Channel: The Official Scripting Guys Forum! forum

How to test if user authenticated with cached credentials


I would like to gently remind users who have logged in with cached credentials for X days that they should bring their machine back and connect it to the network for a boot or two, and I'd like to push the structure out through GPO.  There is significant interest (and no answers) in expiring cached credentials after some time, but I don't want to prevent users from working, just request/annoy them to come "home" once in a while.

I have found mention of comparing %logonserver% with %computername% as a valid way to check for a cached login, but these mentions are old (~2003).  When I do that in Win7 while booted and logged in via cached credentials, my %logonserver% is the PDC of the user account's domain.  (The computer account is in a subordinate domain.)  Why would the system report a %logonserver% that is unreachable?  Has something changed in how this works?

What appears fairly foolproof (when done manually) is to monitor the Security Log for EventID 4624 with Login Type 11.  I can trigger a scheduled task on the EventID, but I don't know how to filter for Login Type.  I also don't think the scheduled task can work in the user's security context because the Security Log requires elevation or at least admin rights.  Is this true?  Additionally, I haven't a clue how to establish a scheduled task via GPO/script especially one that would run under local admin creds (with each laptop having a unique password). 

I can't believe something that seems so common sense is so challenging that it hasn't been solved yet.
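One way to build the check described in the post, added here as an example and not code from the original post or from the forum: a PowerShell script that reads 4624 events from the Security log, keeps only interactive (Logon Type 2) and cached-interactive (Logon Type 11) logons, and decides whether an account has been running on cached credentials for at least the threshold number of days. The script, task and function names (CachedLogonNag, C:\Scripts\CachedLogonNag.ps1, Get-InteractiveLogons, Test-CachedOnly, $NagAfterDays) are made up for the example. Running it as SYSTEM from an event-triggered task (so no per-laptop local admin password has to be stored), reaching the user's session with msg.exe, and the exact XPath accepted by the task trigger's custom event filter are assumptions, not something the post confirms.

```powershell
# CachedLogonNag.ps1 -- added example, not code from the original post.
# Assumptions: Windows 7 / PowerShell 2.0 or later; runs as SYSTEM (event-triggered task) or as a
# member of Administrators or "Event Log Readers", because an ordinary user cannot read the Security
# log; -NagAfterDays is the post's "X days"; msg.exe (Win7 Pro/Enterprise) delivers the reminder.
#
# Registering the trigger without a stored password (SYSTEM needs none), same XPath as below:
#   schtasks /Create /F /TN CachedLogonNag /RU SYSTEM /SC ONEVENT /EC Security `
#     /MO "*[System[(EventID=4624)] and EventData[Data[@Name='LogonType']='11']]" `
#     /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\CachedLogonNag.ps1"
param(
    [int]$NagAfterDays = 14,
    [string]$User,      # optional; defaults to the account of the newest cached logon
    [string]$Domain
)

# XPath that selects only 4624 events whose Logon Type is 11 (CachedInteractive). The same text
# goes into Task Scheduler: Trigger "On an event" -> Custom -> New Event Filter -> XML tab.
$CachedLogonXPath = "*[System[(EventID=4624)] and EventData[Data[@Name='LogonType']='11']]"

function Get-InteractiveLogons {
    # All 4624 events of type 2 (console logon with a DC reachable) or 11 (cached) in the last
    # $Days days, newest first. EventData is read from the event XML by field name, so the script
    # does not depend on the positional order of the 4624 properties.
    param([int]$Days)
    $since = (Get-Date).AddDays(-$Days)
    try {
        $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction Stop
    } catch {
        if ($_.Exception.Message -like 'No events were found*') { return @() }
        throw   # typically "Access is denied": the caller lacks rights to the Security log
    }
    $events | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if (@('2', '11') -contains $d['LogonType']) {
            New-Object PSObject -Property @{
                Time      = $_.TimeCreated
                LogonType = [int]$d['LogonType']
                User      = $d['TargetUserName']
                Domain    = $d['TargetDomainName']
            }
        }
    } | Sort-Object Time -Descending
}

function Test-CachedOnly {
    # Decides whether $Domain\$User has been on cached credentials for $Days or more: the newest
    # logon is type 11 and no type 2 logon for that account appears anywhere in the window.
    param([int]$Days, [string]$User, [string]$Domain)
    $all = @(Get-InteractiveLogons -Days $Days)
    if (-not $User) {
        # Running as SYSTEM: take the account from the newest cached logon (always a domain user).
        $newestCached = $all | Where-Object { $_.LogonType -eq 11 } | Select-Object -First 1
        if (-not $newestCached) { return $null }   # nobody logged on with cached credentials in the window
        $User = $newestCached.User
        $Domain = $newestCached.Domain
    }
    $mine = @($all | Where-Object { $_.User -eq $User -and (-not $Domain -or $_.Domain -eq $Domain) })
    if ($mine.Count -eq 0) { return $null }
    $lastOnline = $mine | Where-Object { $_.LogonType -eq 2 } | Select-Object -First 1
    if ($lastOnline) { $cachedDays = ((Get-Date) - $lastOnline.Time).Days } else { $cachedDays = $Days }
    New-Object PSObject -Property @{
        User            = $User
        Domain          = $Domain
        LatestLogonType = $mine[0].LogonType
        LastOnlineLogon = $(if ($lastOnline) { $lastOnline.Time } else { $null })
        CachedOnlyDays  = $cachedDays
        ShouldNag       = ($mine[0].LogonType -eq 11 -and $cachedDays -ge $Days)
    }
}

$status = Test-CachedOnly -Days $NagAfterDays -User $User -Domain $Domain
if ($status -and $status.ShouldNag) {
    $text = "You have been logging on with cached credentials for $($status.CachedOnlyDays) or more days. " +
            "Please connect this laptop to the office network and reboot so your password and policies refresh."
    # Assumption: msg.exe reaches the user's interactive session even when this runs as SYSTEM.
    & msg.exe $status.User $text
}
```

Two design points worth noting. First, the window used to query the log is the same as the threshold, so the absence of any type 2 logon inside the window is itself the evidence that the account has been cached-only for at least that long; the script never has to scan the whole log. Second, the access check is fail-closed: "No events were found" is treated as "nothing to do", but an access-denied error is rethrown rather than swallowed, so a task that accidentally runs without rights to the Security log fails visibly instead of silently never nagging anyone.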

