15 June 2012 13:40
We would like to restrict the number of logons that are being cached on our Windows 7 computers using GPOs. We currently have a setting of four in the policy. The problem is that we are not sure if this is enough, since we have some automatic logons for services and applications on our computers. I would like to see whose credentials are cached on our boxes to check if our policy will work properly.
I know that the cached credentials are stored in the registry under "Security". I can see four entries there. Is there a way to deduce the usernames for those entries without trying to use any "hacker" tools? I don't want to decipher the actual password hashes or the like, I just want to know who they belong to. Does anybody know of a way to do this?
Any help would be great!
18 June 2012 20:15
Most services use local accounts. So there is no limit.
You can easily restart the computer 4x, and you will see if there is any problem.
19 June 2012 9:29 Moderator
Based on my research, the cache is used by various security principals on the system - not just the users that physically log on to the system with a user account.
You can run Process Monitor and configure a filter to include only paths beginning with HKLM\Security\Cache in the capture and drop everything else (Filter/Drop filtered events) then it will show a SetReg operation each time a cache entry is written to.
In addition, you will get a LsaSrv 45058 event in the System log whenever an older entry has been removed from the LS cache and what account it was for (see: Cached User logon fails when LSASRV event 45058 indicates FIFO deletion of cached credential).
For more detailed information, please refer to Cached logons and CachedLogonsCount.
Hope this helps.
TechNet Community Support
- Marked as answer by HarryNew 19 June 2012 9:46
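A scripted version of the check suggested in the answer above, added here as an example that is not part of the original thread: it reads the effective CachedLogonsCount from the Winlogon key and lists LsaSrv 45058 events from the System log, which are the events that name an account whose cached entry was evicted. It assumes an elevated PowerShell session on the Windows 7 machine being checked.

```powershell
# Added example (not from the original thread). Assumes an elevated session.
# 1. Effective cache size: CachedLogonsCount under the Winlogon key.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$count = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
          -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $count) {
    # Windows applies a default of 10 when the value is absent.
    Write-Output 'CachedLogonsCount not set; default of 10 applies.'
} else {
    Write-Output "CachedLogonsCount = $count"
}

# 2. LsaSrv 45058 in the System log is written each time an older entry is
#    removed from the cache because it is full; the message names the account.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'LsaSrv'
    Id           = 45058
} -ErrorAction SilentlyContinue   # Get-WinEvent errors when nothing matches

if (-not $events) {
    Write-Output 'No LsaSrv 45058 events: no cached entry has been evicted, so the limit has not been reached yet.'
} else {
    $events |
        Sort-Object TimeCreated |
        ForEach-Object {
            [PSCustomObject]@{
                Time    = $_.TimeCreated
                # Collapse whitespace so each eviction fits on one table row.
                Message = ($_.Message -replace '\s+', ' ')
            }
        } |
        Format-Table -AutoSize -Wrap
}
```

If a service or application account shows up in the 45058 messages, the configured count is too low for that machine.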
19 June 2012 9:47
I will check for the events. That sounds promising!
Thanks & Regards