How does Windows authenticate domain users without a network connection?

5

4

If you have logged on to a Windows machine as a domain user at least once, you can log on to that machine again even if the machine no longer has a network connection.

How does this work? I assume Windows caches the password somewhere and then authenticates the user. If this is the case, does anyone know where it's cached?

Isn't this insecure? Assuming the domain admin forced a password change or removed a user, this 'loophole' will still allow the user to log on to the machine.

bobbyalex

Posted 2013-02-20T08:33:54.707

Reputation: 443

This is insecure and it can be used as a loophole. If you don't anticipate a need for caching, cached logon should be disabled. There are many instances where I have on-purpose disconnected the Ethernet cable, logged in, and then reconnected the Ethernet cable after the desktop loaded, specifically to avoid logon-related issues – InterLinked – 2017-07-19T17:43:55.233

Windows stores a hash of the password, or more precisely a hash of a hash of the password. Generally speaking, if you have physical access to a machine you can always bypass the logon security anyway, so it doesn't really matter. In the rare situations where it does, the administrator can disable the functionality as Mayank has already explained. – Harry Johnston – 2013-02-28T02:44:23.827

Answers

8

  1. Windows will cache your account information locally once you log in to the machine.
  2. If the next time you try to log in the DC can't be reached, it will use the cached settings. This might be useful for laptops which might be needed to work off the network.
  3. About the security issues: when you log on to Windows by using cached logon information, if the domain controller is unavailable to validate your account, you cannot access network resources that require domain validation. However, you can access network resources that do not require domain validation.
  4. (For Server 2k8) There is a GPO to control logon caching: Interactive logon: Number of previous logons to cache (in case domain controller is not available). You can find it under [Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options].

Shurmajee

Posted 2013-02-20T08:33:54.707

Reputation: 410

You can also find this setting in the registry of the individual machine: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] CachedLogonsCount = 10. Change to zero to disable the feature (group policies may override this setting, I'm not sure). – Dan – 2016-03-09T20:39:28.480
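The GPO named in the answer and the registry value in Dan's comment are the same setting: the Security Options policy writes CachedLogonsCount (a REG_SZ, default 10, range 0 to 50) into the Winlogon key at every policy refresh, so a hand edit is silently undone by the next gpupdate if a policy manages it. The following is an added example, not code from the original answer or its comments, showing how to audit the effective value, detect whether a security policy is managing it, and set it to 0 to disable cached logons. It assumes an elevated PowerShell session on a domain-joined host; the function names are my own. The caveat a practitioner should weigh before setting 0: domain users can then only log on when a DC is reachable, which is fine for desktops that never leave the network and a problem for laptops. The cached verifiers themselves live in a SYSTEM-only part of the registry, so disabling caching mainly protects against offline cracking by someone who already has administrative access to the disk.

```powershell
# Added example; not code from the original answer or its comments.
# Audits and optionally changes "Interactive logon: Number of previous
# logons to cache" on the local machine. Run elevated on a domain-joined host.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonCount {
    # CachedLogonsCount is stored as a string (REG_SZ). If it is absent,
    # Winlogon falls back to its built-in default of 10 cached logons.
    $value = (Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount `
                -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $value) {
        return [pscustomobject]@{ Count = 10; Source = 'default (value not set)' }
    }
    [pscustomobject]@{ Count = [int]$value; Source = 'registry (possibly written by GPO)' }
}

function Test-CachedLogonPolicyManaged {
    # Exports the effective local security policy and looks for the line the
    # Security Options policy produces for this setting. A hit means a policy
    # (local or domain) is managing the value, so edit the GPO, not the registry.
    $tmp = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $tmp /quiet | Out-Null
    $hit = Select-String -Path $tmp -Pattern 'CachedLogonsCount' -SimpleMatch -Quiet
    Remove-Item $tmp -ErrorAction SilentlyContinue
    return [bool]$hit
}

function Set-CachedLogonCount {
    param([ValidateRange(0, 50)][int]$Count)
    # 0 disables cached logons: without a reachable DC, domain users can no
    # longer log on at all. Keep this for desktops that stay on the network;
    # travelling laptops normally need a small non-zero value.
    Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount `
        -Value ([string]$Count) -Type String
}

$current = Get-CachedLogonCount
Write-Host ("CachedLogonsCount = {0} ({1})" -f $current.Count, $current.Source)

if (Test-CachedLogonPolicyManaged) {
    Write-Host 'Setting is policy-managed: change it in the GPO; a registry edit will be reverted.'
} elseif ($current.Count -gt 0) {
    Write-Host 'Cached logons enabled and not policy-managed. To disable: Set-CachedLogonCount -Count 0'
}
```

On a domain-joined machine the right place to make the change is the domain GPO listed in the answer; the local registry write in Set-CachedLogonCount is only reliable on machines where no security policy configures the setting, which is what Test-CachedLogonPolicyManaged checks first.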