Nope - I'm confused. I'm officially correcting my correction. The number of cached logons specifically means that if, _IF_, you have logged on to a given system before AND the DC is not available, you will have X logons to that system (by default, X=10). This has nothing to do, as I incorrectly stated, with the NUMBER of CACHED USERS.

If you have not logged on to the system before and the DC is not available, you WILL NOT be able to log on regardless of the setting discussed. This will only allow users who have logged on before to log on to the system in the event that a DC is not available to authenticate credentials.

(Excuse my inability to carry on a coherent thought this morning... This week has been absolutely whacked. I guess I'm a bit whacked, too. But, for those of you that know me - that's nothing new. :) )

And, to that, I still suggest the number be 0.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 22, 2003 1:33 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Number of Interactive Logons

OK, Rick, I am confused (as usual ;)). Are you thanking Jens for his interpretation of the question? That this has to do with the number of "people" logging onto the network when the DC is down? As pointed out previously, "cached logon" has nothing to do with this at all. It is the number of successful logons/passwords that a client has made to the network. Am I the one misunderstanding the question?

Sincerely,
Deji Akomolafe, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Fri 8/22/2003 6:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Number of Interactive Logons

Jens,

Thanks for jarring my tired and very overworked noggin. Correct - it is the number of cached credentials from users who have already logged in. But allowing 50 in any kind of secure computing environment is insane. Yes, they must have logged on there before, but what is the likelihood that one of those passwords is going to be quite crackable or guessable? As the number of users increases, the potential for compromise increases. Given that if one of these boxes can be physically tampered with, the ability to dump information and crack it off-line is becoming more of a reality. Reference the Knoppix STD CD, for example.

I'm still on board with my earlier statement. 50 is over the top; 10, IMHO, is too many.
Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Schwipper, Jens
Sent: Friday, August 22, 2003 8:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Number of Interactive Logons

If 50 persons would like to log on during the time the DC is down, that's okay, but these 50 persons must have already logged on before the DC goes down (data in cache). I think it's not necessary for a normal user workstation, where it is unusual for another person to log on.

Jens

-----Original Message-----
From: De Schepper Marc [mailto:[EMAIL PROTECTED]]
Sent: Friday, 22 August 2003 13:41
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Number of Interactive Logons

Hey all,

I would like to have some feedback on the following policy setting:

Interactive logon: Number of previous logons to cache (in case domain controller is not available)

The default is 10, but our Security people would like to put it on 50. Does anyone have some arguments not to use 50?

Marc

*************************************************************
This e-mail and any attachment thereto may contain information which is confidential and/or protected by intellectual property rights and is intended for the sole use of the addressees. Any use of the information contained herein (including but not limited to total or partial reproduction or distribution in any form) by other persons than the addressees is prohibited. If you have received this e-mail in error, please notify the sender and delete its contents.
*************************************************************
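Added example, not code from any of the posters above: the policy Marc asks about is backed by the REG_SZ value CachedLogonsCount under the Winlogon registry key (default "10", maximum "50", "0" disables caching), and what it counts is the number of unique users whose domain credentials are kept locally, not the number of logons a given user gets. The cached verifiers live in the SECURITY hive, which is what makes the offline-dump-and-crack concern raised in the thread real. The PowerShell below, run in an elevated session on the workstation, reads the effective value, compares it against a baseline maximum and optionally lowers it. The baseline of 10 is an assumption for this example (it happens to be the Windows default); the function names are mine. A value written locally is overwritten at the next security-policy refresh if a GPO enforces the setting, so the lasting fix belongs in the GPO under Security Settings > Local Policies > Security Options.

```powershell
# Added example: audit and optionally correct
# "Interactive logon: Number of previous logons to cache (in case domain controller is not available)".
# The setting is the REG_SZ value CachedLogonsCount under the Winlogon key.
# In a security template (.inf) the same setting appears under [Registry Values] as
#   MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
# (the leading 1 is the REG_SZ type code). Run elevated.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'CachedLogonsCount'

function Get-CachedLogonsCount {
    # Returns the effective value as an integer. If the value is absent,
    # Windows applies its built-in default of 10.
    $item = Get-ItemProperty -Path $WinlogonKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }
    $parsed = 0
    if ([int]::TryParse([string]$item.$ValueName, [ref]$parsed)) { return $parsed }
    # Non-numeric content in the REG_SZ is itself a finding; do not guess.
    throw "Unexpected $ValueName value '$($item.$ValueName)' on $env:COMPUTERNAME"
}

function Test-CachedLogonsCount {
    param(
        # Largest value the baseline tolerates (assumption: 10, the Windows default).
        # The thread argues for 0 on fixed desktops; note that 0 means nobody can
        # log on while no DC is reachable, so laptops that work off-network need >= 1.
        [ValidateRange(0, 50)] [int] $MaximumAllowed = 10
    )
    $current = Get-CachedLogonsCount
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Current        = $current
        MaximumAllowed = $MaximumAllowed
        Compliant      = ($current -le $MaximumAllowed)
    }
}

function Set-CachedLogonsCount {
    param([ValidateRange(0, 50)] [int] $Count)
    # The value must stay REG_SZ, so it is written as a string. If Group Policy
    # enforces this setting, the next security-policy refresh (gpupdate /force or
    # the periodic background refresh) replaces whatever is written here.
    Set-ItemProperty -Path $WinlogonKey -Name $ValueName -Value ([string]$Count) -Type String
}

# Usage: report, and remediate only when the local value exceeds the baseline.
$result = Test-CachedLogonsCount -MaximumAllowed 10
$result | Format-List
if (-not $result.Compliant) {
    Write-Warning "CachedLogonsCount is $($result.Current) on $($result.Computer); lowering to $($result.MaximumAllowed)."
    Set-CachedLogonsCount -Count $result.MaximumAllowed
}
```

Lowering the count limits how many distinct users' cached verifiers an attacker with physical access can lift from the SECURITY hive; it does not protect the entries that remain, so it complements, rather than replaces, disk encryption and a strong password policy.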
