Windows Tip: Troubleshooting cached logons
When a Windows user with domain credentials logs onto a domain, her domain user credentials are automatically cached on her computer. These cached credentials are stored in the form of the hash of a hash, which means they are virtually impossible to crack and therefore quite secure against cryptographic attack. However, the fact that caching of domain credentials happens automatically can sometimes cause problems for users.
For example, say Susan tries logging on to the domain when she arrives at work in the morning. Her logon appears to be successful and she is presented with her desktop and begins doing her work. But later when she tries saving her work to a shared folder on the network, she finds the folder inaccessible. Network problems? Could be, but then why can she still access the Internet from her machine? Maybe the file server is down. Nope, a quick call to Help Desk determines this is not the case. What's wrong?
The problem could be caused by credential caching. In Windows 2000 and later, when a user tries to log onto the domain but no domain controller is available to authenticate, she will automatically be logged onto her computer using her previously cached domain credentials -- and without any notification that this has occurred. In other words, to Susan it appears that her domain logon has been successful and everything is fine until she discovers that a logon script hasn't run, a share is inaccessible, or some other problem occurs.
How can you determine whether you've either successfully logged onto a domain or are merely logged onto your own computer using cached domain credentials? One way to do this is to use Event Viewer to check your System log for an occurrence of event 5719 around the time when you last tried to log on to the domain. An even easier way to do this is to use the following script I wrote to query the System log on my machine for the most recent occurrence of event 5719:
' Query the local System event log for the most recent NETLOGON event 5719
strComputer = "."
Set objWMIService = GetObject("winmgmts:{(Security)}!\\" & _
    strComputer & "\root\cimv2")
Set colEvents = objWMIService.ExecQuery _
    ("Select TimeWritten from Win32_NTLogEvent Where Logfile = 'System' " & _
    "AND EventCode = 5719")
Set dtmDateTime = CreateObject("WbemScripting.SWbemDateTime")
strLatest = ""
For Each objEvent in colEvents
    ' WMI does not guarantee ordering, so keep the largest (newest) DMTF timestamp
    If objEvent.TimeWritten > strLatest Then strLatest = objEvent.TimeWritten
Next
If strLatest = "" Then
    Wscript.Echo "No event 5719 found in the System log"
Else
    dtmDateTime.Value = strLatest
    Wscript.Echo "Last logon using cached credentials at " & dtmDateTime.GetVarDate
End If
By creating a shortcut to this script on my desktop, I can double-click on the shortcut anytime I want to check whether I may be logged on using cached credentials. For example, if the script displays "Last logon using cached credentials at 6/19/2006 8:31:59 AM" and I recall that I arrived at the office this morning at 8:30 am and turned on my computer immediately, then most likely either our domain controller is down or our network is broken somewhere and I better call Help Desk to troubleshoot.
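The same check written for PowerShell, as an added example that is not part of the article and goes a step beyond it: besides reporting the most recent event 5719 as the VBScript does, it confirms the answer from the Security log, where on Windows Vista and later a logon event 4624 with Logon Type 11 (CachedInteractive) records that the interactive logon was satisfied from cached domain credentials rather than by a domain controller. It assumes a Vista-or-later client, rights to read the Security log, and a constructed five-minute correlation window.

```powershell
# Added example (not the article's script). Assumes Windows Vista or later
# (Get-WinEvent, Security event 4624) and permission to read the Security log.
param(
    # Assumed threshold: a 5719 this many minutes before a logon is treated as related
    [int]$WindowMinutes = 5
)

# Most recent NETLOGON 5719: the machine could not set up a secure session with a DC.
# Get-WinEvent returns newest first, so -MaxEvents 1 is the latest occurrence.
$lastNetlogonFailure = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5719 } `
    -MaxEvents 1 -ErrorAction SilentlyContinue

if ($null -eq $lastNetlogonFailure) {
    Write-Output 'No event 5719 found in the System log.'
} else {
    Write-Output ('Last event 5719 (domain controller unreachable): {0}' -f `
        $lastNetlogonFailure.TimeCreated)
}

# Helper: pull a named EventData field out of a 4624 record via its XML representation.
function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    $field = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    return $field.'#text'
}

# Most recent interactive logon of either kind: type 2 (Interactive, authenticated by a DC)
# or type 11 (CachedInteractive, satisfied from the local credential cache).
$lastInteractive = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
    -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object {
        $type = Get-EventDataField -Event $_ -Name 'LogonType'
        $type -eq '2' -or $type -eq '11'
    } | Select-Object -First 1

if ($null -eq $lastInteractive) {
    Write-Output 'No interactive logon (4624 type 2/11) found; check Security log access.'
    return
}

$logonType = Get-EventDataField -Event $lastInteractive -Name 'LogonType'
$account   = '{0}\{1}' -f (Get-EventDataField -Event $lastInteractive -Name 'TargetDomainName'),
                          (Get-EventDataField -Event $lastInteractive -Name 'TargetUserName')

if ($logonType -eq '11') {
    Write-Output ('{0} logged on at {1} using CACHED credentials (Logon Type 11).' -f `
        $account, $lastInteractive.TimeCreated)
} else {
    Write-Output ('{0} logged on at {1} and was authenticated by a domain controller.' -f `
        $account, $lastInteractive.TimeCreated)
}

# Correlate the two sources the way the article suggests: a 5719 shortly before the logon
# explains why the logon fell back to the cache.
if ($lastNetlogonFailure -and
    $lastNetlogonFailure.TimeCreated -le $lastInteractive.TimeCreated -and
    $lastNetlogonFailure.TimeCreated -ge $lastInteractive.TimeCreated.AddMinutes(-$WindowMinutes)) {
    Write-Output ('Event 5719 occurred within {0} minutes before this logon.' -f $WindowMinutes)
}
```

A 5719 written during startup can also mean only that the network adapter was not yet up when the Netlogon service first tried to reach a domain controller, so the 4624 Logon Type 11 record is the confirmation to rely on; a later successful connection to the domain does not retroactively change how the session was authenticated, so a session flagged here still needs a log off and log on to pick up group policy, logon scripts and fresh Kerberos tickets.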
Related reading:
Are cached credentials secure?
ITworld.com