Windows 7 cached credentials group policy
The Windows security baselines do not recommend configuring this setting. The following table lists the actual and effective default values for this policy. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy.
If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
The number that is assigned to this policy setting indicates the number of users whose logon information is cached locally by the servers. If the number is set to 10, the server caches logon information for 10 users. Users who access the server console have their logon credentials cached on that server.
An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to attempt to determine user passwords.
To mitigate this type of attack, Windows encrypts the information and obscures its physical location. Configure the "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" setting to 0, which disables the local caching of logon information.
Additional countermeasures include enforcement of strong password policies and physically secure locations for the computers. With the value set to 0, users cannot log on to any device if there is no domain controller available to authenticate them. Organizations can configure this value to 2 for end-user computers, especially for mobile users. A configuration value of 2 means that the user's logon information is still in the cache, even if a member of the IT department has recently logged on to the device to perform system maintenance.
Anything that helps us do our jobs better and be better informed is welcome. I think maybe because he was quite condescending and insulting in the way he argued his point, so it looked bad when it turned out he was actually wrong.
That's my opinion, but of course I may be wrong. I deleted the post because I did not want to come off as rude on the internet. At any rate I have always thought this to be the case, yet the supporting documentation says otherwise, with yet no explanation on how disconnected computers become out of sync.
Because they actually can and will become out of sync if disconnected. I have had 2 this year, sales reps that have not been in the office for close to a year. Are you sure something else isn't happening to the computer accounts in AD while the actual computers are off the network?
Also if you are using images to build your PCs and aren't changing the SIDs on each machine as it's deployed, you can get weird issues like that. We used to have all sorts of strange problems with computer accounts in AD a few years ago before we realised this and started using sysprep. I brought it up to him and he noted that with all the conflicting technet posts there are quite a few that the answer Chris gave was the best.
I have had, at several locations, issues with computers that have otherwise lost their trust to the domain after only being disconnected and no other changes being made. Not sure why and could not really get a straight answer through the research I did yesterday.
Scottd: So long as the user logs in initially when it IS on the domain, I've not had any issues.
Describes the best practices, location, values, policy management and security considerations for the Network access: Do not allow storage of passwords and credentials for network authentication security policy setting.
This security setting determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication. Credential Manager will store passwords and credentials on this computer for later use for domain authentication.
It is a recommended practice to disable the ability of the Windows operating system to cache credentials on any device where credentials are not needed. Evaluate your servers and workstations to determine the requirements. Cached credentials are designed primarily to be used on laptops that require domain credentials when disconnected from the domain.
The following table lists the actual and effective default values for this policy. A restart of the device is required before this policy will be effective when changes to this policy are saved locally or distributed through Group Policy.
If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
Passwords that are cached can be accessed by the user when logged on to the device.
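As an added example (not part of the Microsoft documentation or the forum thread above), the following PowerShell script reads the registry values that back the two policy settings discussed on this page and reports them against the page's guidance (0 cached logons for servers, 2 for mobile users, credential storage disabled where not needed). The registry paths and value names (CachedLogonsCount, DisableDomainCreds), the assumed default of 10 cached logons when the value is absent, and the mapping of "workstation" to "mobile user" are assumptions made for this example.

```powershell
# Added audit script; not from the Microsoft documentation quoted above.
# Assumed: standard Winlogon/Lsa registry locations, a Windows default of 10
# cached logons when CachedLogonsCount is absent, and that every workstation
# is treated as a mobile device for the purpose of the page's "2" guidance.

$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$lsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the value is absent, so a missing policy is reported rather than thrown on.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Assess-CachedLogons {
    # $Role is 'Server' (page recommends 0) or 'Mobile' (page suggests 2 for mobile users).
    param([string]$Role)
    $raw   = Get-RegValue -Path $winlogonKey -Name 'CachedLogonsCount'   # REG_SZ, e.g. "10"
    $count = if ($null -eq $raw) { 10 } else { [int]$raw }                 # assumed default of 10
    if ($Role -eq 'Server') {
        if ($count -eq 0) { return "OK: server caches no logon information (CachedLogonsCount=$count)" }
        return "Review: server caches logon information for $count users; page recommends 0"
    }
    # Mobile / end-user device: 0 means no logon at all when no domain controller is reachable.
    if ($count -eq 0) { return 'Warning: 0 cached logons; users cannot log on without a domain controller' }
    if ($count -le 2) { return "OK: $count cached logons on an end-user device (page suggests 2)" }
    return "Review: $count cached logons; page suggests 2 for mobile users"
}

function Assess-DomainCredStorage {
    # 'Network access: Do not allow storage of passwords and credentials' -> REG_DWORD DisableDomainCreds
    $val = Get-RegValue -Path $lsaKey -Name 'DisableDomainCreds'
    if ($val -eq 1) { return 'OK: Credential Manager does not store domain credentials (DisableDomainCreds=1)' }
    return 'Review: Credential Manager may store domain credentials (DisableDomainCreds absent or 0)'
}

# Derive the role from the OS product type: 1 = workstation, 2 = domain controller, 3 = server.
$productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
$role = if ($productType -eq 1) { 'Mobile' } else { 'Server' }

Assess-CachedLogons -Role $role
Assess-DomainCredStorage
```

Run it as an administrator on the machine being audited; the result lines are meant to be collected from several machines and compared against the roles your own evaluation of servers and workstations assigns them.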