You need to disable logging in via cache credentials, but first remove them
from the administrators local group on their computers and remove any
unathorized local accounts and change passwords on any local accounts that
may be left, especially the administrator using a complex password. If you
are in a domain, you may want to look into restricted groups to enforce
membership of local administrator accounts. You can disable cached
credentials at the appropriate security policy level - local, doman,
Organizational Unit, etc by going to security settings/local
policies/security options - number of previous logons to cache and set it to
zero. Also FYI it is fairly trivial for a user who has physical access to a
computer to use techniques/software to reset the local administrator account
and gain access as an administrator. To minimize this risk, you need to make
sure that the computer is set to boot only from the hard drive via cmos
settings and password protect cmos settings and lock the computer case. Also
diasable cdrom autorun [via Group Policy] and disable USB in cmos if it is
not needed. --- Steve
