Logon restriction hours

Thiago N 21 Reputation points
2020-09-27T01:42:45.397+00:00

Hi
Why don't logon restriction hours work when the domain cannot be reached?
E.g. I unplug the Ethernet and the user can log on normally. Put the Ethernet back and the user cannot log in anymore.
What's the mechanism behind this?
Thank you !

Windows Server Security

Accepted answer
  1. Hannah Xiong 6,256 Reputation points
    2020-09-29T02:59:20.777+00:00

    Hi,

    You are welcome. Thank you so much for your kind reply.

    This is due to "Cached Credentials". Whenever you log on successfully to the domain on a computer, Windows stores your credentials. The hours could not be cached.

    I can totally understand your concerns. As you mentioned, we could disable the cached credentials. Below is a document discussing the concerns about cached credentials and how to disable them. Please have a look.

    Disable Cached Credentials In Windows
    http://www.frickelsoft.net/blog/?p=49

    Thank you so much for your time and support.

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Best regards,
    Hannah Xiong



3 additional answers

  1. Hannah Xiong 6,256 Reputation points
    2020-09-28T02:01:10.07+00:00

    Hello,

    Thank you so much for posting here.

    I did the same test in my AD environment. First I set the logon restriction hours as shown below. In my case, the user could not log on.

    [screenshot: 28536-11.png]

    Then, once the Ethernet was disabled, the user could log on normally. Putting the Ethernet back, the user could not log in anymore, as shown below. It is the same as you described.

    [screenshot: 28537-1.png]

    With the Ethernet disabled, a user can log on to a Windows domain by using cached account information. Logon information for domain accounts can be cached locally so that, if a domain controller cannot be contacted on subsequent logons, a user can still log on.

    When users log on to an Active Directory domain, a form of the logon information is cached locally on their machines. This cached credential makes it easy for users to log on to their Windows machines when they have no way of reaching the domain controller for authentication.

    If the user account is disabled, and the machine is disconnected from the domain network, the user could sign in with domain name\user account. Once connecting to the network again, the user could not sign in since the account has been disabled.

    Hope the information is helpful. For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

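The two answers above describe the behaviour but not where to look for it. The logon-hours restriction lives in the user's `logonHours` attribute in Active Directory and is evaluated by the domain controller when it authenticates the user; a cached logon is verified against the locally stored credential verifier (under `HKLM\SECURITY\Cache`) without contacting a DC, so the attribute is never consulted. The number of cached logons is controlled by the `CachedLogonsCount` value under the Winlogon key (the policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)"; default 10, range 0 to 50). The following PowerShell is an added example, not code from the thread: it reads and sets that value and decodes a user's `logonHours` bitmask so you can see exactly what the DC enforces and the cache does not. It assumes an elevated session on a domain-joined client, the ActiveDirectory module (RSAT) for the `Get-ADUser` call, and the placeholder account name `jdoe`.

```powershell
# Added example for this thread (not the original poster's or Microsoft's code).
# Assumes: elevated PowerShell on a domain-joined client; ActiveDirectory module for Get-ADUser.
# 'jdoe' is a placeholder user name.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    # CachedLogonsCount is a REG_SZ; when the value is absent Windows uses its default of 10.
    $v = Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 10 }
    return [int]$v.CachedLogonsCount
}

function Set-CachedLogonsCount {
    param([ValidateRange(0, 50)][int]$Count)
    # 0 disables caching entirely: a domain account can then only sign in while a DC is reachable,
    # so the logon-hours check (and account disablement) cannot be bypassed by going offline.
    Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value "$Count" -Type String
}

function ConvertFrom-LogonHours {
    param([byte[]]$LogonHours)
    # logonHours is 21 bytes = 168 bits, one bit per hour of the week starting Sunday 00:00 UTC.
    # A set bit means logon is permitted. Within each byte the least significant bit is the earliest hour.
    # Returns the list of permitted hours as strings, e.g. 'Mon 08:00 UTC'.
    $days = 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'
    $allowed = New-Object System.Collections.Generic.List[string]
    for ($hour = 0; $hour -lt 168; $hour++) {
        $byteIndex = [int][math]::Floor($hour / 8)
        $bit = $hour % 8
        if ((($LogonHours[$byteIndex] -shr $bit) -band 1) -eq 1) {
            $day = $days[[int][math]::Floor($hour / 24)]
            $allowed.Add(('{0} {1:00}:00 UTC' -f $day, ($hour % 24)))
        }
    }
    return $allowed
}

# 1. What this client will allow offline.
Write-Host "CachedLogonsCount on this host: $(Get-CachedLogonsCount)"

# 2. What the DC enforces for the user. No logonHours attribute means no restriction at all.
$user = Get-ADUser -Identity 'jdoe' -Properties logonHours
if ($user.logonHours) {
    $allowed = ConvertFrom-LogonHours -LogonHours ([byte[]]$user.logonHours)
    Write-Host "jdoe may log on during $($allowed.Count) of 168 hours per week (UTC):"
    $allowed | Select-Object -First 5 | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "jdoe has no logonHours restriction."
}

# 3. Hardening for machines that should never accept an offline domain logon:
# Set-CachedLogonsCount -Count 0
```

Prefer pushing the setting through Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options) rather than editing the registry by hand; the script is for verification. Before setting the count to 0, remember that it also stops legitimate offline sign-ins, so laptops that travel will need a reachable DC (for example over VPN at the logon screen) or a different mitigation such as limiting which accounts may log on to those machines.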

  2. Thiago N 21 Reputation points
    2020-09-28T10:44:36.61+00:00

    Hi!

    Thank you for the answer.
    Even if the cache exists, would it not be more "consistent" if the hours could be cached too?
    Because to me it seems more like, let's say, a point of failure that someone with bad intentions would try to exploit (e.g. I disable my Ethernet, and I can log on outside hours using the cache).
    I know one possible solution could be to disable the cache, but this exists for a purpose.
    Thank you very much.


  3. Thiago N 21 Reputation points
    2020-09-30T10:39:30.737+00:00

    Thank you very much!
