Domain logon, Windows remembers/caches only 10-11 and I need more.

mrk

Hi,

I have Googled and Googled but the nature of this problem is somewhat unique in that we have a machine at a remote site where 15 users work shift patterns so have a domain account they log in with over VPN.

The setup:
- The machine is set up locally at company HQ (here) and is wired into the domain (Windows 7 Pro x64 at present, tried XP Pro x86 as well).
- All 15 domain accounts are added to the administrative group through "control userpasswords2".
- VPN is installed and configured, no problems.

The problem:
- The network cable is then unplugged and I then tether a 3G connection via Dongle/Phone to the PC to emulate an external connection so I can test the VPN works for each user.
- 10 users can log on to the PC just fine using their domain account but the remaining 5 cannot as Windows Logon complains that there is "no service available to service the logon request".
- If I reconnect the network cable those 5 users can log on again but upon disconnecting the cable and re-trying a new set of 5 users cannot log in while the remaining 10 can. Same error.

As you can imagine, the users need to be able to log in from the remote site but since the VPN is not connected before logon, the domain controller is not found.

I'm wondering if there's a setting in the Registry that can increase the cached user amount from 10 to a higher number? I have checked the local security policy and could not find anything relevant, and Googling brings unrelated results for the error.

The Event Viewer entry for the logon failure is this:

Event Viewer "System" entry:
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

ErrorCode 1222
ErrorDescription The network is not present or not started.

That entry is pretty obvious, it failed because the network cable is unplugged, I know this but need all 15 users to be able to log in to the PC using their domain account so that they can VPN in!

Thanks!
 
There is a group policy regarding caching of domain account details. We recently had an issue where a user could not log in because his password had expired and it would not allow him to change it because he could not unlock his PC or something along those lines. I found a group policy setting to enable caching of domain passwords. Have a look for it.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Look at the interactive logon options. There is one to set cache limit.
 
Hey cheers!

Just as I came back to check this thread I searched and found a caching entry (see below) that seems to have solved the problem.

Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Entry:
cachedLogonsCount

The default value was set to 10. Bingo!
Increased to 20 and now all good :)

Balance restored :)
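
The registry change described in the thread, as an added PowerShell example that is not part of the original posts: it reads the current cached-logon limit, validates the requested size against the 0-50 range Windows accepts, and only writes when the limit is too low. The function name, its parameters and the default margin of 2 are assumptions made for illustration; the key and value name are the ones quoted above.

```powershell
# Added example (not from the thread). Run from an elevated prompt, e.g.:
#   Set-CachedLogonLimit -RequiredUsers 15 -WhatIf
# Function name, parameters and the margin are hypothetical.
function Set-CachedLogonLimit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Distinct domain users who must be able to log on without a DC.
        [Parameter(Mandatory = $true)]
        [ValidateRange(1, 50)]
        [int]$RequiredUsers,

        # Spare slots so a one-off logon does not evict a regular user.
        [ValidateRange(0, 10)]
        [int]$Margin = 2
    )

    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $name = 'CachedLogonsCount'

    # Windows accepts 0-50 for this value; 0 disables cached logons.
    $target = [Math]::Min($RequiredUsers + $Margin, 50)

    # The value is stored as REG_SZ, so parse it. Absent means the default, 10.
    $raw = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $current = 10
    if ($null -ne $raw -and -not [int]::TryParse([string]$raw, [ref]$current)) {
        throw "Unexpected $name value '$raw' under $key"
    }

    $changed = $false
    if ($current -ge $target) {
        Write-Verbose "$name is already $current (target $target); nothing to do."
    }
    elseif ($PSCmdlet.ShouldProcess("$key\$name", "Set to $target (was $current)")) {
        # -Force overwrites the existing value and keeps the REG_SZ type.
        New-ItemProperty -Path $key -Name $name -Value "$target" `
            -PropertyType String -Force | Out-Null
        $changed = $true
    }

    # Report what was found and done, for change records.
    New-Object PSObject -Property @{
        Previous = $current; Target = $target; Changed = $changed
    }
}
```

A domain GPO that sets "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" writes the same value and replaces a local edit at the next policy refresh. Each cached entry is a stored password verifier on the machine's disk, so size the limit to the users who actually need offline logon rather than setting it to the maximum.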
 