Q: How does Windows domain credential caching work, and how can I fine tune it or turn it off?

A: Each time a user logs on from a computer console to a Windows domain, the Windows OS securely caches the user’s domain credentials. This feature lets users log on to the domain when no domain controllers (DCs) are available or when your machine is disconnected from the network. Secure caching means that the system's Local Security Authority (LSA) stores a hash of the password hash in the system registry. In other words, the cached credentials can't be used to derive either the password hash or the original password. The cached credentials are stored in the HKEY_LOCAL_MACHINE\Security\Cache registry key. From a security viewpoint, domain credential caching clearly has risks. Users can intentionally disconnect a local machine from the network, for example, to get around the fact that the administrator disabled the machine’s domain account or to log on to a domain after circumventing certain security policy settings that are enforced via Group Policy Objects (GPOs). Keep in mind, however, that logging on to the domain with cached credentials gives the user access to only local resources.

You can disable cached-account logon sessions and force a user’s machine to contact a DC before the user can log on to the domain. You can do so by using a registry hack or a GPO setting. To disable cached-account logon sessions using a registry hack, create the CachedLogonsCount registry entry of type REG_SZ in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry subkey and set its value to 0. To disable credential caching by using a GPO setting, configure the “Interactive logon: number of previous logons to cache (in case domain controller is not available)” setting with a value of 0. This setting is located in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options GPO container. You must restart your computer for this change to take effect.

Don't set the number of logons to cache to 0 on mobile users’ laptops. These users would then be unable to log on with their domain credentials when away from the office. Although the CachedLogonsCount registry entry doesn’t appear in the registry by default, Windows NT caches a set of 10 domain credentials by default. The maximum value for CachedLogonsCount is 50. When credential caching is disabled and no DC is available, a user can still log on to a machine via a local machine account.
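The registry procedure above, as an added PowerShell example that is not code from the original article: it reports the effective CachedLogonsCount on the local machine (treating an absent entry as the default of 10), and offers a setter that only accepts the 0 to 50 range the article describes. The battery check used to flag a machine as a likely laptop is a heuristic of my own, not something the article states, and the report's field names are my own choices.

```powershell
# Added example, not from the original article: audit and optionally change the
# CachedLogonsCount entry described above. Run from an elevated PowerShell session.
# The key path, the REG_SZ type and the 0..50 range come from the article; the
# battery heuristic and the report layout are assumptions made for this example.
$WinlogonKey         = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$DefaultCachedLogons = 10   # Windows caches this many logons when the entry is absent
$MaxCachedLogons     = 50   # highest value Windows honours

function Get-CachedLogonsReport {
    <#
      Returns an object describing the effective caching setting on this machine.
      Source is 'Default (entry absent)' when CachedLogonsCount has never been created.
    #>
    $item = Get-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $count  = $DefaultCachedLogons
        $source = 'Default (entry absent)'
    } else {
        # The entry is REG_SZ, so the provider hands back a string; convert it.
        $count  = [int]$item.CachedLogonsCount
        $source = 'Registry'
    }

    # Heuristic (assumption): a machine with a battery is probably a laptop, where
    # the article warns against setting the count to 0.
    $hasBattery = $null -ne (Get-CimInstance -ClassName Win32_Battery -ErrorAction SilentlyContinue)

    $assessment = if ($count -eq 0 -and $hasBattery) {
        'Caching disabled on a battery-powered device; domain logon will fail away from the network'
    } elseif ($count -eq 0) {
        'Caching disabled; a DC must be reachable for every domain logon'
    } elseif ($count -gt $MaxCachedLogons) {
        "Value exceeds $MaxCachedLogons; Windows caps the cache at $MaxCachedLogons logons"
    } else {
        "Caching enabled for $count logons"
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        CachedLogonsCount = $count
        Source            = $source
        LikelyMobile      = $hasBattery
        Assessment        = $assessment
    }
}

function Set-CachedLogonsCount {
    param(
        [Parameter(Mandatory)]
        [ValidateRange(0, 50)]   # 0 disables caching; 50 is the maximum Windows honours
        [int]$Count
    )
    # Writing the value as REG_SZ matches the entry type the article describes.
    # Set-ItemProperty creates the entry if it does not exist yet.
    Set-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -Value "$Count" -Type String
    Write-Host "CachedLogonsCount set to $Count. Restart the computer for the change to take effect."
}

# Usage: show the current state first; uncomment the setter on a desktop, not a laptop.
Get-CachedLogonsReport | Format-List
# Set-CachedLogonsCount -Count 0
```

The report is meant to be run before any change: on a machine whose entry is absent it shows the effective default of 10 rather than a blank, so the audit matches what Windows actually does, and the LikelyMobile flag gives an administrator a quick reason to stop before disabling caching on a laptop. Where the setting is delivered by the GPO named above, the same registry entry is written, so the reader sees the policy value here too.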

The credential caching discussed in this article should not be confused with Windows Server 2003 and Windows XP’s capability to store user credentials in the user’s profile. The latter feature is known as the “Credential Manager.”