Domain cached password
16 years 7 months ago #25497
by skepticals
Domain cached password was created by skepticals
I know that if I join a computer to a domain and take that computer off the network (by unplugging it) I can still use the domain username and password to log in.
Is there a timeout period for this? I would think that the cached credentials would eventually expire and need to communicate with the domain controller eventually. Maybe not.
Thanks.
16 years 7 months ago #25500
by Banned
Replied by Banned on topic Re: Domain cached password
I know that if I join a computer to a domain and take that computer off the network (by unplugging it) I can still use the domain username and password to login.
Is there a timeout period for this? I would think that the cached credentials would eventually expire and need to communicate with the domain controller eventually. Maybe not.
Thanks.
Check Cached Credentials Security In Windows Server 2003, in Windows XP, and in Windows 2000
Cached Domain Logon Information
Notice: This User Has Been Banned From Accessing This Domain. Be Cautious And Risk On Your Own.
16 years 7 months ago #25501
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: Domain cached password
It can be controlled in Group Policies, i.e. disabled.
16 years 7 months ago #25504
by KiLLaBeE
Replied by KiLLaBeE on topic Re: Domain cached password
Computer configuration > Windows Settings > Security Settings > Local Policies > Security Options, and "Interactive logon: Number of previous logons to cache..."
I disable it in my home lab because it can mislead you in troubleshooting network issues.
Also note that if you leave the computer disconnected from the network for more than thirty days, at one point you'll need to reconnect it and possibly reset the computer account so it could "resync" with the DC (or just drop and add it back onto the domain). Basically, computers maintain a secure, password-protected connection between themselves and the DC; when the communication is broken (leaving a computer disconnected for too long), the communication path is broken.
That's just to continue your train of thought on the cache expiring idea.
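The setting named in the reply above can also be read back from PowerShell to confirm what a machine is actually using. This is an added example, not part of the original posts; it assumes the policy is stored in the `CachedLogonsCount` value under the Winlogon key and that PowerShell remoting is enabled for remote hosts, and the function name and `MaxAllowed` baseline are hypothetical.

```powershell
# Added example (not from the thread): report the effective cached-logon setting.
function Get-CachedLogonPolicy {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # Hypothetical baseline: highest count you accept (0 = caching disabled).
        [ValidateRange(0, 50)][int]$MaxAllowed = 0
    )

    # Reads the value behind "Interactive logon: Number of previous logons to cache".
    $probe = {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    }

    foreach ($computer in $ComputerName) {
        $count = $null
        $status = $null
        try {
            $raw = if ($computer -eq $env:COMPUTERNAME) { & $probe } else {
                Invoke-Command -ComputerName $computer -ScriptBlock $probe -ErrorAction Stop
            }
            $parsed = 0
            if ($null -eq $raw) {
                # Value absent: assume the default of 10 mentioned in the thread.
                $count = 10
            } elseif ([int]::TryParse([string]$raw, [ref]$parsed)) {
                $count = $parsed
            } else {
                $status = "Unparseable value '$raw'"
            }
        } catch {
            $status = "Unreachable: $($_.Exception.Message)"
        }

        if ($null -eq $status) {
            if ($count -eq 0) { $status = 'Caching disabled' }
            elseif ($count -le $MaxAllowed) { $status = 'Within baseline' }
            else { $status = 'Exceeds baseline' }
        }
        [pscustomobject]@{ Computer = $computer; CachedLogons = $count; Status = $status }
    }
}

# Check the local machine against a baseline of at most 2 cached logons.
Get-CachedLogonPolicy -MaxAllowed 2
```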
16 years 7 months ago #25520
by S0lo
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
Replied by S0lo on topic Re: Domain cached password
It's very misleading and sometimes causes havoc when users are expected to log in to multiple machines frequently. In my workplace (University) students are expected to log in to any PC in the lab.
Picture this: a student logs in to one PC and makes some changes to one of his Word documents. Logs off, saving his profile and document to the DC safely. The next day the student sits on another empty chair and logs in, but the PC (for some reason) was disconnected, say because of a pulled-out UTP cable or a switch port that was malfunctioning. Eventually, he logs in with an old cached profile (not realizing it, of course) and finds out that all the changes that he made yesterday were gone. He gets frustrated!! He retypes his changes and adds more and more. Logs off. Comes the next day to the first PC (which was connected), logs in, and finds out that he got back his old changes but not the changes that he made yesterday. :x :x
A very bad default behavior in my opinion.
16 years 7 months ago #25521
by skepticals
Replied by skepticals on topic Re: Domain cached password
Thanks for the information.
I see that the default is 10 previously used logins. Does this mean that a user could log in cached forever? Or would even these 10 cached credentials expire?