Number of cached logons

  • Thread starter: Randy Bickford

Randy Bickford

Hi -
The situation has always been that once a user logs on to an NT/2K/XP
machine with a domain account, that user can remove the computer from the
network and still log on to the computer using cached creds.
Group Policy exposes the registry setting for this under Local Security
Policy in "Interactive Logon: Number of cached logons......". The default
number is 10. Ever since I first saw this in W2K, I wondered why our laptop
users can go away for months without connecting to our network yet are able
to log on more than 10 times without any failure. We're on an NT4 domain but
the Local Policy should still apply on our W2K and XP machines.
What's up with that? Not really a problem (just the opposite, in fact) but
I'm curious.
Thanks.
 
Hi Randy-

I wouldn't think that the process to check cached logon use would be aware of
the domain type, but it is possible.

Do your users log on using smartcards or a biometric device? Do they always
log into the domain, rather than locally while away from the office?
 
Thanks for the response, Tim.
Our users are not using smart cards or anything other than NTLM
authentication to log on to the domain. In fact, I didn't know smart cards
could be used to log on to an NT domain. I thought the domain controllers
had to be EAP aware or something like that.
Anyway, we don't create local accounts for them to use so they have to be
using their domain accounts to log on. One of our users is in a remote
office about 400 miles away and only comes around occasionally. He uses VPN
to connect but the VPN server is not Windows and he doesn't know about the
RAS logon feature. Besides him, we have others who are away for long
periods and don't even know what a VPN is.
Randy
 