cached login for users
I am having an issue where computers are not contacting the domain controllers and authenticating users. We would like to keep cached credentials present so as to allow users to still have access to their computers in case of a network failure, but would like to have users authenticated every so often. I know by default cached mode is enabled on all PCs. We would like to know if there is a way to, say, have the computers reconnect to the domain controllers on a daily basis. We also have the issue where we run a check on active computers and many show up as being inactive; even if we disable those computers they can still log in to the domain without issues unless a new user attempts to log in. I know via group policy you can disable the cached mode, but the thing is, if our network ever went out (and we all know it's bound to happen), users would also be locked out from using basic applications such as Word and Excel while we wait for the network. The reason I ask is that recently we added home directories to a group of users and they were not able to access the shared drive since it was not visible. We had to either remove the profile and have it get recreated or remove the cached mode setting. I was wondering if there was a simple way of having the computers just report every so often. Tony E.
March 3rd, 2008 7:45pm

Hi,

<<I am having an issue where computers are not contacting the domain controllers and authenticating users.>>

To narrow down this problem, could you perform the following:
1) Please ping the DC from the client and check whether it succeeds.
2) What exact message shows up?

<<We would like to know if there is a way to say have the computers reconnect to the domain controllers on a daily basis>>

Cached logon behavior can be controlled by the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
ValueName: CachedLogonsCount
Data Type: REG_SZ
Values: 0 - 50
However, based on my research, we couldn't let the computers reconnect to the DC on a daily basis.

<<The reason i ask is that recently we added home directories to a group of users and well they were not able to access the shared drive since it was not visible. We had to either removed the profile and have it get recreated or remove the cached mode setting.>>

When Fast Logon Optimization is enabled, all user logons are cached. The user's logon information is updated after logon, which means that changes to user object properties, such as adding a roaming profile path, home directory, or user object logon script, will not be detected until the second logon. At the second logon, the system detects that the user has a Roaming User Profile or user object logon script, and disables the Fast Logon Optimization for that user. (However, the user's computer could still experience fast boot.) So I suggest trying to log on to the computer twice. Alternatively, you can disable Fast Logon Optimization. About how to enable or disable Fast Logon Optimization:
================================
Description of the Windows XP Professional Fast Logon Optimization feature
http://support.microsoft.com/kb/305293/en-us

<<I was wondering if there was a simple way of having the computers just report every so often>>

I am a bit unclear about this. Could you please explain it more?

If my answer doesn't meet your request, please post the questions one by one. I will follow up.

Best wishes
--------------
Morgan Che
Microsoft Online Community Support
March 4th, 2008 2:10pm
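The reply above names the CachedLogonsCount value and points at Fast Logon Optimization but leaves the reader to check both by hand, and the original poster later notes that ICMP ping is blocked on their network. The following PowerShell script is an added example, not code from the thread or from Microsoft: it reads the two settings from the local machine and tests the machine account's secure channel to a domain controller instead of relying on ping. It assumes the registry path from the reply (with the documented spelling "CurrentVersion"), that SyncForegroundPolicy is the value written by the "Always wait for the network at computer startup and logon" policy, and that it is run in an elevated prompt on a domain-joined machine.

```powershell
# Added example (not from the thread): report the cached-logon count and the
# Fast Logon Optimization state on this machine, then verify that a domain
# controller is actually reachable over the machine account's secure channel.
# Run from an elevated PowerShell prompt on a domain-joined computer.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'

# CachedLogonsCount is stored as REG_SZ; when the value is absent Windows uses 10.
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
           -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10 (default, value not set)' }

# SyncForegroundPolicy = 1 is what the "Always wait for the network at computer
# startup and logon" policy writes; that disables Fast Logon Optimization.
$sync = (Get-ItemProperty -Path $policy -Name SyncForegroundPolicy `
         -ErrorAction SilentlyContinue).SyncForegroundPolicy
if ($sync -eq 1) { $fastLogon = 'disabled (always wait for network)' }
else             { $fastLogon = 'enabled (default)' }

# Test-ComputerSecureChannel talks to a DC over RPC/SMB rather than ICMP, so it
# still gives a usable answer on a network where ping is blocked.
$channelOk = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
if ($channelOk) { $channel = 'OK' } else { $channel = 'FAILED or not domain-joined' }

[PSCustomObject]@{
    Computer              = $env:COMPUTERNAME
    CachedLogonsCount     = $cached
    FastLogonOptimization = $fastLogon
    SecureChannelToDC     = $channel
}

# To lower the number of cached logons (example value 3, chosen for illustration):
# Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value '3' -Type String
```

A secure channel that fails while the user can still log on is exactly the symptom described in the thread: the logon is being served from the local cache. Reducing CachedLogonsCount limits how many users' cached verifiers sit on the disk, but, as the original poster points out, setting it to 0 means nobody can log on while the network is down, so the value is a trade-off between offline availability and what is stored locally.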

Would the fast logon optimization also force the computer to communicate with our domain controllers? The basis for this part of the question is that recently we ran a scan to move all inactive computers over to the proper OU and then, at a later time depending on how long it has been, remove them from A.D. Well, we moved the computers and then disabled all that we found. Well, it turns out that there are many computers that are still actually connected to the domain. We verified this when we had one of our techs log in to a computer that was still active though it said it had been inactive for about a year. This means that this computer had not communicated back its status to the domain controller in that area. I know in part this could be a result of cloning procedures in place, but what about the countless other computers where the O.S. was installed properly? We will be trying the two-login thing to determine if we need to disable the fast logon thing or if it will be taken care of with the two logins. As far as the first question goes, we have ping/ICMP disabled on our network, as a result of virus activity some time ago. I know we currently do not have group policy running as a result, but that is another matter. Hopefully we can resolve the pinging issue, as we will be discussing this with our network team in the near future. Thanks in advance, Tony
March 4th, 2008 7:43pm

Hi, How many domain controllers are there in this domain? Is replication working between all domain controllers? I've seen this happen when computer accounts are disabled on one domain controller, but that change never replicated to the others thus allowing the machines to communicate to AD. - J
March 6th, 2008 5:10am

Well, we do have 7 domain controllers over different locations, but they are all replicating correctly. We verified this when we started having this issue. We even made the changes on the D.C. the computers in question were supposed to be contacting. Tony
March 6th, 2008 5:12pm
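The exchange above turns on two things: whether the "disabled" state actually reached every domain controller, and why a computer that authenticates regularly can still be reported as inactive for a year. The following PowerShell function is an added example, not code from the thread: for one computer account it queries each domain controller separately and returns the per-DC lastLogon (which is never replicated), the replicated but coarse lastLogonTimestamp, the machine account password age, and the Enabled flag. It assumes the ActiveDirectory module (RSAT) is installed, that the account has read access to all DCs, and that the computer name passed in is a placeholder.

```powershell
# Added example (not from the thread): ask every domain controller what it knows
# about one computer account, so a stale-looking account that is still
# authenticating somewhere can be told apart from one that is really gone.
# Requires the ActiveDirectory module (RSAT). The computer name is a placeholder.
Import-Module ActiveDirectory

# AD stores these timestamps as Windows file times (100-ns ticks since 1601);
# 0 or missing means "never".
function ConvertFrom-FileTime([Int64]$Value) {
    if ($Value -gt 0) { [DateTime]::FromFileTimeUtc($Value) } else { $null }
}

function Get-ComputerLogonEvidence {
    param([Parameter(Mandatory)][string]$ComputerName)

    # lastLogon is NOT replicated: each DC keeps its own copy, so an account can
    # look idle on one DC while another DC authenticates it every day.
    # lastLogonTimestamp IS replicated, but by default it is only refreshed when
    # it is more than 14 days old, so it is approximate at best.
    # pwdLastSet moves when the machine account password rolls (30 days by default),
    # which a computer can only do while it is talking to a DC.
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    foreach ($dc in $dcs) {
        try {
            $c = Get-ADComputer -Identity $ComputerName -Server $dc `
                 -Properties lastLogon, lastLogonTimestamp, pwdLastSet, Enabled `
                 -ErrorAction Stop
            [PSCustomObject]@{
                DC                 = $dc
                Enabled            = $c.Enabled
                LastLogon          = ConvertFrom-FileTime $c.lastLogon
                LastLogonTimestamp = ConvertFrom-FileTime $c.lastLogonTimestamp
                PwdLastSet         = ConvertFrom-FileTime $c.pwdLastSet
                Error              = $null
            }
        } catch {
            # A DC that cannot be queried is itself evidence worth keeping.
            [PSCustomObject]@{
                DC = $dc; Enabled = $null; LastLogon = $null
                LastLogonTimestamp = $null; PwdLastSet = $null
                Error = $_.Exception.Message
            }
        }
    }
}

# Placeholder computer name; replace with the account that looked inactive.
$rows = Get-ComputerLogonEvidence -ComputerName 'PLACEHOLDER-PC01'
$rows | Format-Table -AutoSize

# If Enabled differs between DCs, the disable never replicated (the case J describes).
$rows | Where-Object { $null -ne $_.Enabled } | Group-Object Enabled |
    Select-Object Name, Count
```

Two readings follow from the output. If the Enabled column disagrees between DCs, the account was disabled on one controller and the change has not replicated, which matches J's explanation. If every DC shows Enabled = False but one DC has a recent LastLogon or PwdLastSet, that DC is still honoring the account, and the inventory scan was probably reading the 14-day-granular lastLogonTimestamp or a single DC's lastLogon rather than the most recent value across all controllers, which is why a machine that logs on daily can still be reported as inactive for a year.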
