Cached domain logon allows users to log on to a domain-joined Windows computer with their Active Directory account even if no domain controller is available or if the client is offline and has no network connection. As useful as this feature is, it also has some downsides, which I will discuss in this post. I will also show you how you can disable cached domain logon and how you can improve security by changing the default configuration. Everything I say in this post applies to Windows XP, Windows Vista, and Windows 7.

Michael Pietroforte

Michael Pietroforte is the founder and editor in chief of 4sysops. He has more than 35 years of experience in IT management and system administration.

How cached domain logon works ^

Cached domain logon only works if the user has logged on once with a valid password while a domain controller was reachable. Windows then stores a hash derived from this password in the SECURITY hive of the local registry (HKLM\SECURITY\Cache), which only the SYSTEM account can read. The format is usually called MS-Cache or "domain cached credentials". It is not MD5: Windows XP stores an MD4 hash of the user's NT hash concatenated with the lowercase user name, and Windows Vista and Windows 7 additionally run that value through PBKDF2 (10,240 iterations of HMAC-SHA1). Because the user name acts as a salt, precomputed rainbow tables are useless against it, and the PBKDF2 step on Vista and later makes offline cracking far slower. Note that a cached credential cannot be replayed on the network; an attacker who obtains it has to crack it. If the PC has no connection to an Active Directory domain controller the next time the same user logs on, Windows verifies the password locally against this cached entry.

By default, Windows keeps cached credentials for the last 10 domain accounts that logged on to the machine. There is one entry per account, refreshed on every successful online logon, and the maximum is 50. Thus, if more than 10 users share a PC, a cached domain logon can fail even though the user has logged on to this machine before, because more recent accounts have pushed that user's entry out of the cache.

The main advantage of cached domain logon is that users still have access to their desktop when the network or all domain controllers are down. For mobile users, it means that they can log on with their domain account when they have no access to the corporate network.

Disadvantages of cached domain logon ^

However, cached domain logon has several disadvantages. First of all, locally stored password hashes are a significant security risk. This is especially true for notebooks that users take with them. If the laptop ends up in the wrong hands, an attacker who can read the disk can extract the cached entries and run an offline brute-force or dictionary attack against them. Note that the cache holds domain accounts only; the local administrator password lives in the SAM, not here. Considering that admins often log on with a domain administrator account to solve local computer problems, this is a serious threat to your whole network.

You can reduce this risk by setting the number of previous logons to cache to 1 (see below). Because only one entry is kept, the administrator's cached hash is overwritten as soon as the regular user logs on again, so an attacker would at most be able to crack the password of a normal domain user. An even better way is to encrypt the system drive with BitLocker, and the cleanest fix is not to log on to workstations with domain administrator accounts in the first place.

Another disadvantage of cached domain logon is that network connection problems can stay undetected for some time because the user doesn't realize that he or she is working offline. Only if you work with roaming user profiles will you get a message that there was a problem with your roaming profile:

User Profile Service

However, many users just ignore this message, which means that new Group Policy settings are not applied, Windows updates are not installed, and antivirus signatures are not updated. A PC that comes back online after months in this state poses a severe security risk.

Moreover, in some environments it might not be desirable for users to log on while the network is offline, for example because they can't work anyway if they can't access their remote applications or data. It also helps the service desk personnel if users can tell that they were not able to log on at all. You know, the kind of help desk call where a user insists that the email server must be down, not knowing that the cleaning lady unplugged the network cable.

How to disable cached domain logon ^

To disable cached domain logon, set the CachedLogonsCount value (a REG_SZ string, not a DWORD) under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon to 0. Valid values are 0 to 50. You can also use the Local Security Policy snap-in or change the setting network-wide through Group Policy. You'll find the setting "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" under Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options. Keep in mind that a value managed by Group Policy is rewritten at the next policy refresh, so a local registry change does not stick on domain-managed machines.

Group Policy: Interactive logon: Number of previous logons to cache

Once you have set the number of cached logons to 0, you have to reboot the computer. This deletes all locally stored password hashes. From then on, users will get this message whenever they try to log on without an available domain controller: "There are currently no logon servers available to service the logon request".
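As an added example (my own code, not part of the original post), the following PowerShell functions read and set the CachedLogonsCount value described above, validate the 0 to 50 range, and check whether a logon server is actually reachable, which is the question behind the "working offline without noticing" problem discussed earlier. Assumptions: an elevated PowerShell session on a domain-joined Windows machine, and WinRM enabled on any remote computer names you pass in; the function names are my own.

```powershell
# Added example, not from the original post: audit and change the registry
# value behind "Interactive logon: Number of previous logons to cache", and
# test whether a domain controller can be reached right now.
# Assumptions: elevated Windows PowerShell on a domain-joined machine;
# remote targets passed to -ComputerName need WinRM (Invoke-Command).

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'CachedLogonsCount'

# Runs locally or remotely; returns the configured and the effective count.
$ReadBlock = {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    $raw  = if ($null -ne $item) { [string]$item.$Name } else { $null }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Configured   = $raw                                                          # $null: value absent
        Effective    = if ([string]::IsNullOrEmpty($raw)) { 10 } else { [int]$raw }  # Windows default is 10
    }
}

function Get-CachedLogonsCount {
    [CmdletBinding()]
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($c in $ComputerName) {
        if ($c -ieq $env:COMPUTERNAME -or $c -ieq 'localhost') {
            & $ReadBlock $WinlogonKey $ValueName
        } else {
            Invoke-Command -ComputerName $c -ScriptBlock $ReadBlock -ArgumentList $WinlogonKey, $ValueName
        }
    }
}

function Set-CachedLogonsCount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateRange(0, 50)][int]$Count,   # 0 disables caching, 50 is the maximum
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    $write = {
        param([string]$Key, [string]$Name, [int]$Value)
        # The security policy stores this as REG_SZ, so write a string, not a DWORD.
        Set-ItemProperty -Path $Key -Name $Name -Value ([string]$Value) -Type String
    }
    foreach ($c in $ComputerName) {
        if (-not $PSCmdlet.ShouldProcess($c, "Set $ValueName to $Count")) { continue }
        if ($c -ieq $env:COMPUTERNAME -or $c -ieq 'localhost') {
            & $write $WinlogonKey $ValueName $Count
        } else {
            Invoke-Command -ComputerName $c -ScriptBlock $write -ArgumentList $WinlogonKey, $ValueName, $Count
        }
        Write-Warning "$c`: reboot before relying on the new value; if Group Policy sets this value, the next policy refresh overwrites a local change."
    }
}

# Can a logon server be reached right now? A user cannot tell whether the
# logon that just happened was online or served from the cache; this can.
function Test-LogonServer {
    [CmdletBinding()]
    param()
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        $dc     = $domain.FindDomainController()
        $secure = $false
        try { $secure = Test-ComputerSecureChannel -ErrorAction Stop } catch { }
        [pscustomobject]@{ Online = $true; DomainController = $dc.Name; SecureChannel = $secure; Error = $null }
    } catch {
        # GetComputerDomain() throws when no domain controller can be contacted.
        [pscustomobject]@{ Online = $false; DomainController = $null; SecureChannel = $false; Error = $_.Exception.Message }
    }
}

# Usage:
# Get-CachedLogonsCount -ComputerName PC01, PC02 | Format-Table
# Set-CachedLogonsCount -Count 1 -WhatIf      # dry run
# Set-CachedLogonsCount -Count 0              # then reboot the machine
# Test-LogonServer
```

Get-CachedLogonsCount reports the value Windows actually uses (10 when the value is absent), which makes it suitable for a quick fleet audit against your baseline. Set-CachedLogonsCount writes the value as a string because that is the type the security policy engine expects; on machines where the setting comes from a GPO, make the change in the GPO instead, or the next refresh will revert it.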

There are currently no logon servers available to service the logon request

But don't confuse cached domain logon credentials with the stored credentials in the Windows Vault (Credential Manager). That will be the topic of my next post.

13 Comments
  1. Fr3d 9 years ago

    Is it possible to limit how long logons can be cached before Windows "expires" them (unless it re-establishes contact with a Domain Controller)?

  2. Michael Pietroforte 9 years ago

    This would certainly make sense, but I haven't found such a setting during my tests.

  3. anonymous 9 years ago

    One thing I hate about Vista/7 that XP had is one can't change the stored domain password in Credential Manager if the domain is offline.

  4. Michael Pietroforte 9 years ago

    I think for security reasons it is better if a domain controller confirms the password change. Also, cached domain logon is only for worst case scenarios. This is not the time when users should change their passwords. However, it would make sense if one could delete the cached password hash with credential manager.

  5. Mathieu Chateau 9 years ago

Hello,

The cached password is not encrypted with MD5 but with MD4 (twice), and encrypted with the login name. So rainbow tables are not useful, except for the English "administrator".

The local administrator can always be enabled/changed; I guess you were thinking of the domain administrator account.

You can prevent storing the LM hash to help, and encrypt the whole disk with BitLocker.

    http://support.microsoft.com/kb/913485

  6. Michael Pietroforte 9 years ago

    Mathieu, thanks. I think I have read somewhere that it is MD5 since Vista. I changed the article, just to be sure.

  7. Hoang Nguyen 7 years ago

Thanks for the great information, Michael. It's very useful.

Is there some kind of limitation on how many times you can log on without the domain?

  8. CAN DIEN TU THAI BINH DUONG 7 years ago

How to improve domain join and login time for Windows XP?
    Thanks

  9. Gus 6 years ago

    Hello,
I accidentally changed my wife's work computer (XP, which uses a domain) to be on a workgroup. We know the user/password of the admin for local and domain, but we can't restore it back to log in through the domain. We are a continent away from her job & VPN is not possible. Is there a way to:
    - set it back to login using the domain through the registry (regedit)?
    - have access to the folders (which currently says that the local admin - does not have access to folders set by the domain.)
    - use Djoin somehow to bring it back to old state. (PS - backup & restore of whole windows state was not enabled)
    Thanks

  10. Michael Pietroforte 6 years ago

Gus, only a domain admin can join the computer to a Windows domain. However, your local admin account should have access to all folders. You might have to change the ownership. You can change the ownership through the Advanced Security Settings in the Security tab of the folder's properties.

  11. Zia 4 years ago

    Hello,

My question is, for how many days can a client log on to a computer without a Windows Active Directory domain controller being available?

I need to know for how many days a client can log on without AD.

    Your early reply is highly appreciated.

    Kind regards
    Zia

    • C-dub 2 years ago

      Zia,

I don't think it's based on days but on the number of TIMES. The default is 10 logins. They could do this over 2 days if they constantly log out of their PC. The max is 50.

  12. Michael Pietroforte 4 years ago

    Zia, if I remember it right, the cached credentials don't expire.

© 4sysops 2006 - 2019