a user's perspective, it is a much more secure configuration.

When disabling cached credentials, you should change the setting in the domain's GPO under the Security Options section as well as editing each system's Registry. The CachedLogonsCount Registry value and the GPO policy should both be set to 0 to disable cached logons.
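The following batch script is an added example, not part of the original Tech Tip. It automates the two checks described above: it compares the LOGONSERVER variable against the local computer name to tell a domain-controller logon from a cached one, and it queries the CachedLogonsCount value at its standard Winlogon location in the Registry. The reg.exe syntax shown (with /v) is the one built into Windows XP and later; on Windows 2000, reg.exe comes from the Support Tools / Resource Kit and its older releases use a different command-line syntax, so adjust the query and add lines for that version. The commented reg add line is the per-machine half of the disable procedure; the domain GPO setting still has to be changed alongside it.

```bat
@echo off
rem Added example (not from the original article): report whether this
rem session was validated by a domain controller or from cached
rem credentials, then show the current CachedLogonsCount setting.
rem Assumes reg.exe with the XP-and-later syntax is on the PATH.

setlocal

rem LOGONSERVER names the system that validated this logon. When it equals
rem the local computer name, no domain controller was reached and the
rem cached credentials were used, so GPO changes, logon scripts and home
rem folder mappings from the domain have not been applied.
if /i "%LOGONSERVER%"=="\\%COMPUTERNAME%" (
    echo WARNING: logon validated locally - cached credentials in use.
    echo          Domain GPOs and logon scripts were NOT applied.
) else (
    echo Logon validated by domain controller %LOGONSERVER%.
)

rem Standard Winlogon key that holds the cache size. The value is REG_SZ;
rem the Windows 2000 default is 10 and 0 disables cached logons.
set KEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
echo Current cached logon count:
reg query "%KEY%" /v CachedLogonsCount

rem To disable caching on this machine, run the line below (remove "rem").
rem Pair it with the matching domain GPO setting, otherwise the next policy
rem refresh can restore the old value. Takes effect for subsequent logons.
rem reg add "%KEY%" /v CachedLogonsCount /t REG_SZ /d 0 /f

endlocal
```

Run the script from the user's own session, since LOGONSERVER is set per logon session; a value of `\\%COMPUTERNAME%` on a domain-joined workstation is the same condition the article describes as the Event ID 5719 case, and the script's warning is the point at which an administrator should treat that machine's effective policy as unverified.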

For more information on this issue, search TechNet for the keywords "cached credentials" or the knowledge base document Q242536.
