How to test if user logged in with cached credentials
May 11th, 2012 7:06pm

I am looking to notify users when they have been using cached credentials to log into their laptop for too long (however I define that). I don't want to prevent them from using the machine with cached credentials, but I'm OK with annoying them until they do bring it in. :) I figure a locally stored script is necessary. I want to have it run at every authentication event (either login or unlock). I'm unsure how to accomplish a couple pieces:
1. check if a user is authenticating with cached credentials
2. determine how long it has been since that user logged in while "within sight" of the DC to actually authenticate their login
I'm really stuck at how to do (1). If there is a built-in method of doing (2), I would love to hear it, but I can always just store a date somewhere to be compared against. Thanks for any suggestions you can offer.
May 13th, 2012 12:07pm

There is no easy way to do it that I know of. You would have to create a logon script that would parse through logon events in Event Viewer, provided that you have enabled auditing for logon events. Other than "Interactive logon: Number of previous logons to cache" I don't know of any other GPO setting that you can use. http://technet.microsoft.com/en-us/library/cc755473(v=ws.10).aspx
May 13th, 2012 12:19pm

Thanks for the answer, and I'm sorry to be thick-headed, but no easy way to do what? No easy way to run a script at every authentication attempt? Couldn't a scheduled task be established that runs after certain event IDs? No easy way to check if a user is authenticating with cached credentials? How does Windows do it? Can't I do it the same way? No easy way to determine how long a user has been authenticating with cached credentials? This I am assuming, but I think I can store/overwrite the date in a dummy HKLU registry key each time a login is authenticated with a DC, and then compare the date with any subsequent attempts. That should work, right?
May 14th, 2012 8:52am

No easy way to get that information from the system on how they authenticated, locally or against the domain. You can try to achieve that with custom scripting, but I don't know of any built-in method. The registry key thing might work, but I think you would then have to set it with a logon script and change the value with a logoff script. For example: set LogonType=DC on logon, set LogonType="" on logoff. This way, if the key wasn't set, then probably there is no DC and Group Policy, and therefore the expected value will be LogonType="".
May 14th, 2012 9:49am

In poking around, I see several older references to comparing %logonserver% with %computername% as a valid way to check for cached login. When I do that in Win7 while booted and logged in via cached credentials (due to a disconnected network cable), however, my %logonserver% is the PDC of the user account's domain. The computer account is in a subordinate domain. Is this a new thing? I also find references to a "Login Type 11", but while I can find those entries in the security log, I don't know how to exploit them. PowerShell needs elevation to see the security log, and I don't see a way to trigger a scheduled task on the Login Type. Were these already part of your consideration that there is no easy way? Thanks.
May 16th, 2012 4:17pm
May 16th, 2012 4:26pm

Yes, if a user logs on with cached credentials, you can find an event 528 with logon type 11 in the security event.

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 23rd, 2012 2:48am
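
Added example (not part of any post in this thread): one way to use the logon type 11 events discussed above to report how long a user has been on cached credentials. It queries event ID 4624, the successful-logon event that Windows Vista/7 and later write in place of the older 528, and assumes an elevated context, a domain account, and a hypothetical 30-day threshold (`$MaxDays`).

```powershell
# Added example, not code from the thread. Run elevated: the Security log is
# not readable by standard users.
param(
    [string]$UserName = $env:USERNAME,  # assumption: domain account to check
    [int]$MaxDays = 30                  # assumption: what counts as "too long"
)

function Get-LastLogonEvent {
    param([string]$User, [int]$LogonType)
    # 4624 = successful logon on Windows Vista/7 and later.
    $xpath = "*[System[EventID=4624] and " +
             "EventData[Data[@Name='TargetUserName']='$User'] and " +
             "EventData[Data[@Name='LogonType']='$LogonType']]"
    # Get-WinEvent returns newest events first, so one event is the latest.
    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 1 `
        -ErrorAction SilentlyContinue
}

$cached = Get-LastLogonEvent -User $UserName -LogonType 11  # CachedInteractive
$online = Get-LastLogonEvent -User $UserName -LogonType 2   # Interactive (not cached)

$cachedTime = $null; if ($cached) { $cachedTime = $cached.TimeCreated }
$onlineTime = $null; if ($online) { $onlineTime = $online.TimeCreated }

if (-not $cachedTime -or ($onlineTime -and $onlineTime -gt $cachedTime)) {
    "OK: the most recent logon for $UserName did not use cached credentials."
}
elseif (-not $onlineTime) {
    # The log has rolled over, so the age of the last online logon is unknown.
    "WARN: $UserName logged on with cached credentials at $cachedTime; " +
    "no type 2 logon remains in the Security log."
}
else {
    $days = [int]((Get-Date) - $onlineTime).TotalDays
    if ($days -gt $MaxDays) {
        "WARN: $UserName is on cached credentials; $days days since the last " +
        "non-cached logon (limit $MaxDays)."
    }
    else {
        "INFO: $UserName is on cached credentials; $days days since the last non-cached logon."
    }
}
```

The result is only as good as the Security log's retention and the "Audit logon events" policy mentioned earlier in the thread; a local account also produces type 2 events, which is why the example assumes a domain account.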

This topic is archived. No further replies will be accepted.
