Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Friday, August 22, 2003 5:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Number of Interactive Logons
-----Original Message-----
From: deji Agba [mailto:[EMAIL PROTECTED]On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 22, 2003 1:33 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Number of Interactive Logons

OK, Rick, I am confused (as usual ;))

Are you thanking Jens for his interpretation of the question? That this has to do with the number of "people" logging onto the network when the DC is down? As pointed out previously, "cached logon" has nothing to do with this at all. It is the number of successful logons/passwords that a client had made to the network. Am I the one misunderstanding the question?

Sincerely,
Deji Akomolafe, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Fri 8/22/2003 6:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Number of Interactive Logons

Jens,

Thanks for jarring my tired and very overworked noggin. Correct - it is the number of cached credentials from users who have already logged in. But allowing 50 in any kind of secure computing environment is insane. Yes, they must have logged on there before, but what is the likelihood that one of those passwords is going to be quite crackable or guess-able? As the number of users increases, the potential for compromise increases.

Given that if one of these boxes can be physically tampered with, the ability to dump information and crack it off-line is becoming more of a reality. Reference the Knoppix STD CD, for example.

I'm still on board with my earlier statement. 50 is over the top; 10, IMHO, is too many.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Schwipper, Jens
Sent: Friday, August 22, 2003 8:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Number of Interactive Logons

If 50 persons would like to log on during the time the DC is down, it's okay, but these 50 persons must have already logged on before the DC goes down (data in cache).

I think it's not necessary for a normal user workstation, where it is unusual for another person to log on.

jens

-----Original Message-----
From: De Schepper Marc [mailto:[EMAIL PROTECTED]
Sent: Freitag, 22. August 2003 13:41
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Number of Interactive Logons

Hey all,

I would like to have some feedback on the following Policy setting:

Interactive logon: Number of previous logons to cache (in case domain controller is not available)

The default is 10, but our Security people would like to put it on 50.

Does anyone have some arguments not to use 50?

Marc
