jjjdavidson said:
When a workstation is disconnected from its domain, you can still sign on
using a domain account name. Obviously the domain password is stored locally
somewhere, but where?
I have to attach a borrowed computer to our domain temporarily, and I want
to make sure that no domain passwords remain on it when we return it. Is it
sufficient to delete the user profiles created in C:\Documents and Settings,
or is there something else I'll have to clean up?
Thanks!
Hi
Cached logon is controlled by the following registry value:
ValueName: CachedLogonsCount
Data Type: REG_SZ
Values: 0 - 50
under the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
If the value does not exist, the system defaults to the value 10.
Setting it to 0 will stop it from saving the cached credentials.
Note that CachedLogonsCount is the number of users for whom the computer
should remember cached credentials, not how many times a user can log on
with cached credentials in a row.
More here:
Microsoft Windows 2000 Security Hardening Guide
Chapter 5 - Security Configuration
http://www.microsoft.com/technet/security/prodtech/win2000/win2khg/05sconfg.mspx
<quote>
Disable Caching of Logon Information
Security Objective: Windows 2000 has the capability to cache logon
information. If the Domain Controller cannot be found during logon
and the user has logged on to the system in the past, it can use
those credentials to log on. This is extremely useful, for example,
on portable computers, which need to be used when the user is away
from the network. The CachedLogonsCount Registry value determines
how many user account entries Windows 2000 saves in the logon cache
on the local computer. The logon cache is a secured area of the
computer and the credentials are protected using the strongest form
of encryption available on the system. If the value of this entry
is 0, Windows 2000 does not save any user account data in the logon
cache. In that case, if the user's Domain Controller is not
available and a user tries to log on to a computer that does not
have the user's account information, Windows 2000 displays the
following message:
The system cannot log you on now because the domain <Domain-name>
is not available.
If the Administrator disables a user's domain account, the user
could still use the cache to log on by disconnecting the net cable.
To prevent this, Administrators may disable the caching of logon
information. The default setting allows caching of 10 sets of
credentials.
Recommendation: Set this to at least 2 to ensure that the system
is usable while the domain controllers are down or unavailable.
</quote>
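As an added example (not part of the original reply or the Microsoft guide), the following PowerShell script audits the CachedLogonsCount value described above and, only when asked, sets it to 0 so no further domain credentials are cached on the borrowed machine. It assumes an elevated PowerShell session; the `-Apply` and `-Desired` parameters are this script's own, not Windows settings.

```powershell
# Added example: audit and harden the CachedLogonsCount REG_SZ value under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
# Assumes PowerShell is run as Administrator. -Apply and -Desired are
# parameters of this script, not Windows settings.
param(
    [switch]$Apply,                           # without -Apply, report only
    [ValidateRange(0, 50)][int]$Desired = 0   # 0 = cache no domain credentials
)

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name = 'CachedLogonsCount'

# Read the current setting; if the value is absent, Windows defaults to 10.
$prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    $current = 10
    Write-Host "$name is not set; the Windows default of 10 cached logons applies."
} else {
    $current = [int]$prop.$name
    Write-Host "$name is currently '$($prop.$name)' (REG_SZ)."
}

if ($current -eq $Desired) {
    Write-Host "Already set to $Desired; nothing to change."
    return
}

if (-not $Apply) {
    Write-Warning "Would set $name to $Desired (currently $current). Re-run with -Apply to change it."
    return
}

# Record the previous value so the original setting can be restored later.
$backup = Join-Path $env:TEMP 'CachedLogonsCount.previous.txt'
"$current" | Set-Content -Path $backup

# The value is a REG_SZ holding a decimal string, so write it as String, not DWord.
# Set-ItemProperty creates the value if it does not yet exist.
Set-ItemProperty -Path $key -Name $name -Value "$Desired" -Type String
Write-Host "Set $name to $Desired (previous value saved to $backup)."
```

Run it once without `-Apply` to see the current state, then with `-Apply` before the first domain logon on the borrowed machine, so the setting is in place before any credentials could be cached.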