Disabling cached logons in 2000 and XP
Article Number: 0000000072
Created On: 2007-07-30 14:35:50
Last Updated: 2008-08-28 13:03:33
Question
How do I stop users logging on locally without the network?
Symptoms
N/A
Resolution
Instructions
Windows 2000 and XP workstations have a feature that allows users to log on to a machine using their network username and password even when the domain controller is not available.
Called "cached logons", this feature is set to 10 by default, so the last 10 users can potentially log on to a machine locally simply by removing the network cable.
This setting is controlled by a registry entry and can be set on each machine via the Local Policy MMC (accessed via Control Panel, Administrative Tools).
Change the setting to 0 and reboot.
Alternatively, the following lines can be added to the PreshellNT.rrg file in the server's Ranger directory.
;-------------------------------------------------------------------------------------
;This line disables cached logons in 2000 environment thus stopping users logging on locally
;with their network username/password to a Windows 2000 or XP workstation with the
;network cable unplugged.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"cachedlogonscount""0"
;-------------------------------------------------------------------------------------
This will change the appropriate registry key to a safe value each time a user logs in.
Note: This change is incorporated by default in releases after Ranger 4.3.
Testing
Attempt to log on with the network cable removed.
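The registry value can also be checked directly to confirm the change before the cable test. The following PowerShell check is an added example, not part of the original article or of Ranger. It assumes PowerShell 2.0 or later, that the Remote Registry service is running on any remote target, and that a missing value means the default of 10 described above applies.

```powershell
# Added example: report the cached logon setting for a workstation.
$KeyPath   = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName = 'CachedLogonsCount'
$Default   = 10   # default stated in the article; assumed to apply when the value is absent

function Get-CachedLogonsCount {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $result = New-Object PSObject -Property @{
        Computer = $ComputerName; Raw = $null; Effective = $null; Status = $null
    }
    try {
        # Local machine: open the hive directly. Remote: needs the Remote Registry service.
        $hklm = if ($ComputerName -eq $env:COMPUTERNAME) {
            [Microsoft.Win32.Registry]::LocalMachine
        } else {
            [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        }
        $key = $hklm.OpenSubKey($KeyPath)          # read-only open
        if ($key -eq $null) { throw 'Winlogon key not found' }
        $raw = $key.GetValue($ValueName, $null)    # $null when the value is absent
        $key.Close()
    } catch {
        $result.Status = "ERROR: $($_.Exception.Message)"
        return $result
    }

    $result.Raw = $raw
    $count = 0
    if ($raw -eq $null) {
        # Value missing: the setting was never written, so the default is in effect.
        $result.Effective = $Default
        $result.Status    = 'NOT SET (default applies, caching enabled)'
    } elseif (-not [int]::TryParse([string]$raw, [ref]$count)) {
        $result.Status    = 'INVALID (value is not a number)'
    } else {
        $result.Effective = $count
        $result.Status    = if ($count -eq 0) { 'OK (caching disabled)' }
                            else { 'CACHING ENABLED' }
    }
    return $result
}

# Checks the local machine; pass a workstation name to check it remotely.
Get-CachedLogonsCount | Select-Object Computer, Raw, Effective, Status | Format-Table -AutoSize
```

A status other than "OK (caching disabled)" means the workstation should still be expected to accept a cached logon with the cable unplugged.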