Windows 7 Pro, Server 2008 R2, Cached Credentials
Hello, I have an odd situation happening and I think perhaps I need to revisit the methodology I am using.

Scenario:
Windows 7 Professional laptop joined to domain
Domain - Server 2008 R2 AD
Cached Credentials GPO applied to Laptop OU, set to 50. Policy is being applied properly to the laptop.

User logs in while connected to domain - no issues. After about a week of being away from the office he now gets a "Cannot login because no Domain Controller is found". This user claims that there is no way he has logged on 50 times since it was last in the office. If he brings the laptop back to the office and attaches to the network, he gets another week before this issue appears again. This causes much grief since the user has a desktop PC that he uses when in the office and these laptops are designed to be used when away from the office.

Now I have read multiple different articles on the forum and other sites. There seems to be a disagreement on the GPO setting and its usage. Some posts indicate that this GPO is for the # of users that get cached while other posts indicate that this GPO is for the number of logins while away from the network.

Which one is it, # of users or # of logins?

Is there a suggested method to allow a user to have MORE than 50 login attempts while away from the office?

Is there a way to reset this "count" back to zero after connecting to the domain? Is there a way to check what the current count is on the cached logins?

Would it be easier to remove these laptops from the domain and have local users with the same password and use pass-through authentication?

Interestingly enough, the user has access to the network via a Cisco VPN. When attached to that VPN from a hotel/airport/public hotspot the user cannot connect to the "domain controller" and get Group Policy updates. However, if that user connects from a home network it seems to work just fine. (I suspect the issue is with the local connection profile being set to "Public" and the VPN profile being set to "Work".)

Any suggestions? Any input would be appreciated.
November 10th, 2010 7:14pm

To answer your questions:

1. Which one is it # of users or # of logins?

You must mean “cached credential”. The number of cached credentials can be defined via group policy:

Interactive logon: Number of previous logons to cache (in case domain controller is not available)

It can be defined between 0 and 50.

2. Is there a suggested method to allow a user to have MORE than 50 login attempts while away from the office?

It is not related to cached credentials. The user account has one cached credential no matter how many times he has logged on. The policy for account login attempt limitation is:

Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold

3. Is there a way to reset this "count" back to zero after connecting to the domain/Is there a way to check what the current count is on the cached logins?

The policy is:

Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after

4. Would it be easier to remove these laptops from the domain and have local users with the same password and use pass through authentication?

No need to exit the domain. A local user can still log on although the laptop is a domain member.

Interestingly enough, the user has access to the network via a Cisco VPN. When attached to that VPN from a hotel/airport/public hotspot the user cannot connect to the "domain controller" and get Group Policy updates. However if that user connects from a home network it seems to work just fine. (I suspect the issue is with the local connection profile being set to "Public" and the VPN profile being set to "Work") Any suggestions?

I cannot be sure whether the different Windows Firewall profiles cause this problem. You may suggest that the users manually change the profile or just disable Windows Firewall and check the result. In some cases, such an issue can be caused by firewalls behind the ad hoc or the ISP.
November 14th, 2010 10:53pm
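
An added diagnostic example for the three things this thread asks about (it is not code from either poster): it reads the value the "Number of previous logons to cache" policy actually wrote on the laptop, tests whether a domain controller can be located right now, and shows which Windows Firewall profile is active. It assumes `nltest.exe` is present on the client and that `netsh` output is in English; it reads only the policy setting and never the cached credential data itself.

```powershell
# Added diagnostic sketch, not code from the thread. Run from an elevated
# PowerShell prompt on the laptop (PowerShell 2.0 on Windows 7 is enough).

# 1. Effective value of "Interactive logon: Number of previous logons to cache".
#    Windows stores it as the string value CachedLogonsCount under Winlogon.
$key    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$raw    = [string](Get-ItemProperty -Path $key).CachedLogonsCount
$parsed = 0
if ([string]::IsNullOrEmpty($raw)) {
    'CachedLogonsCount : not set, Windows default applies'
} elseif (-not ([int]::TryParse($raw, [ref]$parsed)) -or $parsed -lt 0 -or $parsed -gt 50) {
    "CachedLogonsCount : '$raw' is outside the 0-50 range the policy accepts"
} elseif ($parsed -eq 0) {
    'CachedLogonsCount : 0, caching is disabled, offline domain logon will fail'
} else {
    "CachedLogonsCount : $parsed"
}

# 2. Domain membership and live DC discovery. /force skips the locator cache,
#    so a stale cached DC does not mask an unreachable domain.
#    Assumption: nltest.exe is available on this client.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    'Domain            : computer is not domain-joined'
} else {
    "Domain            : $($cs.Domain)"
    & nltest.exe "/dsgetdc:$($cs.Domain)" /force 2>&1 | Out-Null
    if ($LASTEXITCODE -eq 0) {
        'DC locator        : a domain controller was found'
    } else {
        "DC locator        : no domain controller reachable (nltest exit code $LASTEXITCODE)"
    }
}

# 3. Active Windows Firewall profile(s). The question suspects a "Public"
#    local connection next to a "Work" VPN connection; more than one line
#    here means several profiles are active at once.
#    Assumption: English netsh output (header text 'Profile Settings').
& netsh.exe advfirewall show currentprofile |
    Where-Object { $_ -match 'Profile Settings' } |
    ForEach-Object { "Firewall profile  : $($_.Trim().TrimEnd(':'))" }
```

Running it once on the office LAN, once over the VPN from a home network and once over the VPN from a public hotspot gives a side-by-side comparison of DC reachability and firewall profile for the cases described in the question.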
