Windows 2003 Domain Controller - Security Options - Login Cache

Posted on 2008-02-01
Medium Priority
Last Modified: 2013-12-04
Number of previous logons to cache (in case domain controller is not available)

If the value for this security option is set to 0 on a Domain Controller, could someone log
on to the Domain Controller if there were an issue where it was not available?  

i.e., it's powered on, but some issue is causing it not to authenticate user logins.

Best security practice recommends set this to 0.  But won't this keep an admin from logging
on to the DC to troubleshoot an issue?

Question by:zoey25

Expert Comment

by:Toni Uranjek
ID: 20803320

No, cached credentials are never used when logging on to a domain controller. If Active Directory is not working, you should use Directory Services Restore Mode to log on to the DC. To access DSRM, press F8 when the OS is starting up.



Author Comment

ID: 20804237

Hi Toni,
Thank you for the quick response.
Just a follow up clarification question if you don't mind.

So even if we set the logon cache value to 10 on the DC, this is disregarded?
i.e., If cached credentials are never used when logging on to a DC, then is it best to set this to 0 (as generally recommended best practice) to reduce the risk of unauthorized logons or unauthorized access to the cached password?

i.e., Even if cached credentials are set to, say, 2 (any number > 1) on the DC, if AD will not authenticate,
one would have to use DSRM to address the problem?

Or does having cached credentials not create a risk at all, as the DC does not retain them? You can enter a value > 0 in this security option, but the DC will not store it.

Just wanting to know the best way to configure this security option without risking not being able to access the box if needed.

Much appreciated.  


Accepted Solution

Toni Uranjek earned 1000 total points
ID: 20804333
Cached credentials are used on client computers when a domain controller is not available. I cannot imagine how such a situation would arise on the DC itself. This would happen only if AD stopped working, and when that happens you have to use DSRM to log on to the server.

I have checked the registry keys on my virtual DC, and all values are zero. I believe that this means that, regardless of policy settings, the DC does not "cache" any credentials.
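The two answers above (cached logons are never consulted on a DC; DSRM is the recovery path) can be checked and enforced from the box itself. The following PowerShell is an added example, not code from the thread or from Microsoft. It assumes an elevated PowerShell session on the server being examined; the registry paths and the Win32_ComputerSystem.DomainRole codes are standard Windows ones, and the function names are mine.

```powershell
# Added example (not part of the original thread).
# Inspect and harden "Interactive logon: Number of previous logons to cache
# (in case domain controller is not available)", then show why the setting
# is harmless on a DC and where the actual cache entries live.
# Assumes: run elevated on the target server.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    # The policy is backed by the REG_SZ value CachedLogonsCount.
    # If the value is absent Windows behaves as if it were "10".
    $v = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
          -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $v) { return 10 }
    return [int]$v
}

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    return ($role -eq 4 -or $role -eq 5)
}

function Set-CachedLogonsCount([int]$Count) {
    # Value is REG_SZ, so write it as a string.
    Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value ([string]$Count)
}

$current = Get-CachedLogonsCount
$isDC    = Test-IsDomainController
"CachedLogonsCount = $current  (domain controller: $isDC)"

if ($isDC) {
    # A DC validates interactive logons against its own AD database, so the
    # logon cache is never consulted here. Setting 0 therefore cannot lock
    # an admin out; it just documents intent and satisfies the baseline.
    # When AD itself is broken the recovery path is DSRM (F8 at boot), which
    # authenticates the DSRM Administrator account from the DC's local SAM,
    # not from the logon cache.
    if ($current -ne 0) {
        Set-CachedLogonsCount 0
        "DC: CachedLogonsCount lowered from $current to 0"
    }
} else {
    # On a member server or workstation the cache is exactly what lets a
    # domain user log on while no DC is reachable. 0 is strictest; a small
    # value (for example 1) keeps a single user able to log on offline.
    if ($current -gt 1) {
        "Member: consider lowering CachedLogonsCount from $current to 1 or 0"
    }
}

# The cached verifiers themselves are stored under HKLM\SECURITY\Cache as
# values NL$1, NL$2, ... and that key is readable only by SYSTEM, so an
# ordinary administrator session gets Access Denied. Run as SYSTEM
# (e.g. via a scheduled task or psexec -s) to list them; the count of
# non-empty NL$ values is what the expert's "only zeroes" remark refers to.
try {
    $cache = Get-Item -Path 'HKLM:\SECURITY\Cache' -ErrorAction Stop
    $cache.GetValueNames() | Where-Object { $_ -like 'NL$*' } | ForEach-Object {
        $bytes = $cache.GetValue($_)
        $inUse = ($bytes | Where-Object { $_ -ne 0 } | Measure-Object).Count -gt 0
        "{0}: {1}" -f $_, $(if ($inUse) { 'populated' } else { 'empty (all zero)' })
    }
} catch {
    "HKLM\SECURITY\Cache not readable from this context: $($_.Exception.Message)"
}
```

The same value can be set centrally through Group Policy under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options; editing the registry directly on a domain-joined box will be overwritten at the next policy refresh if the GPO defines the setting, which is the preferred place to put it.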

Author Closing Comment

ID: 31427418
Thank you!  Much appreciated!

Expert Comment

by:Toni Uranjek
ID: 20806154
Typo:  I have checked registry keys which contains only zeroes on my virtual DC....
