Comparison of DisableDomainCreds and CachedLogonsCount features in Windows

Initially, I believed that the CachedLogonsCount setting only affected Domain Account logons. However, further research suggests that certain services or drivers may also use this credential caching and potentially overwrite cached domain credentials belonging to the user. As a result, users in our Windows 7 pilot group are currently unable to log in using cached credentials.

Question:

How are the security options found in Computer Configuration >> Windows Settings >> Security Settings >> Local Policies related to each other?

  • Here is the MSDT with code

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount

    and a blockquote:

    Checks if a Windows domain login is possible through cached account data for a user.

  • It is advised to refrain from storing login details and other confidential information required for network authentication.

Is CachedLogonsCount essentially a more detailed approach to policy making, where DisableDomainCreds is equivalent to setting CachedLogonsCount to zero?


Solution:

The CachedLogonsCount setting determines the number of recent local logons that can be cached on the machine for users to sign in when the domain controller is not available. It’s crucial to note that Windows only stores a password hash, not the actual credentials, which serves as a verification method. Therefore, any compromise of the cached information does not provide access to any domain credentials. You can refer to the source for more information.

By enabling DisableDomainCreds, you can control whether a user’s credentials are cached for uninterrupted access to domain resources. If this policy is not enabled, the user will have to re-enter their password each time they access a network resource such as a network share. This feature stores the actual credentials for reference.

To respond to your inquiry, it’s clear that these two mechanisms serve distinct purposes and are not the same.
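To see which of the two mechanisms is in effect on a given host, the following PowerShell audit helper (an added example, not code from the question or the answer) reads both values and reports what each one controls. It assumes the Winlogon path quoted in the question and the well-known Lsa location of DisableDomainCreds (HKLM\SYSTEM\CurrentControlSet\Control\Lsa), which the page itself does not state; run it in an elevated session.

```powershell
# Added audit helper: reports the effective state of the two settings
# discussed above. Registry paths are assumed from Windows documentation,
# not taken from the original answer.

function Get-CachedCredentialPolicy {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'   # assumed location

    # CachedLogonsCount is a REG_SZ; Windows treats a missing value as 10.
    $raw = (Get-ItemProperty -Path $winlogon -Name 'CachedLogonsCount' `
            -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $raw) { $raw = '10' }
    $cachedCount = [int]$raw

    # DisableDomainCreds is a REG_DWORD; missing or 0 means not enforced.
    $flag = (Get-ItemProperty -Path $lsa -Name 'DisableDomainCreds' `
             -ErrorAction SilentlyContinue).DisableDomainCreds
    $disableDomainCreds = ($flag -eq 1)

    # Interpret each value in terms of what the answer says it governs:
    # cached logon verifiers for offline domain sign-in vs. stored
    # credentials reused for network resources.
    $offline = if ($cachedCount -gt 0) {
        "allowed: last $cachedCount interactive domain logons are cached as verifiers"
    } else {
        'blocked: no domain logon is possible while the DC is unreachable'
    }
    $store = if ($disableDomainCreds) {
        'disabled: domain passwords/credentials are not saved; user is re-prompted per resource'
    } else {
        'enabled: saved credentials may be reused for network shares and similar resources'
    }

    [pscustomobject]@{
        CachedLogonsCount   = $cachedCount
        OfflineDomainLogon  = $offline
        DisableDomainCreds  = $disableDomainCreds
        CredentialStorage   = $store
    }
}

Get-CachedCredentialPolicy | Format-List
```

The two fields change independently, which is the point of the answer: CachedLogonsCount set to 0 does not stop stored network credentials, and DisableDomainCreds does not stop offline domain logon.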
