How to set cached logon policies.

  • Question

  • I'm trying to locate the policy objects that need to be set so that users on laptops can authenticate to the domain, and then be able to log on using those cached credentials while they're remote with no domain connectivity.

    Please note:
    I'm not experiencing an error other than the normal, "The system cannot log you on now because the domain <DomainName> is not available"
    I've ensured that the clients' registry is configured to allow 50 logons until they need to re-connect to the domain to re-authenticate.
    I've had them log on twice while on the domain before removing their connectivity.

    The scenario is:
    I have multiple users that are working on laptops, and will be traveling to various conferences.
    While they are here, they are authenticating to a 2008 domain.
    When I take a laptop out of domain connectivity (in this case, disable their wireless and unplug the LAN line) they receive the error, "The system cannot log you on now because the domain <DomainName> is not available."

    The outcome I'm attempting to achieve:
    When the users go remote, they should still have the ability to log onto their machines without having to create a local profile.
    We had this functionality in a 2003 domain.

    Is there a particular GPO that I need to change on the server side? Is it disabled by default? Heh, or am I just blind?
    Thursday, September 17, 2009 9:40 PM

Answers

  • Hi Drew,

    As far as I know, by default Windows 2008 Server does not disable cached logons.

    You can check this in KB 172931:

    Cached domain logon information
    http://support.microsoft.com/kb/172931

    Yes, there is a GPO setting on the server side to adjust the cached logon count, called Interactive logon: Number of previous logons to cache (in case domain controller is not available). You can find it under [Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\]. Please ensure that this policy is either Not Configured or is configured to allow a large enough number of cached credentials.

    In addition, please check the following:

    1. Ensure the following registry value is set to 0:
    HKLM\System\CurrentControlSet\Control\LSA\disabledomaincreds

    2. If the client is Windows XP, please install the following hotfix:
    http://support.microsoft.com/kb/888516/en-us

    3. If the client is Windows XP or Windows 2000, please install the following hotfix:
    http://support.microsoft.com/kb/824302

    If the problem continues, please check the following:

    1. Does this issue exist for all users or only some specific users?
    2. Does this issue exist on all clients or only some specific clients?
    3. Check which cached logons are recorded when this problem happens.
    Grant read permissions to the administrators account on 'HKEY_LOCAL_MACHINE\Security\', press F5 to refresh, then check the registry key 'HKEY_LOCAL_MACHINE\Security\Cache'.
    Here you will see the configured number of slots displayed as NL$x. For example, the default count would show NL$1, NL$2, NL$3, ..., NL$10.
    Double-clicking an NL$x entry shows you the domain and user name of the previously cached user for that particular slot. If the domain user account that fails is not in any of the slots, that is why it cannot log on with cached credentials.

    Best Regards,
    Wilson Jia
    • Marked as answer by Wilson Jia Thursday, September 24, 2009 2:30 AM
    Friday, September 18, 2009 3:58 AM
  • Wilson,
    Thank you very much for the information.

    Turns out that the machines that were having this issue were moved into an OU that was being used for testing new Group Policies.
    The policy, "Interactive logon: Number of previous logons to cache" was enabled and set to 0. I believe that someone thought that this would allow for unlimited caching of the domain credentials. After moving a test machine account out of this OU, it was able to allow login correctly without the domain being available.

    Thank you again for the assistance, it's been greatly appreciated.

    Drew
    • Marked as answer by Wilson Jia Friday, September 25, 2009 1:59 AM
    Thursday, September 24, 2009 3:19 PM
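The following PowerShell audit is an added example and is not part of the thread. It checks, on a domain-joined client, the three things Wilson's answer lists (the CachedLogonsCount value that the "Interactive logon: Number of previous logons to cache" policy writes, the DisableDomainCreds value under LSA, and the NL$x slots under HKLM\SECURITY\Cache) and flags the exact misconfiguration Drew found, a cached-logon count of 0. The registry paths and value names are the standard Windows locations; the header offsets used to tell an empty slot from a used one (user-name length at offset 0, last-write FILETIME at offset 0x20) follow the publicly documented NL$ record layout and are an assumption of this script, as is all of its own naming. User names and hashes sit in the encrypted part of each slot and are not decoded.

```powershell
# Added example (not from the thread): audit why a domain-joined client cannot
# log on with cached credentials. Run in an elevated PowerShell session. Reading
# HKLM\SECURITY\Cache additionally needs SYSTEM (e.g. psexec -s powershell.exe)
# or the explicit read ACL grant described in the answer.

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Cache    = 'HKLM:\SECURITY\Cache'

# 1. CachedLogonsCount is the value written by the policy
#    "Interactive logon: Number of previous logons to cache". It is REG_SZ;
#    a missing value means the default of 10, and 0 disables caching entirely.
$raw = (Get-ItemProperty -Path $Winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $raw) { $cachedCount = 10;        $countSource = 'default (value absent)' }
else                { $cachedCount = [int]$raw; $countSource = 'registry (set by policy or by hand)' }

# 2. DisableDomainCreds = 1 stops the machine from storing domain credentials;
#    the answer asks for 0 (or absent).
$ddc = (Get-ItemProperty -Path $Lsa -Name DisableDomainCreds -ErrorAction SilentlyContinue).DisableDomainCreds
if ($null -eq $ddc) { $ddc = 0 }

# 3. Enumerate the NL$x slots. Only the unencrypted header is read: user-name
#    length at offset 0 (0 = empty slot) and last-write FILETIME at offset 0x20.
#    (Assumed layout, per public parsers of the NL$ record; names stay encrypted.)
$slots = @()
$cacheError = $null
try {
    $key = Get-Item -Path $Cache -ErrorAction Stop
    foreach ($name in ($key.GetValueNames() | Where-Object { $_ -match '^NL\$\d+$' })) {
        [byte[]]$data = $key.GetValue($name)
        $used = ($data.Length -ge 0x28) -and ([BitConverter]::ToUInt16($data, 0) -gt 0)
        $lastWrite = $null
        if ($used) {
            $ft = [BitConverter]::ToInt64($data, 0x20)
            if ($ft -gt 0) { $lastWrite = [DateTime]::FromFileTimeUtc($ft) }
        }
        $slots += [pscustomobject]@{ Slot = $name; Populated = $used; LastWriteUtc = $lastWrite }
    }
    $slots = @($slots | Sort-Object { [int]($_.Slot -replace '\D', '') })
} catch {
    $cacheError = $_.Exception.Message   # typically "access is not allowed" when not SYSTEM
}

# 4. Verdict, in the order the thread found the causes.
$problems = @()
if ($cachedCount -eq 0) { $problems += 'CachedLogonsCount is 0: caching is disabled, so offline logon cannot work (the root cause in this thread)' }
if ($ddc -ne 0)         { $problems += "DisableDomainCreds is $ddc: domain credentials are not stored" }
if ($cacheError)        { $problems += "Could not read $Cache ($cacheError); rerun as SYSTEM or grant read access" }
elseif ($slots.Count -gt 0 -and -not ($slots | Where-Object Populated)) {
    $problems += 'Cache key is readable but every NL$ slot is empty: no user has logged on since caching was enabled'
}

[pscustomobject]@{
    CachedLogonsCount  = $cachedCount
    CountSource        = $countSource
    DisableDomainCreds = $ddc
    SlotsDefined       = $slots.Count
    SlotsPopulated     = @($slots | Where-Object Populated).Count
    Problems           = if ($problems) { $problems } else { @('none detected') }
}
$slots | Format-Table -AutoSize
```

If CachedLogonsCount is reported as 0 and the machine is in the wrong OU, `gpresult /scope computer /h report.html` on the client shows which GPO is delivering the setting, which is quicker than walking OUs on the server as Drew did.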

All replies

  • Hi Drew,

    I am glad that you have found the root cause and fixed the issue.

    Thank you for clarifying here.

    Have a nice weekend.
    Wilson Jia

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, September 25, 2009 1:59 AM