Group Policy password caching

Federico Coppola 1,181 Reputation points
2020-09-15T22:32:48.61+00:00

Hello,
I found out that Windows (in my case the computer has Windows 10) stores and caches the last 10 credentials to permit login to the computer if there is no domain controller.

Is it possible for domain computers to store just the last credential and not the last 10 credentials?

How can I do it?

Could storing the last 10 credentials on clients be a vulnerability?

Thanks for your suggestions and support
Federico


Accepted answer
  1. Fan Fan 15,281 Reputation points Microsoft Vendor
    2020-09-16T00:33:09.97+00:00

    Hi,

    This cached number can be set through the policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)", a security policy setting under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

    It can only be set for workstations; it will not work on the DCs.

    You can change this number as you require, such as 2 for security reasons.

    If you configure the "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" setting to 0, this disables the local caching of logon information. The impact is that users cannot log on to any devices if there is no domain controller available to authenticate them.
    For more information, you can refer to the following link: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available

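To confirm that the policy described in the accepted answer has actually reached a workstation, the effective value can be read back from the registry. The script below is an added example, not part of the thread: the `CachedLogonsCount` value under the Winlogon key is where Windows stores this setting, and the `$MaxAllowed` parameter and the function name are assumptions made for illustration.

```powershell
# Added example: audit the effective "Number of previous logons to cache" value.
# $MaxAllowed is an assumed target for illustration (the thread discusses 1 and 2).
param(
    [int]$MaxAllowed = 2
)

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name = 'CachedLogonsCount'

function Get-CachedLogonsCount {
    # The value is stored as a string (REG_SZ). When it is absent,
    # Windows falls back to its default of 10 cached logons.
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return [pscustomobject]@{ Value = 10; Source = 'default (value not set)' }
    }
    $parsed = 0
    if (-not [int]::TryParse([string]$prop.$name, [ref]$parsed)) {
        throw "Unexpected $name data: '$($prop.$name)'"
    }
    [pscustomobject]@{ Value = $parsed; Source = 'registry' }
}

$current = Get-CachedLogonsCount

# ProductType 2 = domain controller, where the setting has no effect.
$isDC = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 2

$status = if ($isDC) {
    'not applicable (domain controller)'
} elseif ($current.Value -eq 0) {
    'caching disabled: no logon without a reachable domain controller'
} elseif ($current.Value -le $MaxAllowed) {
    'within target'
} else {
    'above target'
}

[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    CachedLogonsCount = $current.Value
    Source            = $current.Source
    MaxAllowed        = $MaxAllowed
    Status            = $status
}
```

Run it after `gpupdate /force` on a test workstation; a `Source` of "default (value not set)" means the GPO has not applied to that machine.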

2 additional answers

  1. Federico Coppola 1,181 Reputation points
    2020-09-16T04:28:25.647+00:00

    Hi @Fan Fan,
    Thanks for your help!

    I don't want to set this setting to 0 because there are really many laptops inside the customer's company, and sometimes these laptops will be used outside the company.

    I would like all client laptops to "store and cache" just their users' credentials, so I can change "Number of previous logons to cache" to 1.
    Is my opinion about setting this value to 1 right?

    Are there other solutions to achieve my idea?

    Thanks


  2. Federico Coppola 1,181 Reputation points
    2020-09-16T20:29:09.577+00:00

    Thanks so much for your opinion and help!

    Federico
