Is there a limit on how long a machine will cache AD creds for offline logon?

Discussion in 'Business & Enterprise Computing' started by synoptica, Jun 15, 2017.

  1. synoptica

    synoptica Member

    Joined:
    May 26, 2002
    Messages:
    2,378
    Location:
    St Kilda East, Vic
    Hi all,

Just had a client advise that a machine that's not on the LAN (but domain joined - user is travelling) can no longer log in (W10 Pro). He's only been offline for a week, and has been logging in successfully up until around 24 hours ago (now getting the 'there are no logon servers available to process this request' message).

    While I'm always inclined to point the finger at user error for login issues, I thought I'd double check in case there's been a change that I've missed.

Are there any restrictions that are on by default (2016 functional level, if that's relevant) that would prevent AD credentials being cached for offline login for more than a week?

    Any advice appreciated as always :)
     
    Last edited: Jun 15, 2017
  2. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    4,253
    Location:
    NSW
Not 100% on Win10, but all previous versions cached it for basically infinity. There was the tombstone limit on the DC if, say, the laptop was offline for whatever period it was (60 or 90 days?) that meant you would have to rejoin it to the domain if you dropped it back onto the network, but if it is permanently offline, it was usually no issue to log in on a cached credential.
     
  3. synoptica

    synoptica Member

    Joined:
    May 26, 2002
    Messages:
    2,378
    Location:
    St Kilda East, Vic
Thanks mate - this has always been my experience too. I've had machines offline for literally years that still sign in using (long since expired) domain credentials.

    I can only assume some user error at this point!
     
  4. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    4,253
    Location:
    NSW
I'm guessing wrong username.
     
  5. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    9,914
    It will only cache a total of 10 credentials though.

    So if you had a situation where you had an offline laptop that needed more than 10 users, you'd need to adjust CachedLogonsCount in the registry.
     
  6. synoptica

    synoptica Member

    Joined:
    May 26, 2002
    Messages:
    2,378
    Location:
    St Kilda East, Vic
    Yeah, that's my suspicion, too. The affected user is being instructed by someone reasonably competent and assures me it's not the case... but yeah, I'm not ruling it out!

    Definitely not exceeded; the user has been logging on for the past week without issue. They'd have seen three different logins at worst!
     
  7. EvilGenius

    EvilGenius Member

    Joined:
    Apr 26, 2005
    Messages:
    9,157
    Location:
Rocky
    Status:
    Folding!
They haven't joined to, like, hotel wifi or something and have the thing sitting there at a locked screen prompt instead of the login prompt? Is there a wifi switch on it they can turn off?
     
  8. synoptica

    synoptica Member

    Joined:
    May 26, 2002
    Messages:
    2,378
    Location:
    St Kilda East, Vic
Even if so, I'd have said the machine would try to reach the DC for the domain to which it's joined, and if that fails, fall back to cached creds, right?
     
  9. g00nster

    g00nster Member

    Joined:
    Sep 10, 2004
    Messages:
    293
    Location:
    Melbourne
We've just started using cached creds for Surface Pros on Win 10 (1703) and when connected to any WiFi it'll fail to use cached creds.

    As a workaround we've told staff to disable WiFi (or 4G Modems) until after login.
     
  10. synoptica

    synoptica Member

    Joined:
    May 26, 2002
    Messages:
    2,378
    Location:
    St Kilda East, Vic
    Fuck, really? That's really, really stupid. So if you take your laptop home from work, you can't log in if it automatically connects to your WiFi... seriously?

    That definitely hasn't been a thing previously, I'm sure of it.
     
  11. g00nster

    g00nster Member

    Joined:
    Sep 10, 2004
    Messages:
    293
    Location:
    Melbourne
    I can't confirm if it's supposed to do that, but it does/has for us.
     
  12. EvilGenius

    EvilGenius Member

    Joined:
    Apr 26, 2005
    Messages:
    9,157
    Location:
Rocky
    Status:
    Folding!
My experience: connected to any network it will fail with cached creds. YMMV, I have no idea how it's *supposed* to work.
     
  13. Cthom

    Cthom Member

    Joined:
    Nov 11, 2016
    Messages:
    75
Seriously, how can this occur?

Same thing happened with me. I'm always inclined to point the finger at user error for login issues, but I thought I'd double check in case there's been a change that I've missed.
     
  14. 7nothing

    7nothing Member

    Joined:
    Feb 15, 2002
    Messages:
    1,374
    Location:
    Brisbane
    Dubious if using standard user accounts, unless you have a DC that'll resolve and accept connections from the internet :p

    Tombstoning is only for DCs. Member/workstation accounts will have expired passwords, but presumably just generate a new one as soon as they connect back to a DC, as I've had stuff offline for years and 0 domain trust issues when bringing back online.
     
  15. pantner

    pantner Member

    Joined:
    Aug 31, 2004
    Messages:
    2,174
    Location:
    Perth, WA
That certainly shouldn't be happening. I work at a school, and all the students and most of the staff (including me) have SP3s/SP4s.

    If this happened with cached credentials then we would be in biiiiiiig trouble!

    OP - is there a local (Non Domain) user account the user could've logged on as which broke the cached credential?

    EDIT- How has Windows/Office been activated? KMS?
     
  16. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    9,914
Perhaps if it's on a network with a captive portal? Or pointed at a DNS server that resolves all names?
     
  17. DonutKing

    DonutKing Member

    Joined:
    Mar 21, 2004
    Messages:
    1,062
    Location:
    Tweed/Gold Coast
    I've seen funny behaviour from this too, my cached creds usually work on my wifi at home, but recently I was on a site and had a saved wifi password for the guest network there - couldn't log in to Windows due to no logon servers. Disconnecting from the network didn't resolve it either, ended up having to use local admin.
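A diagnostic script added here as an example (not posted by anyone in the thread): it reads the CachedLogonsCount setting PabloEscobar mentions and shows whether the machine can currently locate a DC, which is the question behind the "no logon servers" reports above. It assumes an elevated PowerShell session on the affected domain-joined Windows 10 machine; nltest.exe and Test-ComputerSecureChannel ship with Windows.

```powershell
# Added example: check cached-logon policy and DC reachability on a domain-joined client.
# Run elevated on the affected machine, ideally from the network where logon fails.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# CachedLogonsCount is a REG_SZ; Windows defaults to 10 when it is absent, valid range 0-50.
# 0 disables cached logons entirely, so an offline sign-in would always fail.
# GPO "Interactive logon: Number of previous logons to cache" writes the same value.
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10 (value absent, Windows default)' }
Write-Host "CachedLogonsCount: $cached"

# To allow more than 10 distinct cached users on a shared laptop, raise the value.
# Keep it at the minimum the device actually needs: every cached verifier is a
# credential artefact stored on disk.
# Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value '20' -Type String

# Domain membership as the machine itself sees it.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
Write-Host "Domain joined: $($cs.PartOfDomain)  Domain: $($cs.Domain)"
if (-not $cs.PartOfDomain) { return }

# Can a DC be located from this network right now? If this fails, Winlogon should
# fall back to the cache; if it "succeeds" against a captive portal or catch-all DNS
# (the hypothesis raised in the thread), the output shows what was actually found.
$dcOutput = & nltest.exe "/dsgetdc:$($cs.Domain)" 2>&1
$dcFound  = ($LASTEXITCODE -eq 0)
if ($dcFound) {
    Write-Host "DC located:`n$($dcOutput -join "`n")"
} else {
    Write-Host "No DC reachable; cached credentials will be used if present."
}

# The machine account's secure channel only matters once a DC is reachable; a broken
# channel is the "rejoin the domain" case bcann describes, not a cached-logon problem.
if ($dcFound) {
    $ok = Test-ComputerSecureChannel
    Write-Host "Secure channel OK: $ok"
}
```

Running it once on a known-good network and once on the network where logon fails makes it clear whether the cache setting or the DC lookup is the variable that changed.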
     