Cached Logon Count problem

Cameron Epp

I am preventing users from logging onto a non-network-connected
computer by changing the value of cachedlogonscount (in
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) to 0.

This works fine after a reboot - but I have a problem when I try to
change the value back to 10 (so that the cached credentials will work
again). The problem is that I still can't log on - I get the message
"The system cannot log you on now because the domain <DOMAIN_NAME> is
not available." I have tried rebooting and I have tried logging onto
the network and then changing the value (then rebooting) but when I
disconnect from the network again, it won't let me in.

Is there another place I should look or any additional steps I should
try?

Thanks a lot.

Steven L Umbach

Try also configuring it in Local Security Policy via secpol.msc on the
computer you are trying to configure cached logons for. Go to security
settings/local policies/security options and configure the security option
for number of previous logons to cache. Then reboot and try again. If it
still does not work, look in Local Security Policy again to see if the local
and effective settings are the same. If they are not, then you may have a
domain/OU policy overriding local policy, assuming your computer is in a
domain. --- Steve

Cameron Epp

Hi Steve, thanks for the note.

I tried your suggestion already - but all that the GPO setting does is
change the value of the registry key I mentioned before.

I think I found the reason for this behaviour though... Once I set the
value (of cachedlogonscount) to 0, it wipes out the cache information
in HKLM\security\cache. This prevents people from logging on with
cached credentials. However, when I reset the value of
cachedlogonscount, it does not restore the previous values into
HKLM\security\cache - all it does is allow new values to be placed in
there. So in my scenario the user has to log on twice - once to change
the value of cachedlogonscount, then a second time (after reboot) to
re-cache their credentials.

For the project I am working on, I got around this by editing the
values in HKLM\security\cache directly. To prevent them from continuing
to use cached credentials, I delete all the values under that key
(effectively wiping out the credential information). The next time they
log on successfully (which now means they have to authenticate with the
domain because they have no cached credentials), the credentials can be
recached without a problem, since I never changed the cachedlogonscount
in the first place.

So - this has allowed me to design a service that can track how long
users have been 'off' the domain, and if they have been away too long,
the service can force them to reauthenticate by preventing them from
using the cached credentials.

// Cam
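The "off the domain too long" service Cam describes above, as an added PowerShell sketch that is not code from the thread. It assumes it runs as SYSTEM (ordinary administrators cannot read HKLM\SECURITY), Windows PowerShell 5.1 on a domain-joined machine, a hypothetical state-file path, and a 14-day threshold chosen purely for illustration; it removes only the NL$<n> cache entries and leaves CachedLogonsCount untouched, so the next successful domain logon is cached again without the second reboot/logon round trip.

```powershell
# Added example, not from the thread. Assumptions: running as SYSTEM,
# hypothetical state-file path, illustrative 14-day offline threshold.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$CacheKey    = 'HKLM:\SECURITY\Cache'
$StateFile   = 'C:\ProgramData\CachedLogonWatch\last-domain-contact.txt'  # hypothetical
$MaxOffline  = [TimeSpan]::FromDays(14)                                   # policy choice

function Get-CachedLogonsCount {
    # CachedLogonsCount is a REG_SZ string, so it must be parsed before comparing.
    $raw = (Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount `
            -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $raw) { return 10 }   # Windows default when the value is absent
    return [int]$raw
}

function Test-DomainReachable {
    # Secure-channel check against a DC for this machine's domain; any error
    # (domain not contactable) is treated as "offline".
    try { return [bool](Test-ComputerSecureChannel -ErrorAction Stop) } catch { return $false }
}

function Clear-CachedDomainLogons {
    # Remove the NL$1..NL$n cached-logon entries only; NL$Control is kept.
    # Returns the number of entries removed.
    $entries = @((Get-Item -Path $CacheKey).GetValueNames() | Where-Object { $_ -match '^NL\$\d+$' })
    foreach ($name in $entries) { Remove-ItemProperty -Path $CacheKey -Name $name }
    return $entries.Count
}

# One check; run it from a scheduled task or a service timer.
$now = Get-Date
if (Test-DomainReachable) {
    New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
    $now.ToString('o') | Set-Content -Path $StateFile
    Write-Output "Domain reachable; last contact recorded at $now"
} elseif (Test-Path $StateFile) {
    $last = [DateTime]::Parse((Get-Content -Path $StateFile -Raw).Trim())
    if (($now - $last) -gt $MaxOffline) {
        $removed = Clear-CachedDomainLogons
        Write-Output "Offline for $($now - $last); removed $removed cached logon entries"
    }
}
Write-Output "CachedLogonsCount is currently $(Get-CachedLogonsCount)"
```

Removing the entries is a lockout for anyone who cannot reach a domain controller, so the threshold and the state file's protection (SYSTEM-only ACL) matter as much as the deletion itself.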

Steven L Umbach

Glad to hear you got it worked out and thanks for letting me know how you
did it! --- Steve