Active Directory Cached Credentials Overview


When a user logs on to a computer with a domain account, the entered credentials are passed to the nearest domain controller for authentication. If no domain controller is reachable on the network, nothing can verify the credentials, the user cannot log on, and after the password is entered the following message is displayed:

There are currently no log on servers available to service the logon request


To avoid this situation, the user’s credentials can be saved in a local cache on the computer after a successful logon. This allows users to log on with domain cached credentials and access the local resources of the computer even when the domain controller cannot be reached.

Tip. To be precise, the credentials themselves (login and password) are not cached; only an MD5 hash of the password is stored, modified with a salt generated from the user name. The cached data is stored in the HKLM\SECURITY\Cache registry key, which is accessible only to the SYSTEM account. It is also important to note that the lifetime of this cache on the computer is not limited.


Each entry in this key contains information about the user (username, profile path, home directory, etc.), the domain (name, SID, last access time, etc.) and the hashed user password.


The CachedLogonsCount registry value controls the caching behaviour. It is located in the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and specifies the number of unique users whose credentials are stored locally. By default the value is 10, which means the following: the credentials of the last 10 users who logged on to the system are kept, and when an eleventh user logs on to the computer, the cached credentials of the first user are overwritten.


You can manage the value of CachedLogonsCount centrally using Group Policy. To do this, create a new GPO (or open an existing one), go to the Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options section and find the policy Interactive logon: Number of previous logons to cache (in case domain controller is not available).


By default this policy is not defined, so all computers use the default value. To change it, enable the policy and specify the required value in the range from 0 to 50. A value of 0 means that credential caching is forbidden; with this setting, logon to the local system is not possible when the domain controller is unavailable or the computer is disconnected from the network.



In theory, an attacker with physical access to the computer has the opportunity to use the saved credentials, so for better security it is recommended to disable local caching. An exception can be made for mobile devices (laptops, tablets, etc.) that are used both inside and outside the corporate network. For such computers the number of cached credentials can be set to 1, which allows only the last logged-on user to sign in.
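As an added example (not part of the original article), the following PowerShell script reads the effective CachedLogonsCount value from the Winlogon key described above, reports whether it meets a baseline matching the recommendation just given (0 for stationary machines, 1 for mobile devices), and can set the value locally. The baseline values, the fleet-audit computer names and the function names are assumptions chosen for illustration; they are not part of the article.

```powershell
# Added example, not from the original article. Audits and optionally corrects the
# CachedLogonsCount setting. Assumes Windows PowerShell 5.1+ and local administrator
# rights. Baseline values and computer names below are constructed for illustration.

function Get-CachedLogonsCount {
    # Returns the effective number of cached logons. The value is stored as REG_SZ;
    # when it is absent, Windows uses its built-in default of 10.
    param(
        [string]$Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    $item = Get-ItemProperty -Path $Key -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = 10; Source = 'Default (value not set)' }
    }
    $parsed = 0
    if (-not [int]::TryParse([string]$item.CachedLogonsCount, [ref]$parsed)) {
        # A non-numeric string would be a sign of tampering or a broken policy template.
        return [pscustomobject]@{ Value = $null; Source = "Unparseable: '$($item.CachedLogonsCount)'" }
    }
    [pscustomobject]@{ Value = $parsed; Source = 'Registry' }
}

function Test-CachedLogonsCount {
    # Compares the effective value against a maximum allowed by a hypothetical baseline
    # (0 for desktops, 1 for laptops/tablets, following the recommendation in the article).
    param(
        [Parameter(Mandatory)][ValidateRange(0, 50)][int]$Maximum
    )
    $current = Get-CachedLogonsCount
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Current      = $current.Value
        Source       = $current.Source
        Maximum      = $Maximum
        Compliant    = ($null -ne $current.Value -and $current.Value -le $Maximum)
    }
}

function Set-CachedLogonsCount {
    # Writes the value locally as REG_SZ, the type Windows expects. The Group Policy
    # setting "Interactive logon: Number of previous logons to cache" writes this same
    # value, and a GPO re-applies its own value at the next refresh, so on domain
    # members the GPO is the authoritative place to change it.
    param(
        [Parameter(Mandatory)][ValidateRange(0, 50)][int]$Count
    )
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
        -Name 'CachedLogonsCount' -Value "$Count" -Type String
}

# Usage: report compliance against a desktop baseline (no caching) and a laptop baseline (1).
Test-CachedLogonsCount -Maximum 0 | Format-List
Test-CachedLogonsCount -Maximum 1 | Format-List

# Fleet-wide audit (hypothetical computer names; requires WinRM on the targets).
# The function hard-codes its registry path so it can be shipped to remote sessions as-is.
# $computers = 'PC01', 'LAPTOP02'
# Invoke-Command -ComputerName $computers -ScriptBlock ${function:Get-CachedLogonsCount}
```

Because CachedLogonsCount is a REG_SZ rather than a DWORD, the script parses it explicitly and flags anything that is not a whole number; an absent value is reported as the built-in default of 10, which is exactly the state of a machine where the policy is "Not Defined".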

