How to test if user logged in with cached credentials


  • I am looking to notify users when they have been using cached credentials to log into their laptop for too long (however I define that).  I don't want to prevent them from using the machine with cached credentials, but I'm OK with annoying them until they do bring it in.  :)

    I figure a locally stored script is necessary.  I want to have it run at every authentication event (either login or unlock).  I'm unsure how to accomplish a couple pieces:

    1. check if a user is authenticating with cached credentials
    2. determine how long it has been since that user logged in while "within sight" of the DC to actually authenticate their login

    I'm really stuck at how to do (1).  If there is a built-in method of doing (2), I would love to hear it, but I can always just store a date somewhere to be compared against. 

    Thanks for any suggestions you can offer.

    2012年5月11日 15:55


  • There is no easy way to do it that i know off.

    You would have to create a logon script that would parse though logon events through event viewer providing that you have enable auditing for logon events.

    Other then "Interactive logon: Number of previous logons to cache" i don't know of any other GPO setting that you can use.

    2012年5月11日 16:06
  • Thanks for the answer, and I'm sorry to be thick-headed, but no easy way to do what?

    No easy way to run a script at every authentication attempt?  Couldn't a scheduled task be established that runs after certain events IDs?

    No easy way to check if a user is authenticating with cached credentials?  How does windows do it?  Can't I do it the same way?

    No easy way to determine how long a user has been authenticating with cached credentials?  This I am assuming, but I think I can store/overwrite the date in a dummy HKLU registry key each time a login is authenticated with a DC, and then compare the date with any subsequent attempts.  That should work, right?

    2012年5月14日 12:52
  • No easy way to get that information from the system on how did they authenticated localy or against domain.

    You can try to achive that with custom scripting but i don't know of any built-in method.

    The registry key thing might work, but i think you would have then to set it on with logon script and change the value with log off script.

    For exp.

    set LogonType=DC on logon

    set LogonType = "" on log off

    This way if the key wasn't set then probably there is no DC and Group policy and therefore expect value will be LogonType="".

    2012年5月14日 13:49
  • In poking around, I see several, older references to comparing %logonserver% with %computername% as a valid way to check for cached login.  When I do that in Win7 while booted and logged in via cached credentials (due to a disconnected network cable) however, my %logonserver% is the PDC of the user account's domain.  The computer account is in a subordinate domain.

    Is this a new thing?

    I also find references to a "Login Type 11", but while I can find those entries in the security log, I don't know how to exploit them.  Powershell needs elevation to see the security log, and I don't see a way to trigger a scheduled task on the Login Type.

    Were these already part of your consideration that there is no easy way?


    2012年5月16日 20:17
  • Yes, if a user log on with cached credential, you can find a event 528 with logon type 11 in the security event.

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    2012年5月23日 6:46
  • I realize it is very old thread, but the question was not answered then.

    Wonder if it can be "better" answered now.

    While there might be event logged, one needs admin access rights (which is a no no when result is to be used for a script run by user) to be able to query


    with wevtutil

    Also in W7 the Event id is 4624 as per -

    If it was just a registry value then req query would do just fine



    In fact it is double posting, with much better discussion here

    • 已编辑 scerazy 2018年5月16日 18:09
    2018年5月16日 16:40