Hey everyone,
A colleague mentioned the 'Interactive logon: Number of previous logons to cache' setting, and while setting it to 2 on workstations makes sense, we're unsure about servers. Some suggest setting it to 0, claiming that credentials from users in the Protected Users group aren't cached. Others pointed out that during a past incident where all Domain Controllers (DCs) were down, some servers could still be accessed thanks to cached credentials. It wasn't ideal, but it helped us out.
I'm curious, in a worst-case scenario where Active Directory goes down, what's the best way to access a few servers? Should we focus on booting a DC from backup to retrieve LAPS passwords, or is training on resetting local admin accounts the way to go?
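The setting discussed above is backed by the CachedLogonsCount value under the Winlogon registry key. The script below is an added example for this thread, not code posted by anyone in it: it reports the value a host currently has, compares it with the per-role number being debated (2 for workstations, 0 for servers, which is the thread's proposal and not a Windows default), and can enforce it. It assumes an elevated PowerShell session on the host being checked; the role mapping and the function names are mine.

```powershell
# Added example, not from the original thread.
# Audits (and optionally enforces) the registry value behind the
# "Interactive logon: Number of previous logons to cache" policy.
# Assumptions: elevated PowerShell on the target host; the role-to-value
# mapping below is the thread's proposal (workstation 2, server 0).

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Desired cached-logon count per role (assumed values from the discussion).
$DesiredCount = @{
    Workstation = 2
    Server      = 0
}

function Get-CachedLogonsCount {
    # Stored as REG_SZ. When the value is absent Windows uses its default of 10.
    $item = Get-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }
    return [int]$item.CachedLogonsCount
}

function Get-HostRole {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    switch ($os.ProductType) {
        1       { 'Workstation' }
        default { 'Server' }
    }
}

function Test-CachedLogonsPolicy {
    param([switch]$Enforce)

    $role    = Get-HostRole
    $current = Get-CachedLogonsCount
    $wanted  = $DesiredCount[$role]

    $result = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Role         = $role
        Current      = $current
        Desired      = $wanted
        Compliant    = ($current -eq $wanted)
    }

    if (-not $result.Compliant -and $Enforce) {
        # Winlogon reads this value as REG_SZ, so write it as a string.
        Set-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -Value "$wanted" -Type String
        $result.Current   = Get-CachedLogonsCount
        $result.Compliant = ($result.Current -eq $wanted)
    }

    return $result
}

# Report only; add -Enforce to write the role's value.
Test-CachedLogonsPolicy | Format-Table -AutoSize
```

Two caveats when using this: a value written directly to the registry is overwritten at the next Group Policy refresh if a GPO defines the same setting, so the durable place for the number is the GPO itself (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options), which writes this same value; and, as the question notes, members of Protected Users never get cached credentials regardless of what this value says, so the count only governs accounts outside that group.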
6 Answers
Relying on cached credentials isn't a great plan. You lose track of who logged in last and which password they used. If AD goes down, that's a major disaster recovery situation, so it's best to plan ahead. Considering more DCs could help with resilience.
Exactly! More DCs means fewer headaches overall.
If you've got a solid system for managing local admin credentials, caching on servers really isn't necessary. I’ve been running with no cached credentials on LAPS-enabled servers for almost a decade without any problems, even during major disaster recovery scenarios.
Yeah, we were lucky before since we were a small team and knew who accessed what last. But you’re right, the focus should be on keeping AD operational. We've expanded and set up DCs across multiple sites now.