Tech Tip: Disable login caching


So that users can still log in when a domain controller is offline or isn't accessible, each NT workstation caches a number of previous logins. However, this is a potential security risk because users who have been removed from the primary domain controller (PDC) can still log in to workstations they have previously logged in to by disconnecting the machine from the network.

By default, the last 10 logins are cached on the local system. To close this security hole, disable login caching. Here's how:

  1. Start the Registry Editor (Regedit.exe).
  2. Browse to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon.
  3. Find or create a value named CachedLogonsCount with the REG_SZ data type, and set its Value Data to 0.
  4. Exit the Registry Editor, and restart the computer.
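
The same steps as a script, for auditing the setting on many workstations before changing it. This is an added example, not part of the original tip; the -Apply switch and the backup file location are assumptions, and it must be run from an elevated PowerShell session.

```powershell
# Added example: report CachedLogonsCount and, with -Apply, set it to 0.
param(
    [switch]$Apply,   # assumed switch name: without it the script only reports
    [string]$BackupPath = "$env:TEMP\Winlogon-backup.reg"   # assumed backup location
)

$KeyPath   = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$RegExePath = 'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName = 'CachedLogonsCount'
$Desired   = '0'

function Get-CachedLogonsState {
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction Stop
    if ($key.GetValueNames() -notcontains $ValueName) {
        # Value absent: the default of 10 cached logins applies.
        return [pscustomobject]@{ Present = $false; Data = $null; Kind = $null }
    }
    [pscustomobject]@{
        Present = $true
        Data    = [string]$key.GetValue($ValueName)
        Kind    = $key.GetValueKind($ValueName)   # String means REG_SZ
    }
}

$state     = Get-CachedLogonsState
$compliant = $state.Present -and $state.Data -eq $Desired -and $state.Kind -eq 'String'

if (-not $state.Present) {
    Write-Output "$ValueName is not set (default of 10 cached logins applies)."
} else {
    Write-Output "$ValueName = '$($state.Data)' (type $($state.Kind)); compliant: $compliant"
}

if ($Apply -and -not $compliant) {
    # Export the key first so the change can be reverted.
    & reg.exe export $RegExePath $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup failed; no change made." }

    # -PropertyType String writes REG_SZ; -Force replaces an existing value,
    # including one that was created with the wrong type.
    New-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value $Desired `
        -PropertyType String -Force | Out-Null
    Write-Output "Set $ValueName to $Desired; backup at $BackupPath. Restart the computer."
}
```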

You may want to reconsider disabling cached logins on notebook or traveling systems since this feature allows the administrator to support resources centrally, without having to maintain a user database on the local system.

Note: Editing the registry is risky, so be sure you have a verified backup before making any changes.
