Analysis: Require Domain Controller Authentication to Unlock Workstation

Security
Published Jan 26, 2012 Updated Dec 17, 2022

Among the many security options that are configurable via Group Policy, there is a setting Interactive logon: Require Domain Controller authentication to unlock workstation. For security reasons, this is often enabled. Let’s have a closer look at the implications. Those are different from what one might think because the name is a little misleading.

What Does it Do?

By default, when a locked Windows computer is unlocked, it does not communicate with a domain controller. It validates the password against its list of locally stored cached credentials. Enabling Require Domain Controller authentication to unlock workstation does not change this, at least not if the computer is offline. If no domain controller can be reached, the computer still uses its locally cached credentials to authenticate the user.

Only when the computer is online does enabling Require Domain Controller authentication to unlock workstation change the system’s behavior. In that case, it tries to communicate with a domain controller. If that attempt succeeds, it performs additional checks, for example, if the account is disabled.

[random lady](http://www.flickr.com/photos/ritwikdey/582149018/) by [ritwikdey](http://www.flickr.com/photos/ritwikdey/) under [CC](http://creativecommons.org/licenses/by/2.0/deed.de) — random lady by ritwikdey under CC

Securing the Lock Screen

If you want to force communication with a domain controller when users need to be authenticated, the list of cached credentials needs to be disabled. To do that, set the following security option to 0: Interactive logon: Number of previous logons to cache (in case domain controller is not available). That severely limits the usefulness of affected computers in mobile scenarios, though.

Conclusion

The policy Interactive logon: Require Domain Controller authentication to unlock workstation should rather be called Do not use cached credentials when unlocking workstations when a domain controller can be reached. The usefulness of this setting on clients is overrated. It can be valuable to secure terminal servers, though, where end users do not have access to the physical machine.

Authentication Domain Controller Group Policy Logon Screen Saver

Comments

Comments are powered by Giscus. Please enable JavaScript to view them, or view discussions directly on GitHub.

Related Posts

How Group Policy Impacts Logon Performance #1: CSEs

How Group Policy Impacts Logon Performance #1: CSEs

This article is based on my Citrix Synergy 2015 session and is the first in a mini-series on Group Policy performance. All measurements by uberAgent on Windows Server 2012 R2 with Citrix XenApp 7.6 in a steady state.

Performance/Sizing

Finding (Executables in) User-Writeable Directories

Finding (Executables in) User-Writeable Directories

This article presents two different detection types for insecure filesystem permissions on Windows endpoints: scanning for directories that are user-writable, and detecting processes that are started from user-writeable directories. Directory Scan With ListUserWriteableDirectories & SetACL My ListUserWriteableDirectories script is an implementation of the first detection type: it scans the filesystem listing any permissions not known to be safe.

authentik: Authentication, SSO, User Management & Password Reset for Home Networks

authentik: Authentication, SSO, User Management & Password Reset for Home Networks

This is my second article on how to set up a modern user management and authentication system for services on your internal home network. In the previous article, I used Authelia as IdP. I looked for an alternative and explored authentik because I had some trouble getting OpenID Connect to work with Authelia. I figured it out eventually, but in the meantime, I’d already completed the authentik configuration, so here is the documentation of an alternative SSO implementation.

Home Automation, Networking & Self-Hosting

Docker Monitoring With Prometheus, Automatic HTTPS & SSO Authentication

Docker Monitoring With Prometheus, Automatic HTTPS & SSO Authentication

This article, effectively part 2 of my Grafana setup guide, explains how to set up Prometheus, Node Exporter, and cAdvisor with automatic HTTPS certificates (via Caddy) and OAuth single sign-on (via Authelia). This post is part of my series on home automation, networking & self-hosting that shows how to install, configure, and run a home server & network with dockerized or virtualized services.

Home Automation, Networking & Self-Hosting

Latest Posts

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In the first post, I showed how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In this second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In this first post, I’m showing how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In a second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.

Scripted WordPress to Hugo Migration

Scripted WordPress to Hugo Migration

After having published in WordPress for almost 20 years, it was time for a change. This site is now rendered by Hugo, a static website generator built for Markdown content hosted in a Git repository. The migration from WordPress (HTML) to Hugo (Markdown) was far from trivial. Since I couldn’t find any tool for the job, I developed my own set of migration scripts that fully automate the migration process. You can find them on GitHub along with extensive documentation.

Mitsubishi Heat Pump Data in Home Assistant via Modbus

Mitsubishi Heat Pump Data in Home Assistant via Modbus

This article shows how to get detailed information about your Mitsubishi heat pump’s status and operations into Home Assistant. Prerequisites You’ll need a Mitsubishi Modbus interface, either the older A1M (serial Modbus/RTU via RS-485 only) or the newer A1M+ (Modbus/TCP via Ethernet in addition to Modbux/RTU). I’m using the Ethernet variant.

Home Automation, Networking & Self-Hosting