Saturday, January 20, 2007

Cached credentials

After a user has successfully logged into the domain, the logon information is cached. The next time the user logs on to the computer with the domain account, they can be authenticated even if the domain controller that authenticated them is unavailable, because the user has already been authenticated and Windows can use the cached credentials to log the user on locally. This is common with road warriors who log into the domain on their laptops: when they are away from the office and no DC is available, Windows uses the cached credentials from the previous logon to log the user on locally and to allow access to local computer resources.
Cached domain credentials are used by the OS and are authenticated by the Local Security Authority (LSA). The domain credential is normally created when the user logs into the domain and a Kerberos ticket is registered . . .
Cached domain credentials provide additional functionality, including Single Sign-On (SSO) and access to resources when no DC is available. SSO uses the credentials that the OS obtains during an interactive domain logon to let the user authenticate to the domain once. After this authentication, the user has access to all the network resources they have permissions to, without having to provide their credentials again. These resources can be located throughout an enterprise and in different domains.
This works for Windows 2000, XP and 2003. If you want to enable a message to the user when no DC is available, see http://support.microsoft.com/default.aspx?scid=kb;en-us;242536
When you log on to Windows NT using cached logon information and the domain controller is unavailable to validate your account, you cannot access network resources that require domain validation. You can still access network resources that do not require domain validation.
Through the registry and a resource kit utility (Regkey.exe), you can change the number of previous logons that a server will cache. By default, Windows NT remembers the 10 most recent logons. The valid range for this parameter is 0 to 50: a value of 0 turns off logon caching, and any value above 50 still caches only 50 logons.
Cached logon information is controlled by the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Value name: CachedLogonsCount
Data type: REG_SZ
Values: 0 - 50
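As an added example (not code from the original post), here is a PowerShell audit of the CachedLogonsCount setting described above. It applies the same rules the post gives: an absent value means the default of 10, 0 disables caching, and anything above 50 behaves as 50. The function names and the $MaxAllowed threshold are my own assumptions, not Windows or Microsoft conventions.

```powershell
# Added example: read, evaluate and set CachedLogonsCount.
# Assumes an elevated PowerShell session on a domain-joined Windows host.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-EffectiveCachedLogonsCount {
    # Returns the number of logons Windows will actually cache, using the
    # rules from the article: missing value = 10, 0 = off, >50 capped at 50.
    param([string]$Key = $WinlogonKey)
    $item = Get-ItemProperty -Path $Key -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }
    $raw = 0
    # The value is stored as REG_SZ, so a non-numeric string is possible;
    # treat it as "unparseable" and fall back to the documented default.
    if (-not [int]::TryParse([string]$item.CachedLogonsCount, [ref]$raw)) { return 10 }
    if ($raw -lt 0)  { return 0 }
    if ($raw -gt 50) { return 50 }
    return $raw
}

function Test-CachedLogonsPolicy {
    # Flags hosts that cache more logons than a site policy allows.
    # $MaxAllowed is a constructed example threshold; pick your own.
    # Laptops that must log on with no DC reachable need a value above 0.
    param([int]$MaxAllowed = 2)
    $effective = Get-EffectiveCachedLogonsCount
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        CachedLogonsCount = $effective
        Compliant         = ($effective -le $MaxAllowed)
    }
}

function Set-CachedLogonsCount {
    # Writes the value as REG_SZ, exactly as the article documents it.
    param([ValidateRange(0, 50)][int]$Count, [string]$Key = $WinlogonKey)
    Set-ItemProperty -Path $Key -Name 'CachedLogonsCount' -Value ([string]$Count) -Type String
}

# Usage: report the current state; the change takes effect on the next logon.
Test-CachedLogonsPolicy
```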
Also see: An Attacker with Physical Access to Your Computer May Be Able to Access Your Files and Other Data, http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;818200