My group manages about 50 offsite laptops. We know that Windows 2000 Server controls or limits cached logons to 50 or fewer. We set the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry subkey's cachedlogonscount value to 50, but we understand that the oldest cached logon is dropped whenever a domain controller (DC)­validated logon (in our case, a VPN-client logon) occurs. Will Windows logons eventually fail for offsite laptops that don't have a means to validate to a DC every now and again?

The cached logon feature doesn't drop logons as they age, it simply securely caches the credentials of the last x secure domain logons. When users are disconnected from your DCs, they can still log on to their workstation using their domain credentials as long as they've logged on to that workstation with those credentials within the last x times someone logged on to that workstation with a domain account. In most cases, a laptop is used by one person, so every logon is by that one person's domain account--which means that all x cached logons are the same. So don't worry about it. Even if your users log on without a DC more than 50 times in succession, they won't run into any problems.