July 29, 2025

Cached Domain Logon Credentials on Windows

Windows saves (caches) domain user credentials locally so users can log in without domain access if needed. This feature enables users to log on to their computers even when AD domain controllers are unavailable or powered off, or when the network cable is unplugged. This article examines the functionality and usage details of Cached Credentials in Windows domain environments.

Contents:
  • Understanding Cached Domain Credentials in Windows
  • Configure Credentials Caching with Group Policy
  • Security Risks of Cached Credentials on Windows Workstations
  • Clearing Cached Credentials on Windows

Understanding Cached Domain Credentials in Windows

A user can sign in to an offline Windows computer with cached credentials if they have logged in successfully on that device at least once before. A hash of the username and password is saved to the registry when the user logs on to a domain computer. If the Active Directory domain is unavailable, Windows compares the entered username and password hash against the local cached credentials stored in the registry. The user is allowed to log on to the computer locally if the hash is found, even if there is no connection to a domain controller.

Using cached credentials allows mobile users to log in to their laptops and access their data even when disconnected from the corporate network.

Cached credentials are stored in the registry under the reg key HKEY_LOCAL_MACHINE\Security\Cache (file %systemroot%\System32\config\SECURITY). Each saved hash is stored in the NL$x parameter (where x is a cached data index).

By default, even the local administrator cannot access this registry key. However, it is possible to view its contents using Regedit.exe if you run it with NT AUTHORITY\SYSTEM privileges using the PsExec tool.

PsExec.exe -i -s regedit.exe

View cached user credentials in the registry

The credential hash does not contain the domain username and password in plain text. Instead, a salt derived from the username is applied to the password hash, and the result (in the MS-Cache v2, or mscash2, format) is saved to the registry. Neither the password nor its plain hash can be extracted from the registry. Therefore, if an attacker obtains such a cryptographic hash, they will have to use brute force to crack the password.

The registry might contain multiple hashes of domain accounts that have previously logged into this computer. By default, the hashes of the last ten (10) users are saved.

Unlike domain passwords, the credentials stored in the registry never expire. They can only be overwritten by a new hash when a user logs in with a new password or when the credential cache limit is exceeded.

If there are no cached credentials in the local cache, the following message will appear when you try to log on to an offline computer:

There are currently no logon servers available to service the logon request.

Windows Logon error: There are currently no logon servers available to service the logon request.

When a user logs on to a computer using cached credentials, an event with Event ID 4624 (An account was successfully logged on) and Logon Type 11 (CachedInteractive) will appear in the Security log. These events can be used to view local logon attempts on a Windows computer. The following logon types are also possible:

  • Logon Type 12: CachedRemoteInteractive – remote connection using cached credentials
  • Logon Type 13: CachedUnlocked – the computer screen is unlocked after a period of inactivity using a cached password.
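The following PowerShell script is an added example (not from the original article) that reports logons made with cached credentials by reading Event ID 4624 from the Security log and keeping only Logon Types 11, 12 and 13; the $Days lookback window is an assumption.

```powershell
# Added example (not from the original article): report logons that used cached
# domain credentials, i.e. Event ID 4624 with Logon Type 11, 12 or 13.
# Run in an elevated PowerShell session; $Days is an assumed lookback window.
$Days = 30
$typeNames = @{ 11 = 'CachedInteractive'; 12 = 'CachedRemoteInteractive'; 13 = 'CachedUnlocked' }

$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$cachedLogons = foreach ($event in $events) {
    # EventData fields are easiest to read from the event XML
    $xml  = [xml]$event.ToXml()
    $data = @{}
    foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }

    $logonType = [int]$data['LogonType']
    if ($typeNames.ContainsKey($logonType)) {
        [pscustomobject]@{
            Time      = $event.TimeCreated
            User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType = '{0} ({1})' -f $logonType, $typeNames[$logonType]
            Process   = $data['ProcessName']
        }
    }
}

if (-not $cachedLogons) {
    Write-Host "No cached-credential logons found in the last $Days days."
    return
}

$cachedLogons | Sort-Object Time -Descending | Format-Table -AutoSize

# Which accounts have logged on with cached credentials, and how often.
# A privileged account appearing here means its hash is likely present in HKLM\SECURITY\Cache.
$cachedLogons | Group-Object User |
    Select-Object @{ n = 'User'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending
```

Running this on laptops before rolling out a CachedLogonsCount policy shows which accounts (and in particular which administrators) currently have hashes sitting in the local cache.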

Event ID 4624: CachedInteractive login

Configure Credentials Caching with Group Policy

Using Group Policy, you can set the number of unique users whose credentials may be saved in the local cache on domain computers.

You can change the maximum number of cached credentials using the GPO option Interactive logon: Number of previous logons to cache (in case domain controller is not available) under Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options. You can set any value from 0 to 50.

The default value is 10, meaning the registry stores the credential data of the last ten users who logged in.

Setting this to 0 will prevent Windows from caching user credentials. In this case, if the domain is unavailable and a user tries to log on, they will see the error:

There are currently no logon servers available to service the logon request.

Interactive logon: Number of previous logons to cache (in case domain controller is not available) - GPO to restrict the use of cached credentials on Windows

This option can also be configured using the REG_SZ registry value CachedLogonsCount in the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.

When logging in with saved credentials, the user does not see that the domain controller is unavailable. With GPO, you can display a notification that the logon used cached credentials. To do this, enable the Report when logon server was not available during user logon policy under Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Logon Options.

GPO - Report when logon server was not available during user logon

After a user logs on, the following notification will appear in the tray:

A domain controller for your domain could not be contacted. You have been logged on using cached account information. Changes to your profile since you last logged on might not be available.

This option can also be enabled via the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

  • ValueName: ReportControllerMissing
  • Data Type: REG_SZ
  • Value: 1

Security Risks of Cached Credentials on Windows Workstations

Local caching of user authentication data poses several security risks. An attacker who gains physical access to a computer or laptop with cached credentials can attempt to brute-force the password hash offline. How long this takes depends on the length and complexity of the password: a complex password can take an extremely long time to crack. Even so, caching the credentials of accounts with local administrator (or domain administrator) permissions is not secure.

Disabling credential caching on office and administrator computers is one way to mitigate security risks. For mobile devices, it is advisable to reduce the number of cached accounts to one. In other words, if an administrator logs into a laptop and their credentials are cached, the device owner's password hash will overwrite the administrator's cached credentials the next time the owner logs in.

The name of the last logged-on user can also be hidden from the Windows login screen.

You can create separate GPOs in your domain to control the use of cached credentials for different devices and user categories (for example, using GPO security filters, WMI filters, or deploying the CachedLogonsCount registry parameter using GPP item-level targeting).

  • For mobile (laptop) users: CachedLogonsCount = 1
  • For office desktops: CachedLogonsCount = 0

Such policies will reduce the chance of obtaining privileged user hashes from domain-joined computers.

You can enable BitLocker system drive encryption to protect cached credentials on mobile devices.

You can add administrator (privileged) accounts to the Protected Users built-in domain group (available in domains with a Windows Server 2012 R2 functional level or higher). Credential caching is not permitted for members of this security group.

Users who access their computers with cached logins and then establish a VPN tunnel to the corporate network may experience periodic lockouts of their domain accounts. This can happen if the password stored locally does not match the user’s password in the domain (for example, this could happen if the user has changed their password according to the domain’s password policy settings). To prevent this, configure Windows to run the VPN tunnel before the user logs in.

Clearing Cached Credentials on Windows

To clear cached credentials data, you must delete the NL$## entries from the registry. But doing this manually is not convenient since it requires running the removal command on behalf of SYSTEM.

To clear all saved credentials, enable the Group Policy option Interactive logon: Number of previous logons to cache (in case domain controller is not available) and set the value to 0 (as described above).

Or run the following command in elevated CMD:

reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CachedLogonsCount /t REG_SZ /d 0 /f

After you run the gpupdate /force command to apply the policy settings, the cached credentials are deleted from the registry.

Clear cached credentials on windows via cmd or gpo

Then you can either disable the policy or set it back to the default value of 10. After this, the credentials for all subsequent user logons to this computer will be automatically cached.
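The following PowerShell script is an added example (not from the original article) covering both the configuration section above and this clearing procedure: it reads CachedLogonsCount and ReportControllerMissing from the Winlogon key, then performs the set-to-0, gpupdate, restore sequence. The function names Get-CachedLogonSettings, Set-CachedLogonsCount and Clear-CachedLogons are my own.

```powershell
# Added example (not from the original article): audit and adjust the cached
# logon settings, then clear the cache using the 0 -> gpupdate -> restore
# sequence the article describes. Run in an elevated PowerShell session.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonSettings {
    $p = Get-ItemProperty -Path $winlogon
    [pscustomobject]@{
        CachedLogonsCount       = $p.CachedLogonsCount        # REG_SZ, default "10"
        ReportControllerMissing = $p.ReportControllerMissing  # REG_SZ, "1" = notify user
    }
}

function Set-CachedLogonsCount {
    param([Parameter(Mandatory)][ValidateRange(0, 50)][int]$Count)
    # The value is a REG_SZ string even though it holds a number
    Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value "$Count" -Type String
}

function Clear-CachedLogons {
    param([ValidateRange(0, 50)][int]$RestoreTo = 10)
    # Caveat: if a GPO manages this setting, the domain value wins on refresh,
    # so set 0 in the GPO (as the article describes) rather than locally.
    Set-CachedLogonsCount -Count 0
    gpupdate /force | Out-Null
    Set-CachedLogonsCount -Count $RestoreTo   # use 0 to keep caching disabled
}

'Before:'; Get-CachedLogonSettings
Clear-CachedLogons -RestoreTo 10
'After:';  Get-CachedLogonSettings
```

Pass -RestoreTo 0 on office desktops and -RestoreTo 1 on laptops to end up with the per-device values recommended in the security section.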

4 comments

iamauser June 1, 2021 - 10:53 pm

Does this also affect RDP?
What are the differences client/server-side?

Thx!

Shlomi June 14, 2021 - 8:00 pm

Lovely guide like always!!
many thanks

Blog thủ Thuật June 16, 2021 - 1:29 am

Thanks for the guide. Great post

Mark July 14, 2021 - 12:49 pm

Additionally:

1.) To read the NL$ entries you need SYSTEM rights, so you are already in god mode. Hacking admins as admin is not a hack; you already own the system.
2.) Thinking about utilman.exe/sethc.exe and all other attacks against the offline system: get back to 1.) You do not need cached credentials; you already own the system.
3.) You own the system, you can disable AV/EDR and run keyloggers waiting for someone logging on as a member of the Protected Users group.

Kudos to Paula: Cached Credentials: Important Facts That You Cannot Miss
https://cqureacademy.com/blog/windows-internals/cached-credentials-important-facts
