Wednesday, April 16, 2008

Cached logons are available by default on a domain member system (workstation or server).

The password for a cached logon doesn't expire; it is only when the offline computer is connected back to the domain that domain synchronisation occurs and expires the user object password. I have seen some newsgroup posts supporting this statement but no "official" Microsoft documentation.

To disable cached logons, set the CachedLogonsCount value under:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Type: REG_SZ
Data: 0

Note: Before disabling cached logons on servers, make sure you check out the article below, though the scenario it describes is unlikely given the size of site that would require a cluster...

The main scenario where this might occur is when the Private Cluster LAN is available, yet the Public LAN is broken in some manner. It is still a good insight into other potential issues with disabling cached logons.

Cluster nodes may fail when the CachedLogonsCount value in the registry is set to zero
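
One way to check and apply this setting from PowerShell, as an added example that is not from the original post. The function name `Get-CachedLogonState` and the `-Disable` switch are hypothetical, and treating a service named `ClusSvc` as the sign of a cluster node is an assumption.

```powershell
# Added example: report the cached-logon setting and, with -Disable, set it to 0.
# Key path, value name, type and data are the ones given in the post.
param([switch]$Disable)   # hypothetical switch: without it the script only reports

$key  = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name = 'CachedLogonsCount'

function Get-CachedLogonState {
    $item = Get-Item -Path $key
    if ($item.GetValueNames() -notcontains $name) {
        # Value absent: the OS default applies (the post gives 10, or 25 for "Longhorn")
        return [pscustomobject]@{ Present = $false; Kind = $null; Data = $null
                                  State   = 'not set, OS default applies' }
    }
    $kind = $item.GetValueKind($name)      # the post specifies REG_SZ (String)
    $data = [string]$item.GetValue($name)
    if ($kind -ne 'String') {
        # A value created with the wrong type is a common cause of a setting
        # that appears present but is not the one described in the post
        $state = "unexpected type $kind, expected REG_SZ"
    }
    elseif ($data -eq '0') { $state = 'cached logons disabled' }
    else                   { $state = "cached logons enabled (count $data)" }
    [pscustomobject]@{ Present = $true; Kind = $kind; Data = $data; State = $state }
}

Get-CachedLogonState | Format-List

if ($Disable) {
    # The post warns that cluster nodes may fail with this value at zero, so
    # leave hosts that run the Cluster service alone (service name assumed).
    if (Get-Service -Name ClusSvc -ErrorAction SilentlyContinue) {
        Write-Warning 'Cluster service found; CachedLogonsCount left unchanged.'
        return
    }
    # Writing under HKLM requires an elevated session
    Set-ItemProperty -Path $key -Name $name -Value '0' -Type String
    Get-CachedLogonState | Format-List
}
```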

The default value for Domain Controllers pre-2008 is 10 cached logons, with this figure being bumped to 25 for "Longhorn" server.

Cached domain logon information (Q172931)
The default value of the cachedlogonscount registry entry has changed from 10 to 25 in Windows Longhorn Server
