When an Active Directory (AD) domain controller is unavailable to authenticate and validate a user account, whether because the client computer is not connected to the domain’s network or because the domain controller is down, the user can still log on to the computer because the user’s logon information is cached. This allows access to network resources that do not require domain validation.

If a domain controller is unavailable and a user’s login information is cached, the user will be prompted with a dialog that says:

A domain controller for your domain could not be contacted. You have been logged on using cached account information. Changes to your profile since you last logged on may not be available.

Administrators or management may want to enforce a rule that every logon request to the client computer must be authenticated and validated by a domain controller. To do so, it’s possible to reduce, or even eliminate, the number of cached logons that Windows saves, down to 0 (zero).

By default, all versions of Windows, including Windows 7 and Windows Vista, remember 10 cached logons, except Windows Server 2008 and Windows Server 2008 R2, which remember 25 cached logons instead. Through the system registry, a user can change the number of previous logon attempts that a server will cache; the valid range of values for this parameter is 0 to 50. A value of 0 turns off logon caching, and any value above 50 will only cache 50 logon attempts.

To change the cached logons value, follow these steps:

  1. Run Registry Editor (RegEdit).
  2. Navigate to the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

  3. In the right pane, right-click on a blank space, and create a New String Value (REG_SZ) registry value named CachedLogonsCount.

    Note: Skip this step if “CachedLogonsCount” is already defined.

  4. Set CachedLogonsCount to a value between 0 and 50, both inclusive, which represents how many previous login credentials the system should remember.

    To disable cached logins, set the value data to 0 (zero).

With caching disabled, the user is prompted with this message when attempting to log in without a domain controller in sight:

The system cannot log you on now because the domain is not available.
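
The same registry change can be audited and applied from an elevated PowerShell prompt. This is an added example, not part of the original article; the helper names `Get-CachedLogonsSetting` and `Set-CachedLogonsCount` are hypothetical, while the key path, value name, REG_SZ type and 0 to 50 range are the ones given in the steps above.

```powershell
# Added example: audit and set CachedLogonsCount (requires an elevated prompt).
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'CachedLogonsCount'

function Get-CachedLogonsSetting {
    # Reports the raw value, its registry type, and the count Windows will honour.
    $key = Get-Item -Path $WinlogonKey
    if ($key.GetValueNames() -notcontains $ValueName) {
        return [pscustomobject]@{ Defined = $false; Raw = $null; Kind = $null; Effective = $null }
    }
    $raw    = $key.GetValue($ValueName)
    $kind   = $key.GetValueKind($ValueName)
    $parsed = 0
    $effective = $null
    if ([int]::TryParse([string]$raw, [ref]$parsed) -and $parsed -ge 0) {
        # Per the article, any value above 50 only caches 50 logons.
        $effective = [Math]::Min($parsed, 50)
    }
    [pscustomobject]@{ Defined = $true; Raw = $raw; Kind = $kind; Effective = $effective }
}

function Set-CachedLogonsCount {
    param(
        [Parameter(Mandatory)]
        [ValidateRange(0, 50)]   # valid range stated in the article
        [int]$Count
    )
    # -Force creates the value if missing or overwrites it, always as REG_SZ.
    New-ItemProperty -Path $WinlogonKey -Name $ValueName `
        -PropertyType String -Value "$Count" -Force | Out-Null
}

$before = Get-CachedLogonsSetting
if (-not $before.Defined) {
    Write-Output "$ValueName is not defined; the Windows default applies."
} elseif ($before.Kind -ne 'String' -or $null -eq $before.Effective) {
    Write-Warning "Unexpected $ValueName data '$($before.Raw)' of type $($before.Kind)."
} else {
    Write-Output "Current cached logons: $($before.Effective)"
}

# Disable cached logons, then read the value back to confirm the change.
Set-CachedLogonsCount -Count 0
$after = Get-CachedLogonsSetting
Write-Output "New cached logons: $($after.Effective) (type $($after.Kind))"
```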
