
Interactive logon: Number of previous logons to cache (in case domain controller is not available)

Normally, when you attempt to log on to a Windows member computer with a domain account, the computer verifies your credentials with a domain controller in real time over the network. But if no domain controller is available, such as when traveling with a laptop, Windows will still allow you to log on with domain credentials, provided you have recently logged on with those credentials while the computer was still able to communicate with a domain controller. This is accomplished with cached credentials. By default, Windows caches a hash of the credentials of the last 10 successful domain account logons. When you attempt to log on with a domain account and the computer cannot reach a domain controller, it searches these cached credentials to see if you recently logged on; if so, it can verify the user name and password you just entered without communicating with the domain controller.

Note that this setting does not control how many times you can log on with cached credentials; you can log on indefinitely with cached credentials. This setting controls how many successful domain logons the computer remembers. Also, Windows does not cache distinct credentials, just the last X logon attempts. For a typical workstation used by one person, all 10 or so cached credentials will be for that same user.

If more than one user uses this computer and you want all such users available for cached logon, you may consider increasing this value. The default is 10; you can increase it up to a maximum of 50. If you configure a larger value, Windows ignores it and caches the last 50 logons. If you configure this setting as 0, you are disabling cached logons: if the computer can't reach a domain controller, you will only be able to log on with a local account.
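As an added example (not from this page), the following PowerShell audit reports the effective value of this setting on the local computer using the rules above (absent = default 10, 0 = disabled, anything above 50 = capped at 50). It assumes the policy is backed by the Winlogon registry value CachedLogonsCount under HKLM, which the page itself does not name.

```powershell
# Added audit example, not part of the WinSecWiki page.
# Assumption: the policy is stored as the REG_SZ value CachedLogonsCount
# under the Winlogon key (standard Windows location, not stated on the page).
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name = 'CachedLogonsCount'

function Get-EffectiveCachedLogons {
    param([string]$Configured)   # $null or '' when the value is absent
    # Absent value: Windows uses the default of 10 (per the page).
    if ([string]::IsNullOrEmpty($Configured)) { return 10 }
    $n = [int]$Configured
    # Values above 50 are ignored; Windows keeps the last 50 logons.
    if ($n -gt 50) { return 50 }
    return $n
}

# Read the configured value; $raw stays $null if the value does not exist.
$raw = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
$effective = Get-EffectiveCachedLogons -Configured $raw

if ($effective -eq 0) {
    Write-Output 'Cached logons DISABLED: domain accounts cannot log on when no DC is reachable.'
} else {
    Write-Output "Cached logons enabled: the last $effective successful domain logons are remembered."
}
if (-not [string]::IsNullOrEmpty($raw) -and [int]$raw -gt 50) {
    Write-Output "Configured value $raw exceeds the maximum; Windows caps it at 50."
}
```

Run it in an elevated PowerShell session on a workstation to confirm that the GPO you applied actually produced the expected effective value.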

Cached logons make it unnecessary to create local accounts for users who travel.

Windows does not store the actual password or password hash; it stores a hash of the logon credentials. Cached credentials are secure and do not open any known vulnerabilities, even if an attacker has physical access to the computer.

Note: Like all "Interactive logon:" policies, this policy is a workstation-level policy. It needs to be defined in a GPO that gets applied to workstations, such as Default Domain Policy. If you only configure this policy on the domain controllers, such as with Default Domain Controllers Policy, you will only affect users logging on at the console of the domain controller. You should also configure this policy on Terminal Servers accessible to end users.

Bottom line

Don't disable this setting by configuring it as 0 unless you can live with no domain account logons when a domain controller is unavailable. If you have multiple users logging on to this computer while it is disconnected from the network, you may consider increasing this setting to 50.
