Windows 2003 Domain Controller - Security Options - Login Cache

Number of previous logons to cache (in case domain controller is not available)

If the value for this security option is set to 0 on a Domain Controller, could someone log
on to the Domain Controller if there were an issue where it was not available?  

i.e., it's powered on, but some issue is causing it not to authenticate user logins.

Best security practice recommends setting this to 0.  But won't this keep an admin from logging
on to the DC to troubleshoot an issue?


Toni Uranjek (Consultant/Trainer) commented:

No, cached credentials are never used when logging on to a domain controller. If Active Directory is not working you should use Directory Services Restore Mode to log on to the DC. To access DSRM, press F8 when the OS is starting up.


zoey25 (Author) commented:

Hi Toni,
Thank you for the quick response.
Just a follow up clarification question if you don't mind.

So even if we set the logon cache value to 10 on the DC, is this disregarded?  
i.e., if cached credentials are never used when logging on to a DC, then is it best to set this to 0 (as generally recommended best practice) to reduce the risk of unauthorized logons or unauthorized access to the cached password?

i.e., even if cached credentials are set to, say, 2 (any number > 1) on the DC, if AD will not authenticate,
one would have to use DSRM to address the problem?  

Or does having cached credentials not create a risk at all, as the DC does not retain them?  You can enter a value > 0 in this security option, but the DC will not store it.  

Just wanting to know what is best way to configure this sec option without risking not being able to access the box if needed.  

Much appreciated.  

Toni Uranjek (Consultant/Trainer) commented:
Cached credentials are used on client computers when a domain controller is not available. I cannot imagine how such a situation would arise on the DC itself. This would happen only if AD stopped working, and when that happens, you have to use DSRM to log on to the server.

I have checked the registry keys, which contain only zeroes on my virtual DC. I believe that this means that, regardless of policy settings, the DC does not "cache" any credentials.
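The check described in the answer above, as an added example that is not code from the original thread: it reads the registry value behind "Number of previous logons to cache" (CachedLogonsCount under the Winlogon key), reports whether the machine is a domain controller, and counts how many of the NL$1..NL$n slots under HKLM\SECURITY\Cache hold anything other than zeroes. It assumes an elevated prompt and, for the cache check, the SYSTEM context (for example via `psexec -s -i powershell.exe`), because HKLM\SECURITY is not readable by administrators by default; the function names and the output object are this example's own.

```powershell
# Added example, not code from the original thread. Reports the
# "Number of previous logons to cache" setting (CachedLogonsCount) and whether
# any cached domain logon slots in HKLM\SECURITY\Cache are actually populated.
# Assumptions: run elevated; HKLM\SECURITY is readable only as SYSTEM by default
# (e.g. "psexec -s -i powershell.exe"), so CacheReadable is $false when run as a
# plain administrator. Uses Get-WmiObject and New-Object for compatibility with
# older PowerShell versions.

function Get-CachedLogonState {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    $isDC = ($role -ge 4)

    # The policy writes a REG_SZ; an absent value means the default of 10.
    $item = Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($item -and $null -ne $item.CachedLogonsCount) {
        $policy = [int]$item.CachedLogonsCount
        $policySource = 'registry'
    } else {
        $policy = 10
        $policySource = 'default (value absent)'
    }

    # Each cached logon lives in a REG_BINARY value NL$1..NL$n under HKLM\SECURITY\Cache.
    # An unused slot is an all-zero blob, which is what "only zeroes" means in the answer.
    $slots = 0
    $populated = 0
    $cacheReadable = $false
    try {
        $cache = Get-Item -Path 'HKLM:\SECURITY\Cache' -ErrorAction Stop
        $cacheReadable = $true
        foreach ($name in $cache.GetValueNames()) {
            if ($name -notmatch '^NL\$\d+$') { continue }   # skip NL$Control
            $slots++
            $bytes = $cache.GetValue($name)
            if (@($bytes | Where-Object { $_ -ne 0 }).Count -gt 0) { $populated++ }
        }
    } catch {
        # Access denied unless running as SYSTEM; $cacheReadable stays $false.
    }

    New-Object PSObject -Property @{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = $isDC
        CachedLogonsCount  = $policy
        PolicySource       = $policySource
        CacheReadable      = $cacheReadable
        CacheSlots         = $slots
        PopulatedSlots     = $populated
    }
}

# Hardening: set the policy value to 0 so no domain credentials are cached
# (0..50 is the range the policy accepts). On a domain-joined machine Group
# Policy rewrites this value at the next refresh, so set it in the GPO that
# applies to the machine rather than only here.
function Set-CachedLogonsCount {
    param([ValidateRange(0, 50)][int]$Count)
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value ([string]$Count) -Type String
}

Get-CachedLogonState | Format-List
```

On a DC, IsDomainController is $true and PopulatedSlots should be 0 whatever CachedLogonsCount says, which is the observation in the answer; on a workstation, PopulatedSlots grows with each distinct domain user who logs on until it reaches the configured count. For the recovery path the answer mentions: Windows Server 2003 reaches DSRM through the F8 boot menu, while on Windows Server 2008 and later `bcdedit /set safeboot dsrepair` forces the next boot into DSRM and `bcdedit /deletevalue safeboot` returns the server to normal boots.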

zoey25 (Author) commented:
Thank you!  Much appreciated!
Toni Uranjek (Consultant/Trainer) commented:
Typo:  I have checked registry keys which contains only zeroes on my virtual DC....