Laptop Cached Logins



Hey all

We're about to set up and install our first Windows Server in work (after a rather long battle)....we're planning on installing and configuring Active Directory.

We have service engineers who are in and out of the office with their laptops all the time. They could be in the office one minute and the other side of the world without a connection to anything the next.

I know you can have laptops and set a large number of cached logins for them but I don't want it to cause any problems for them. Any suggestions?

Thanks

GE


You don't have to do anything special, out of the box they will use cached.

Are you thinking of the cachedlogonscount value?? 0 to 50, default to 10.. That is for the number of accounts it will cache logins for, not the number of times a user can login ;)

I do believe it's unlimited.... I had a friend who had her work laptop at home for years, no longer even worked for the company and was able to login with her domain info just fine.

Have been using laptops from the old NT days before AD, then with AD both 2k, 2k3 and now 2k8 and have never had an issue with laptop users login.

What we have had issues with is them changing the password on the laptop while not connecting to the domain - and then when they come back into the domain they can lock the domain account out ;)

Just let your users know not to change the password unless connected to the domain, be it directly or over a vpn, etc.

edit: I think this is confusing because of the wording MS uses -- they could clearly make it more clear ;) Here, this is a better write-up on it

***********

http://technet.microsoft.com/en-us/library/bb742541.aspx

Managing Cached Logons

Windows 2000 networking is configured so that a user can log on to the network from any workstation on the Active Directory. A problem arises, though, when the network is down for some reason, such as through the inaccessibility of a domain controller. Each Windows 2000 machine, professional, server, or domain controller, stores the last ten user accounts that were successfully used to log on to the network at that workstation. This way, if the network does fail, a user can still log on to some workstation. For security reasons, you may feel that ten is too large a number of logons to cache. You can fine-tune that value using this entry.

Root Key: HKEY_LOCAL_MACHINE

Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Entry: cachedlogonscount

Data Type: REG_DWORD

*******

Easy enough to test if you're unsure -- just disconnect the laptop and login and out more than 10 times ;) I'm like 99.9% sure it's unlimited! unless the value is set to 0, then it will not store them.

edit: Yup the info sc302 linked to also states it

"Determines the number of users who can have cached credentials on the computer."

So unless you're going to have more than 10 accounts using that laptop while it's not connected to the domain you don't have to do anything.

Edited by BudMan
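
The setting discussed in the post above can be checked on a laptop with a short script. This is an added example, not part of the original thread; the function names `Resolve-CachedLogonsCount` and `Get-CachedLogonPolicy` are hypothetical, and the fallback of 10 when the value is absent is an assumption taken from the default quoted in the thread.

```powershell
# Added example, not from the thread. Function names are hypothetical.
function Resolve-CachedLogonsCount {
    param([AllowNull()][object]$RawValue, [int]$DefaultWhenMissing = 10)

    if ($null -eq $RawValue -or "$RawValue".Trim() -eq '') {
        # Value absent: assume the default of 10 quoted in the thread
        # (the quoted KB article notes Windows Server 2008 is an exception).
        $n = $DefaultWhenMissing; $source = 'default'
    } else {
        $parsed = 0
        # The data may come back as a string or a number; parse either form.
        if (-not [int]::TryParse("$RawValue".Trim(), [ref]$parsed)) {
            throw "CachedLogonsCount is not an integer: '$RawValue'"
        }
        if ($parsed -lt 0) { throw "CachedLogonsCount below documented range 0..50: $parsed" }
        $n = $parsed; $source = 'registry'
    }

    # Per the quoted documentation: 0 disables caching, anything above 50 acts as 50.
    $effective = [Math]::Min($n, 50)
    [pscustomobject]@{
        Source            = $source
        Configured        = $n
        EffectiveAccounts = $effective          # number of ACCOUNTS cached, not logon attempts
        CachingEnabled    = ($effective -gt 0)  # if false, offline domain logon fails
    }
}

function Get-CachedLogonPolicy {
    # Key and entry name as given in the quoted TechNet text (names are case-insensitive).
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item = Get-ItemProperty -Path $key -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    $raw  = if ($item) { $item.CachedLogonsCount } else { $null }
    Resolve-CachedLogonsCount -RawValue $raw
}

# Constructed sample inputs showing each case: default-like, disabled, over the cap, missing.
foreach ($sample in @('10', 0, '75', $null)) {
    Resolve-CachedLogonsCount -RawValue $sample
}

# The local machine's actual setting.
Get-CachedLogonPolicy
```
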

You don't have to do anything special, out of the box they will use cached.

Are you thinking of the cachedlogonscount value?? 0 to 50, default to 10.. That is for the number of accounts it will cache logins for, not the number of times a user can login ;)

I do believe it's unlimited.... I had a friend who had her work laptop at home for years, no longer even worked for the company and was able to login with her domain info just fine.

Have been using laptops from the old NT days before AD, then with AD both 2k, 2k3 and now 2k8 and have never had an issue with laptop users login.

What we have had issues with is them changing the password on the laptop while not connecting to the domain - and then when they come back into the domain they can lock the domain account out ;)

Just let your users know not to change the password unless connected to the domain, be it directly or over a vpn, etc.

ummmm....yeeah....link I posted has that info. You can sign on an unlimited amount of times, but it caches 10 users....sorry if it sounded like something else.

just to be sure we are talking about the same thing and you misunderstanding me...from the link above:

Description: Determines the number of users who can have cached credentials on the computer.

All previous users' logon information is cached locally so that, in the event that a domain controller is unavailable during subsequent logon attempts, they are able to log on. If a domain controller is unavailable and a user's logon information is cached, the user is prompted with a message that reads as follows:

Windows cannot connect to a server to confirm your logon settings. You have been logged on using previously stored account information. If you changed your account information since you last logged on to this computer, those changes will not be reflected in this session.

If a domain controller is unavailable and a user's logon information is not cached, the user is prompted with this message:

The system cannot log you on now because the domain <DOMAIN_NAME> is not available.

In this policy setting, a value of 0 disables logon caching. Any value above 50 only caches 50 logon attempts.

Beyond pretty sure I am understanding it the way you are saying it and meaning what it says in the description above, and never thought for 1/1000 of a second that it meant how many times a user could log in when not on the network.


I'm not saying you did sc302, but it can be confusing the way MS words it on some sites.

example

http://support.microsoft.com/kb/172931/

Through the registry and a resource kit utility (Regkey.exe), you can change the number of previous logon attempts that a server will cache. The valid range of values for this parameter is 0 to 50. A value of 0 turns off logon caching and any value above 50 will only cache 50 logon attempts. By default, all versions of Windows remember 10 cached logons except Windows Server 2008.

It can be confusing depending on what article you read, etc. Just wanted to make sure it's clear that the user can login using cached for an unlimited number of times, that the setting only reflects the # of users that can do it, not the number of times it can be done.
