Active Directory Cached Credentials Overview

When log on to a computer with a domain account the user enters credentials, which are passed to the nearest domain controller for authentication. If there are no available domain controllers in the network, then there is no one can verify the credentials and the user cannot logon to the system, and after entering the password, the message is displayed:

There are currently no log on servers available to service the logon request

cached credentials

To avoid this situation, after a successful login, the user’s credentials can be saved in the local cache on computer. This allows users to log on with domain cached credentials and access local resources of the computer even if the connection to the domain controller is not available.

Tip. To be precise, the credentials (login and password) are not cached, but only the MD5 hash of the password, modified with salt, which is generated based on the user name. Cached data is stored in the HKLM\SECURITY\Cache registry key, which is accessible only to SYSTEM account. It is also important to mention that the lifetime of this cache on the computer is not limited.

Cached Credentials in Active Directory on Windows 10

Each entry in this key contains information about the user (username, profile path, home directory, etc.), domain (name, SID, last access time, etc.) and a hashed user password.

The CashedLogonsCount registry key is responsible for the caching capability. This parameter is located in the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. This parameter specifies the number of unique users whose credentials are stored locally. By default, the value of the parameter is 10 and this means the following: the credentials are stored for the last 10 users logged on to the system, and when the eleventh user logs on to the computer, the cached credentials of the first user will be overwritten.

cached credentials windows 10

You can manage the value of CashedLogonsCount centrally, using Group Policy. To do this, create a new GPO (or open an existing one), go to the Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options section and find the Interactive logon: Number of previous logons to cache (in case domain controller is not available).

domain cached credentials

By default, this policy is not defined, respectively, on all computers the default value is used. To change it, you need to enable this policy and specify the required value in the range from 0 to 50. A value of 0 means the caching of credentials is forbidden, respectively, at this value, logon to the local system is not possible when the domain controller is unavailable or computer disconnected from network.

domain cached credentials windows 10

In theory, if there is physical access to the computer, an attacker has the opportunity to use saved credentials, it is recommended to disable local caching for better security. An exception can be made for mobile devices (laptops, tablets, etc.) that used both from inside the corporate network and outside it. For such computers, the number of saved cached credentials can be set to 1. This allows only the last user to log on to the system.

You may also like:

Installing Active Directory Users and Computers MM... One of the main Active Directory domain management tools is the MMC snap-in Active Directory Users and Computers (ADUC). The ADUC snap-in is used to p...
Change Default OU permissions in Active Directory By default, each newly created organizational unit (OU) in the access list includes read permission for the group Authenticated Users (built-in group)...
How to transfer FSMO Roles From a Failed Domain Co... In case domain controller, which owns FSMO (Flexible Single Master Operation) roles, is fail (virus attack, fatal software problems or catastrophic ha...
FSMO Role: Infrastructure Master We continue the series of articles about FSMO roles in the Active Directory domain. This time, we will take a closer look at the FSMO role — Infrastru...
How to hide specific OU in Active Directory The first thing you see while opening Active Directory Users and Computers (ADUC) snap-in is AD containers (Organization Unit, OU), in which user acco...

Add Your Comment