Question
Saturday, October 18, 2008 1:31 PM
If CachedLogonsCount (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) has a value other than 0, what information is stored locally on the server? Does Microsoft recommend setting this registry key to zero for security purposes?
Thanks in advance,
Eric Sabo
All replies (4)
Saturday, October 18, 2008 4:13 PM ✅ Answered | 1 vote
CachedLogonsCount sets how many user account entries the OS saves in the logon cache on the local computer. Windows saves the user account data that is used to log on to the computer so the data can be used if the user's domain controller is unavailable. If you set the value of this entry to 0, Windows does not save any user account data in the logon cache, which means that if the domain controller is unavailable, the user will be unable to log in to the machine with his domain credentials.
The risk if this setting has a value greater than 0 is that somebody may try to brute-force the password of the user when the machine is offline. OTOH, if the value is set to 0, you may end up with users being unable to log in when the machine is offline or when a DC is down or having a problem and unable to authenticate the users.
If you are looking at this purely from a security standpoint, setting it to 0 is necessary to reduce risks of system break-in. However, if you are looking at it from a service delivery perspective, a 0 value may cause service disruption when the DC is down.
Regards,
Salvador Manaois III
MCSE MCSA CEH MCITP | Enterprise/Server Admin
Bytes & Badz : http://badzmanaois.blogspot.com
Sunday, October 19, 2008 1:42 PM
Thanks so much for this information. It has been very helpful.
Friday, July 18, 2014 7:01 PM
Would there be any reason you would not want this set to 0 on servers?
I understand that workstations would want it set to something.
Saturday, July 19, 2014 10:00 AM
On Fri, 18 Jul 2014 19:01:30 +0000, jwanner wrote:
> Would there be any reason you would not want this set to 0 on servers?
> I understand that workstations would want it set to something.
Generally speaking it isn't a good idea to change defaults unless you have
a compelling reason to do so. It really doesn't accomplish anything and can
make troubleshooting other issues vastly more difficult.
Paul Adare - FIM CM MVP
Completely pointless fact of the day: One of my rats is called Solaris, due
to the fact it's fat and bloated. The other is called Perl. It's a nervous
insane little animal. -- Ashley Penney
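
The following audit sketch is an added example, not code from any poster in this thread. It reads CachedLogonsCount and compares it with a per-role ceiling, covering the server versus workstation distinction raised above. The function names and the ceilings (10 for workstations, 0 for servers) are assumptions to adjust to your own policy, and the sample inputs at the end are constructed.

```powershell
# Added example. The per-role ceilings are assumptions, not Microsoft guidance.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsFinding {
    param(
        [string]$RawValue,                       # REG_SZ data; empty or $null if the value is absent
        [ValidateRange(1, 3)][int]$ProductType,  # Win32_OperatingSystem.ProductType
        [int]$MaxWorkstation = 10,               # assumed ceiling for workstations
        [int]$MaxServer = 0                      # assumed ceiling for servers and DCs
    )
    $role = switch ($ProductType) { 1 { 'Workstation' } 2 { 'DomainController' } 3 { 'MemberServer' } }
    $max = if ($ProductType -eq 1) { $MaxWorkstation } else { $MaxServer }
    $count = 0
    $status = $null
    $source = 'registry'
    if ([string]::IsNullOrWhiteSpace($RawValue)) {
        # With no value present, Windows falls back to caching 10 logons.
        $count = 10
        $source = 'OS default (value absent)'
    } elseif ((-not [int]::TryParse($RawValue.Trim(), [ref]$count)) -or $count -lt 0 -or $count -gt 50) {
        # The value is stored as a string; the documented range is 0-50.
        $status = 'Invalid'
    }
    if (-not $status) {
        $status = if ($count -le $max) { 'OK' } else { 'ExceedsCeiling' }
    }
    [pscustomobject]@{
        Role = $role; Raw = $RawValue; Count = $count
        Source = $source; Ceiling = $max; Status = $status
    }
}

function Get-LocalCachedLogonsFinding {
    # Reads the live setting and OS role from the machine this runs on.
    $raw = (Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount `
            -ErrorAction SilentlyContinue).CachedLogonsCount
    $type = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
    Get-CachedLogonsFinding -RawValue $raw -ProductType $type
}

# Constructed sample inputs (not taken from the thread): raw registry data and role.
$samples = @(
    @{ Raw = '10'; Type = 1 }, @{ Raw = '10'; Type = 3 },
    @{ Raw = $null; Type = 3 }, @{ Raw = '0'; Type = 3 }, @{ Raw = 'ten'; Type = 1 }
)
$samples | ForEach-Object { Get-CachedLogonsFinding -RawValue $_.Raw -ProductType $_.Type } |
    Format-Table Role, Raw, Count, Source, Ceiling, Status
```

A server with the value absent is reported as ExceedsCeiling, because the effective count is then the default of 10 rather than 0.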