Analysis: Require Domain Controller Authentication to Unlock Workstation

Security
Published Jan 26, 2012 Updated Dec 17, 2022

Among the many security options that are configurable via Group Policy, there is a setting Interactive logon: Require Domain Controller authentication to unlock workstation. For security reasons, this is often enabled. Let’s have a closer look at the implications. Those are different from what one might think because the name is a little misleading.

What Does it Do?

By default, when a locked Windows computer is unlocked, it does not communicate with a domain controller. It validates the password against its list of locally stored cached credentials. Enabling Require Domain Controller authentication to unlock workstation does not change this, at least not if the computer is offline. If no domain controller can be reached, the computer still uses its locally cached credentials to authenticate the user.

Only when the computer is online does enabling Require Domain Controller authentication to unlock workstation change the system’s behavior. In that case, it tries to communicate with a domain controller. If that attempt succeeds, it performs additional checks, for example, if the account is disabled.

[random lady](http://www.flickr.com/photos/ritwikdey/582149018/) by [ritwikdey](http://www.flickr.com/photos/ritwikdey/) under [CC](http://creativecommons.org/licenses/by/2.0/deed.de) — random lady by ritwikdey under CC

Securing the Lock Screen

If you want to force communication with a domain controller when users need to be authenticated, the list of cached credentials needs to be disabled. To do that, set the following security option to 0: Interactive logon: Number of previous logons to cache (in case domain controller is not available). That severely limits the usefulness of affected computers in mobile scenarios, though.

Conclusion

The policy Interactive logon: Require Domain Controller authentication to unlock workstation should rather be called Do not use cached credentials when unlocking workstations when a domain controller can be reached. The usefulness of this setting on clients is overrated. It can be valuable to secure terminal servers, though, where end users do not have access to the physical machine.

Authentication Domain Controller Group Policy Logon Screen Saver

Comments

Comments are powered by Giscus. Please enable JavaScript to view them, or view discussions directly on GitHub.

Related Posts

Docker Monitoring With Prometheus, Automatic HTTPS & SSO Authentication

Docker Monitoring With Prometheus, Automatic HTTPS & SSO Authentication

This article, effectively part 2 of my Grafana setup guide, explains how to set up Prometheus, Node Exporter, and cAdvisor with automatic HTTPS certificates (via Caddy) and OAuth single sign-on (via Authelia). This post is part of my series on home automation, networking & self-hosting that shows how to install, configure, and run a home server & network with dockerized or virtualized services.

Home Automation, Networking & Self-Hosting

Portainer Setup Guide With Automatic HTTPS & OAuth SSO via Authelia

Portainer Setup Guide With Automatic HTTPS & OAuth SSO via Authelia

This article explains how to set up Portainer with automatic HTTPS certificates (via Caddy) and OAuth single sign-on (via Authelia). This post is part of my series on home automation, networking & self-hosting that shows how to install, configure, and run a home server & network with dockerized or virtualized services.

Home Automation, Networking & Self-Hosting

ownCloud Infinite Scale With OpenID Connect Authentication for Home Networks

ownCloud Infinite Scale With OpenID Connect Authentication for Home Networks

This article explains how to set up ownCloud Infinite Scale with OpenID Connect authentication to Authelia or authentik. This post is part of my series on home automation, networking & self-hosting that shows how to install, configure, and run a home server & network with dockerized or virtualized services.

Home Automation, Networking & Self-Hosting

Authelia & lldap: Authentication, SSO, User Management & Password Reset for Home Networks

Authelia & lldap: Authentication, SSO, User Management & Password Reset for Home Networks

This article explains how to set up a simple but modern user management and authentication system for services on your internal home network. The solution supports important security features like two-factor authentication and single sign-on, and only requires minimal maintenance due to self-service password reset. This article is part of my series on home automation, networking & self-hosting that shows how to install, configure, and run a home server & network with dockerized or virtualized services.

Home Automation, Networking & Self-Hosting

Latest Posts

Changing the Location of PowerShell Profile Scripts

A PowerShell profile is an init script that is executed when the shell starts. PowerShell searches for profile scripts in hard-coded locations. This article explains how to move profile scripts to any directory of your choice.

Changing the Location of the Windows Terminal Settings Files

Changing the Location of the Windows Terminal Settings Files

Windows Terminal stores its settings in configuration files that resides in the Windows user profile. This article explains how to move them to any directory of your choice. Where are the Settings Files Located? The location of the Windows Terminal settings file is hard-coded. The exact path depends on the app variant you installed, but it’s always in the user profile:

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In the first post, I showed how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In this second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In this first post, I’m showing how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In a second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.