How to remove saved domain credentials from a workstation

Jdubbs 0 Reputation points
2024-03-07T20:01:06.3333333+00:00

I am facing an issue concerning domain users' locally cached logon passwords and how to reset them.

Simply put, I sometimes provide one of the remote sites' IT admins with temporary accounts with elevated privileges to do some tasks, and after that I disable or change the account password that I recently gave to them.

But I found that after some time they log on using the old password while having the same privileges, by unplugging PCs from the network and logging on using the Windows cached credentials, and hence they can do whatever they want without permission.

So I need to know how I can reset the logon passwords that Windows caches locally whenever a domain account logs on to a PC.

So I need that the next time any user uses the PC, it will ask him for the password, and if he supplies an old one or disabled account credentials, then the PC denies logon for him.


4 answers

  1. Marcin Policht 23,545 Reputation points MVP
    2024-03-07T21:38:58.96+00:00

    Using Group Policy Editor

    Run gpedit.msc

    Navigate to the following path:

    Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options

    Look for the policy named "Interactive logon: Number of previous logons to cache (in case domain controller is not available)." Double-click on it to open the settings.

    Set the value to 0. This means that no previous logons will be cached.

    Click "OK" to apply the changes.


    hth

    Marcin


  2. Ian Xue 36,746 Reputation points Microsoft Vendor
    2024-03-11T09:15:11.6733333+00:00

    Hi Jdubbs,

    Thanks for your reply. When you log on to Windows by using cached logon information, if the domain controller is unavailable to validate your account, you cannot access network resources that require domain validation. However, you can access network resources that do not require domain validation.

    Through the Registry Editor or a Registry Console Tool (reg.exe), you can change the number of previous logon attempts that a server will cache. The valid range of values for this parameter is 0 to 50. A value of 0 turns off logon caching and any value above 50 will only cache 50 logon attempts. By default, all versions of Windows remember 10 cached logons except Windows Server 2008.

    For information about how to edit the registry, view the Changing Keys And Values online Help topic in Registry Editor (Regedit.exe) or the Add and Delete Information in the Registry and Edit Registry Data online Help topics in Regedt32.exe. You must back up the registry before you edit it.

    Cached logon information is controlled by the following key:

    • Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    • Value name: CachedLogonsCount
    • Data type: REG_SZ
    • Values: 0 - 50

    Reference: Cached domain logon information - Windows Server | Microsoft Learn

    Best Regards,

    Ian Xue


    If the Answer is helpful, please click "Accept Answer" and upvote it.

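The registry setting from the answer above, which is the same value the Group Policy option in the first answer controls, as an added PowerShell example that is not part of the original answers. Function and parameter names are hypothetical; the key, value name and REG_SZ type are the ones quoted in the answer.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Function and parameter names are hypothetical; the key, value name and
# REG_SZ data type are the ones given in the answer above.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'CachedLogonsCount'

function Get-CachedLogonsCount {
    # Returns the configured count as an int, or $null when the value
    # is absent or does not parse as a number.
    $item = Get-ItemProperty -Path $WinlogonKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $parsed = 0
    if ([int]::TryParse([string]$item.$ValueName, [ref]$parsed)) { return $parsed }
    return $null
}

function Set-CachedLogonsCount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Valid range per the answer: 0 (caching off) to 50.
        [ValidateRange(0, 50)]
        [int]$Count = 0
    )
    $before = Get-CachedLogonsCount
    if ($before -eq $Count) {
        Write-Output "$ValueName is already $Count; nothing to change."
        return
    }
    if ($PSCmdlet.ShouldProcess("$WinlogonKey\$ValueName", "Set to $Count (was '$before')")) {
        # The value is REG_SZ, so write it as a string rather than a DWORD.
        Set-ItemProperty -Path $WinlogonKey -Name $ValueName -Value "$Count" -Type String
        # Read the value back to confirm the write took effect.
        $after = Get-CachedLogonsCount
        if ($after -ne $Count) { throw "Write did not take effect: read back '$after'." }
        Write-Output "$ValueName changed from '$before' to $after."
    }
}

# Report the current setting, then preview the change without applying it.
Get-CachedLogonsCount
Set-CachedLogonsCount -Count 0 -WhatIf
```

Drop `-WhatIf` to apply the change. On a domain-joined machine where a domain GPO configures this policy, the GPO value overwrites a local registry edit at the next policy refresh, so set it in the GPO instead.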

  3. Sergey Leonov 1 Reputation point
    2024-08-20T04:49:03.85+00:00

    Jdubbs,

    Perhaps a function with a special group will suit your task: Protected Users in Active Directory.

    • The system doesn't create a cached verifier at user sign-in or unlock, so member systems no longer support offline sign-in.

    https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group


  4. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

