• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1045
  • Last Modified:

Cached Credential

We want to restrict user to log into PCs with cached credential only 2 times. Is there any way to do that?
0
dongocdung
Asked:
dongocdung
  • 5
  • 4
2 Solutions
 
Joshua_PetersCommented:
You can configure this security setting by opening the appropriate policy and expanding the console tree as such: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

It is called "Interactive logon: Number of previous logons to cache (in case domain controller is not available)"
0
 
dongocdungAuthor Commented:
I believe this option only prevents multiple users from using cached credential to log into PCs. I want to know if there is a way to prevent a SINGLE user from log into PCs mutiple times using cached credential.
0
 
Joshua_PetersCommented:
Sorry here is a better view. This is where you limit the number of cached logins.
Capture.PNG
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
dongocdungAuthor Commented:
Joshua;

Again, this only limits the number of users who can use cached credential to log into PCs. My question is that if there is a way to restrict the number of TIMES a SINGLE user can use cached credential to log into a PC.
0
 
Joshua_PetersCommented:
This is what it says when you click the explain button:

Interactive logon: Number of previous logons to cache (in case domain controller is not available)

All previous users' logon information is cached locally so that, in the event that a domain controller is unavailable during subsequent logon attempts, they are able to log on . If a domain controller is unavailable and a user's logon information is cached, the user is prompted with a message that reads as follows:

Windows cannot connect to a server to confirm your logon settings. You have been logged on using previously stored account information. If you changed your account information since you last logged on to this computer, those changes will not be reflected in this session.

If a domain controller is unavailable and a user's logon information is not cached, the user is prompted with this message:

The system cannot log you on now because the domain is not available.

In this policy setting, a value of 0 disables logon caching. Any value above 50 only caches 50 logon attempts.

Default: 25

0
 
Joshua_PetersCommented:
If you type 5 each user has 5 attempts without being connected to the domain before it gives them the error.
0
 
dongocdungAuthor Commented:
Have you have a chance to try out this policy? When I set the number to five and then I unplug the cable I was able to log into the PC more than 5 times (unlimited times)
0
 
Suliman Abu KharroubIT Consultant Commented:
I agree with 'donqocdung", this policy setting determine number of users not number of attempts.

I wonder if i there is a way to do that...
0
 
Joshua_PetersCommented:
After you do it type in the run box "gpupdate" without the quotes then run "gpresult /h file.html" Then view the file to see if the group policy has been updated.

If that doesn't work then do "gpupdate /force /boot" then reboot then run "gpresult /h file.html"

If that doesn't work make sure the group policy is being applied to the right users.
0
 
dongocdungAuthor Commented:
Got my answer
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now