"local" and "remote" login credentials for Windows domain accounts

1

After the first login with a domain account (in my case Win10 as client and WinServer2016 as domain controller), a profile will be created on the local PC. This way, even if I'm not connected to the domain controller, I can log on with the same credentials.

Sometimes, I assume because there is a problem with the LAN connection, Windows seems to use the local credentials.

Is there a way to check if Windows logged in through the "local login credentials" or logged in through the domain controller? Preferably through the event log so I can see past logins as well, but I'll take any solution. Thanks!

Albin

Posted 2019-11-15T10:25:10.507

Reputation: 3 983

Answers

1

Run klist immediately after logon. If the system was able to reach a domain controller (KDC), you will have a Kerberos TGT (labelled Server: krbtgt/FOO in the list) and probably several per-service tickets.


Note that if network access returns sometime later, then Windows will automatically acquire a TGT whenever it is needed (as long as your logon password is still valid). So if you're inspecting a session that is no longer fresh, then the presence of a Kerberos TGT depends on whether it was used recently for authenticating connections and won't indicate anything about cached credentials.

user1686

Posted 2019-11-15T10:25:10.507

Reputation: 283 655

Thanks, I'll have to read up a little bit on klist to see if that solves my problem. I'll let you know if it works for my context. +1 – Albin – 2019-11-17T16:08:32.090
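
The klist check described in the answer, as an added PowerShell example that is not part of the original post: it parses klist output into ticket objects and reports whether a krbtgt ticket is present. It assumes English-language klist labels; the function names, the FOO realm hosts and the sample output are constructed for illustration.

```powershell
# Added example (not from the original answer). Function names are hypothetical.
# Assumes English klist labels: "Client:", "Server:", "Start Time:", "Kdc Called:".
function Get-KerberosTicket {
    param([string[]]$KlistOutput)
    $tickets = @(); $current = $null
    foreach ($line in $KlistOutput) {
        if ($line -match '^#\d+>\s+Client:\s+(.+)$') {
            # A "#N>" line starts a new ticket entry; flush the previous one.
            if ($null -ne $current) { $tickets += [pscustomobject]$current }
            $current = [ordered]@{ Client = $Matches[1].Trim(); Server = $null
                                   StartTime = $null; KdcCalled = $null }
        } elseif ($null -ne $current -and
                  $line -match '^\s+(Server|Start Time|Kdc Called):\s*(.*)$') {
            # "Start Time" -> StartTime, "Kdc Called" -> KdcCalled
            $current[($Matches[1] -replace ' ', '')] = $Matches[2].Trim()
        }
    }
    if ($null -ne $current) { $tickets += [pscustomobject]$current }
    $tickets
}

function Test-KerberosTgt {
    # With no argument, reads the ticket cache of the current logon session.
    param([string[]]$KlistOutput = (klist.exe))
    $tgts = @(Get-KerberosTicket $KlistOutput |
              Where-Object { $_.Server -like 'krbtgt/*' })
    [pscustomobject]@{ HasTgt = ($tgts.Count -gt 0); Tgts = $tgts }
}

# Constructed, abbreviated sample: a logon that reached a domain controller.
$reachedDc = @'
Current LogonId is 0:0x3e7a1

Cached Tickets: (2)

#0>     Client: user1 @ FOO
        Server: krbtgt/FOO @ FOO
        Start Time: 11/15/2019 10:20:01 (local)
        Kdc Called: dc01.foo

#1>     Client: user1 @ FOO
        Server: cifs/fileserver.foo @ FOO
        Start Time: 11/15/2019 10:20:05 (local)
        Kdc Called: dc01.foo
'@ -split "`r?`n"

# Constructed sample: a logon with no tickets in the cache.
$noTickets = 'Current LogonId is 0:0x3e7a1', '', 'Cached Tickets: (0)'

Test-KerberosTgt -KlistOutput $reachedDc | Format-List
Test-KerberosTgt -KlistOutput $noTickets | Format-List
```

On a live machine, call Test-KerberosTgt with no argument immediately after logon; as the answer notes, a TGT seen later in the session may have been acquired after network access returned.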