David,
I have yet to get an authoritative answer from Microsoft,
but I have gotten enough information from sources that I trust implicitly to say
that somehow my testing of this issue was flawed. Either it was my
process, or my setup - regardless all indications are that you are 100% correct
in this.
So, to summarize this in the most professional
manner:
The setting:
"Number of previous logons to
cache (in case domain controller is not available)"
has nothing to do with the NUMBER of times a user can logon
- but is the number of users that HAVE SUCCESSFULLY logged on. Once you
have successfully authenticated, you will be able to logon indefinitely to your
disconnected system. You will be able to access local machine resources
with your last successful username and password.
As it was explained to me - If one travels extensively and
does not re-authenticate to their domain on a regular basis, what would you set
this number to? As I remember, the upper limit is 50, which woefully
inadequate for even a short business trip in many people's
case.
You know, it's bizarre, but now that I look at that line -
I now wonder how I could think it was anything else. Given that something
in my test setup at that time returned false results may have swayed my
thinking..... ;o)
My apologies if I led anyone astray - it's all educational
to some degree or another. And, that includes, me, as
well.
Rick
Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Monday, August 25, 2003 11:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Number of Interactive Logons
Rick -
I'm not trying to beat a dead horse here...just want to make sure I understand
how it really works. Since I trust your experience, I had to figure out
where my testing went wrong. So I redid it. Multiple times. I
haven't hit Ctrl-Alt_del so many times at a sitting since Windows 3.1
:)
Problem is, the results were the same as I got before, which does not
square with your results. I set the parameter at 2, and found that only
the last 2 logons were cached, but that I could use them more than 2 or 3 or
even 10 times while disconnected. Actually, I stopped at 16 successful
logins for each of those accounts.
Then I
set it at 3 and started all over. Again, only that number of logins were
cached, but I was able to log in with each of them 16 times, which is where I
stopped.
Both
workstation and DC are Win2K, SP4.
Clearly, something is different between our two environments, since all
your accounts were cached, but none of them could go beyond 11 logins while
disconnected. Since you picked the number 11, I take it that you left the
policy setting in question at its default of 10 ?
Regarding your hope that "Microsoft can be deemed authoritative", I
echo Ken's comments from Saturday that some of those documents seem
contradictory. One would hope that all of the documantation would exactly
reflect product design and behavior, but I can't ignore what I see in actual
practice either. Perhaps there's yet another setting (other than Number of previous logons to cache (in case domain
controller is not available) ) that could be at work
here ???
Dave
-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Friday, August 22, 2003 6:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Number of Interactive LogonsAnd the correct answer is.....Not correct.Look at this: (because the way that I wavered this morning - I'm not realiable)Please let this resolve this and close off this thread. I'm hoping that Microsoft can be deemed authoritative.Oh, and by the way - I tried this, David. I login 10 times, and it tells me that, basically, I can't login anymore because a DC cannot be contacted on the 11th try. I have 11 dummy users (hmmmm... Maybe I'm the dummy user.) and each of the 11 get 10 attempts and are denied on the 11th.Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Friday, August 22, 2003 5:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Number of Interactive LogonsAnd the correct answer is....This setting has nothing to do with how many times a given user can log in when no DC is available. It has everything to do with how many users will have their credentials cached on the workstation while it is connected.Try this simple experiment in the lab. Set the policy in question to a value of 2. Make sure a workstation applies the GPO, then log in and out as several different domain users.Disconnect the workstation from the network. Try logging in as each of those users. You will find that you can log in with the credentials of the last two users, but none of the ones before that. The two that DO work will work as many times as you like.The value of 2 in the policy simply means it caches the credentials of the last two unique individuals that logged in, and any credentials previously cached 'roll off'. The credentials that remain in the cache are valid forever once you disconnect from the network.Now, as to the original question - a value of 10 or 50 makes little difference if less than 10 individuals ever need to use the same machine. If no one should ever log in when disconnected, setting it at 0 can ensure that no one can do so. A value of 1 is probably adequate for a laptop that's used by one person only. However, if the last person that logged in was not the person that just grabbed it to take on the plane, you will have an unhappy road warrior. Probably best to have at least a value of 2 in case an admin needs to do something with it while disconnected. 50 sounds like overkill - if you have 50 people sharing a portable PC, maybe you might be a tad on the frugal side !Have a good weekend.Dave-----Original Message-----
From: deji Agba [mailto:[EMAIL PROTECTED]On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 22, 2003 1:33 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Number of Interactive LogonsOK, Rick, I am confused (as usual ;))Are you thanking Jens for his interpretation of the question? That this has to do with the number of "people" logging onto the network when the DC is down? As pointed out previously, "cached logon" has nothing to do with this at all. It is the number of successful logons/passwords that a client had made to the network. am I the one misunderstanding the question?Sincerely,
D�j� Ak�m�l�f�, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Fri 8/22/2003 6:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Number of Interactive LogonsJens,Thanks for jarring my tired and very overworked noggin. Correct - it is the number of cached credentials from users who have alredy logged in. But allowing 50 in any kind a secure computing environment is insane. Yes, they must have logged on there before, but what is the liklihood that one of those passwords is going to be quite crackable or guess-able. As the number of users increases, the potential for compromise increases.Given that if one of these boxes can be physically tampered with, the ability to dump information and crack it off-line is becoming more of a reality. Reference the Knoppix STD CD, for example.I'm still on board with my earlier statement. 50 is over the top, 10, IMHO, is too many.Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Schwipper, Jens
Sent: Friday, August 22, 2003 8:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Number of Interactive Logonsif there 50 persons would like to logon in the time where the DC is down its okaybut this 50 persons must have already loged on bevor the DC goes down (data in cache)i think it's not necessary for a normal user workstation where unusually loged on a other personjens-----Original Message-----
From: De Schepper Marc [mailto:[EMAIL PROTECTED]
Sent: Freitag, 22. August 2003 13:41
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Number of Interactive LogonsHey all,I would like to have some feedback of the following Policy setting:
Interactive logon: Number of previous logons to cache (in case domain controller is not available) *************************************************************
Dit e-mail bericht inclusief eventuele ingesloten bestanden kan informatie bevatten die vertrouwelijk is en/of beschermd door intellectuele eigendomsrechten. Dit bericht is uitsluitend bestemd voor de geadresseerde(n). Elk gebruik van de informatie vervat in dit bericht (waaronder de volledige of gedeeltelijke reproductie of verspreiding onder elke vorm) door andere personen dan de geadresseerde(n) is verboden. Indien u dit bericht per vergissing heeft ontvangen, gelieve de afzender hiervan te verwittigen en dit bericht te verwijderen.
This e-mail and any attachment thereto may contain information which is confidential and/or protected by intellectual property rights and are intended for the sole use of the addressees. Any use of the information contained herein (including but not limited to total or partial reproduction or distribution in any form) by other persons than the addressees is prohibited. If you have received this e-mail in error, please notify the sender and delete its contents.
*************************************************************
