question

mahmoudazletni-9256 asked LimitlessTechnology-2700 answered

Cannot log in with domain account when computer is disconnected

Dears,

We have a company that works with a Microsoft environment; we have Active Directory and a domain controller.

These days some of the users can't use their laptops out of the office until they connect the laptops to the VPN via a local user account; after that they sign in using the domain account.

windows-server windows-10-general windows-active-directory

GaryReynolds answered GaryReynolds commented

Hi @mahmoudazletni-9256

There is a GPO setting that allows you to define the maximum number of cached credentials that are stored on the machine. Cached credentials allow a user to log on with their domain credentials when not connected to the corporate network. Review this article for more details.

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available

Gary.


Which policy should I enable?
On the domain controller server or the laptop?


Hi

This post has the details on how to create a policy to change the setting http://woshub.com/cached-domain-logon-credentials-windows/

Probably worth having a read of this article on how to use the GPMC - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal

Gary.

LimitlessTechnology-2700 answered

Hi there,

Try removing the computer from the domain and re-joining the domain; this will retain all custom configurations.

Additionally, try this too:

Computer Configuration > Policies > Administrative Templates > System > Group Policy > "Configure Group Policy Caching" policy setting.

Enable this "Configure Group Policy Caching" setting. This will allow your laptops to log in to your DC using a cached profile with the same DC credential, even if your DC is not reachable.

Also, try:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Enable "Define this policy setting" and set the logon cache count to 10.



--If the reply is helpful, please Upvote and Accept it as an answer--
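
A read-only check for the laptop side of the "Interactive logon: Number of previous logons to cache" setting discussed in the answers above, added here as an example and not part of any poster's reply. It assumes the policy's standard Winlogon registry value `CachedLogonsCount`; the function name `Get-CachedLogonStatus` is hypothetical.

```powershell
# Added example (not from the thread). Run on the affected laptop, not on the DC.
# Reads the effective cached-logon setting and explains what it means offline.
function Get-CachedLogonStatus {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem

    # The policy writes its value as a string (REG_SZ) named CachedLogonsCount.
    $raw = (Get-ItemProperty -Path $key -Name CachedLogonsCount `
            -ErrorAction SilentlyContinue).CachedLogonsCount

    $count = 0
    if ($null -eq $raw) {
        $state = 'NotSet'
        $note  = 'Value is absent; Windows falls back to its built-in default.'
    } elseif (-not [int]::TryParse([string]$raw, [ref]$count)) {
        $state = 'Invalid'
        $note  = "Value '$raw' is not a number; check the GPO that sets it."
    } elseif ($count -eq 0) {
        $state = 'Disabled'
        $note  = 'Caching is off: domain accounts cannot sign in without a reachable DC.'
    } else {
        $state = 'Enabled'
        $note  = "Up to $count logons are cached. A user must have signed in " +
                 'at least once while a DC was reachable before offline sign-in works.'
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        PartOfDomain      = $cs.PartOfDomain
        Domain            = $cs.Domain
        CachedLogonsCount = $raw
        State             = $state
        Note              = $note
    }
}

Get-CachedLogonStatus | Format-List
```

If the result is `Disabled` or unexpected, `gpresult /r /scope computer` on the same laptop lists the GPOs applied to it, which helps locate the policy that sets the value.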
