If you enable this setting, does it allow a user to logon to the network with cached credentials that could be expired? So they can then access resources they shouldn't have access to anymore? I realize they can logon off the network, at home for example, with cached credentials, but how do cached credentials operate when connected to the domain network?

Hi, After a successful domain logon, information is cached; this means that later a user can log on to the computer with the domain account even if the domain controller that authenticated the user is not available. Because the user has already been authenticated, Windows uses the cached credentials to log the user on locally. For example, if a mobile user logs on to a portable computer that is a domain member with a domain account and then takes the portable computer to a location where the domain is unavailable, Windows will attempt to use the cached credentials from the last successful logon with a domain account to locally log on the user and allocate access to local computer resources. For reference: http://technet.microsoft.com/en-us/library/cc780332(v=WS.10).aspx Best Regards, Kim ZhouPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Yes, but what if the Domain Controller is available? Can it use cached or will it always authenticate the entered credentials against the DC?

If the DC is available, Windows will not use cached credentials and will authenticate the user against the domain. It is possible in certain scenarios to be connected to the domain but for one reason or another not be able to communicate with a DC and I think Windows will then use the cached credentials (because as far as its concerned there is no DC). However when you try and access a network resource Windows will attempt to authenticate the user again. If a DC is available for this subsequent attempt at authentication and the credentials are incorrect, access will be denied. Regards qSilverx