How can I clear cached domain credentials?


Solution 1

David Yu's answer is pretty much on-target, but there is a way to do this without editing the registry directly. Again though, this will only work if the setting is not configured by GPO.

First, I'd like to point out where the cached credential data is stored. This will help demonstrate (and, for troubleshooting purposes, verify) the effect of the configuration changes.

WARNING: I found this information in several places on the Internet, most of which recommended against modifying these values manually.

The registry key that stores cached domain logins is hidden even from Administrators. It is only accessible by the SYSTEM account. Therefore, to view it you will need a tool like psexec (available from Microsoft, but not installed by default) which will allow you to run regedit as SYSTEM. The command line to do this (assuming it is installed, and in your %PATH%) is:

psexec -d -i -s regedit

Once you're in there, navigate to HKLM\SECURITY\Cache\. Here, you should see several BINARY values. There will be one named NL$Control, and others named NL$## for each slot that you have available for cached credentials. (Default 10)

[Screenshot: HKLM\SECURITY\Cache on Server 2003]

Again, I want to emphasize here that you should not manually modify or delete this key or its values.

So, now that we know where the data is cached, and that we should not touch it there, how do we clear it?

Again, David Yu's answer will point you to the right registry key. But, if you'd rather not modify the registry directly, there is another way to do this via the Local Security Policy.

secpol.msc

In the Security Settings tree, navigate to Local Policies\Security Options. Here will be a policy called Interactive logon: Number of previous logons to cache (in case domain controller is not available).

[Screenshot: Local Security Policy on Server 2003]

By default this is set to 10 logons. To clear the cache, set it to zero and click OK. On Server 2008, this will take effect immediately. For Server 2003, you will need to reboot. The effect can be seen in HKLM\SECURITY\Cache\, where there will no longer be any NL$## values.

[Screenshot: Cleared credential cache on Server 2003]

To re-enable credential caching, edit the same Policy to reflect your preferred value and hit OK. Again, if you're on Server 2008, this will take effect immediately. Server 2003 will require a reboot. Note that, if you are doing this on Server 2008 and you have not logged off or rebooted yet, you can see that the cache slots have been restored but no actual data is in them.

[Screenshot: Empty credential cache slots on Server 2008]

Doing this without logoff or reboot in Server 2008 can be useful if you want to just do a quick, one-time check of whatever function requires temporarily-disabled credential caching. It also helps ensure you don't forget to revert the change after your next login.
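The answer above verifies the effect by opening regedit as SYSTEM and eyeballing the NL$## values. The following PowerShell script is an added example (not part of the answer) that does the same check non-interactively: run through PsExec as SYSTEM, it lists every NL$## slot under HKLM\SECURITY\Cache, reports its size, and counts how many actually hold data. It assumes PsExec is on the PATH and that the script was saved under the file name shown; treating an all-zero slot as "empty" is an assumption drawn from the screenshots in the answer, not something the page states outright.

```powershell
# Added example, not from the original answer.
# Enumerate the cached-logon slots under HKLM\SECURITY\Cache and report
# which ones hold data. HKLM\SECURITY is readable only by SYSTEM, so run
# this through PsExec (Sysinternals, assumed to be on the PATH), e.g.:
#   psexec -s powershell.exe -ExecutionPolicy Bypass -File .\Show-CachedLogonSlots.ps1
# The script only READS the key; it never modifies or deletes NL$ values.

$cacheKey = 'HKLM:\SECURITY\Cache'

if (-not (Test-Path -Path $cacheKey)) {
    Write-Error "Cannot open $cacheKey - are you running as SYSTEM (psexec -s)?"
    exit 1
}

$key = Get-Item -Path $cacheKey

# Pick out NL$0, NL$1, ... and sort them numerically rather than as strings.
$slots = $key.GetValueNames() |
    Where-Object { $_ -match '^NL\$\d+$' } |
    Sort-Object { [int]($_ -replace '^NL\$', '') }

$populated = 0
foreach ($name in $slots) {
    $data = $key.GetValue($name)   # REG_BINARY is returned as byte[]

    # Assumption: an unused/cleared slot is all zero bytes, a used slot is not.
    # The slot contents are opaque here; nothing is parsed or changed.
    $inUse = (@($data | Where-Object { $_ -ne 0 }).Count -gt 0)
    if ($inUse) { $populated++ }

    '{0,-8} {1,6} bytes  {2}' -f $name, $data.Length, $(if ($inUse) { 'populated' } else { 'empty' })
}

"Slots present: $($slots.Count)   populated: $populated"

# The policy behind the slot count is the Winlogon CachedLogonsCount value;
# show it alongside so the two can be compared after a change.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$count = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
"CachedLogonsCount (REG_SZ): $(if ($null -eq $count) { '(not set, default 10)' } else { $count })"
```

Run it once before and once after changing the policy: after setting the policy to zero there should be no NL$ slots at all, and after restoring the value on Server 2008 (without a logoff) the slots should reappear but all report "empty".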

Solution 2

You could modify the registry of the system to disable cached logon credentials. Set the registry key to 0. This will require a reboot after each change. This also assumes you don't have a GPO that sets this key.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

ValueName: CachedLogonsCount

Data Type: REG_SZ

Values: 0 - 50
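As an added example (not part of the answer above), the same registry change scripted in PowerShell: it reads the current CachedLogonsCount, sets it to 0 to flush the cache, and then puts the previous value back so that future logons are cached again. It must run elevated, and as the answer notes it is pointless if a GPO delivers the value, since the policy would simply reapply it. The function names are the example's own.

```powershell
# Added example, not from the original answer. Run from an elevated prompt.
# Toggles HKLM\...\Winlogon\CachedLogonsCount (REG_SZ, "0".."50") to clear the
# cached domain logons, then restores the previous setting.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    # The value is REG_SZ, so it comes back as a string. If it is absent,
    # Windows uses its default of 10.
    $v = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $v) { return 10 }
    return [int]$v
}

function Set-CachedLogonsCount {
    param(
        [Parameter(Mandatory)]
        [ValidateRange(0, 50)]   # the documented range for this value
        [int]$Count
    )
    # Write it back as a string so the REG_SZ type is preserved.
    Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value ([string]$Count) -Type String
}

$original = Get-CachedLogonsCount
"Current CachedLogonsCount: $original"

# 1. Disable caching. Solution 1 reports this takes effect at once on
#    Server 2008; this answer says to reboot after each change, and on
#    Server 2003 a reboot is required. If in doubt, reboot.
Set-CachedLogonsCount -Count 0
"CachedLogonsCount set to $(Get-CachedLogonsCount) - cached logons cleared"

# 2. Do whatever needs an uncached logon here (e.g. the wireless domain
#    logon test from the question), then continue to step 3.

# 3. Restore the old setting. Previously cached credentials are NOT brought
#    back by this; only logons from now on will be cached again.
Set-CachedLogonsCount -Count $original
"Restored CachedLogonsCount to $(Get-CachedLogonsCount)"
```

Keep the restore step in the same script rather than relying on memory; a box left at 0 cannot log domain users on at all while the DC is unreachable.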

Solution 3

The way to modify cached credentials stored is (oddly enough) by modifying the security options\Interactive logon: Number of previous logons to cache policy via group policy editor (gpedit)



Author: Iszi

Updated on September 18, 2022

Comments

  • Iszi (over 1 year ago)

    Related: How can I enable domain authentication over wireless in Windows 7/2k8?

    To test the domain login over wireless connection feature I'm trying to set up in the above question, I need an account that hasn't had its domain credentials cached on the local system. Unfortunately, there's only so many people in my office who might help me test this, and even then I'd rather not bother them for it. So, I'd like to be able to clear my own cached credentials after each login.

    How can I clear the local cache, while still retaining the ability to cache credentials in the future?

  • Iszi (about 12 years ago)
    Keep in mind that this change would have to be reverted later, if you want to retain credential caching after testing is done. Reverting the change will not restore old cached credentials, but it will allow you to cache new logons.
  • Yanick Girouard (about 12 years ago)
    I fear David's answer is the best you can get. There doesn't seem to be a way to "clear" cached domain logons for a single user other than by disabling them altogether by setting this registry value to 0.
  • Iszi (about 12 years ago)
    @YanickGirouard There is an easier way, which doesn't require a reboot or raw registry edit - at least, not on Server 2k8. I'd already figured it out by the time I posted this question, but thought I'd give some time for someone else to post it. If nobody else has done so, I'll probably post my answer later today.
  • Yanick Girouard (about 12 years ago)
    Please do post your answer and accept it as soon as you can. That's what these forums are all about: sharing knowledge! Thank you :)
  • Iszi (about 12 years ago)
    @YanickGirouard That's why I posted this thread, so that the knowledge could be shared. I like to share the rep too though, if anyone cares to take the opportunity. I'm gathering screenshots for my answer now.
  • Iszi (almost 9 years ago)
    Your assumption about "the last few NL$" is invalid, unless you have done thorough testing. It's more likely that you simply haven't had 10 or more (or whatever the cache limit is set to) users log into the system since the last time the cache was cleared. That said, if you're really feeling adventurous enough to modify these values "manually", you could write a fairly simple script with PowerShell to handle it (run as SYSTEM of course) instead of having a big .reg file that you'd need to manually adjust depending on system configuration.
  • Iszi (almost 9 years ago)
    This removes the RDP client's "memory" of credentials, but it does not clear the cache from the target system.