Caching domain credentials on workstations is useful if the computer gets disconnected from the network or the PDC/BDC/DC is down. Instead of having the whole building run after me (the admin), people can still log on to their usual computer, where usual means a computer where the user was one of the last 10 (by default I believe, configurable via group policies) to log on to that computer.

By the way, cached credentials are stored under the LSA Secrets registry key HKLM\SECURITY\Policy\Secrets. NT4 pre-SP3 was very vulnerable to LSA secrets theft as they were in cleartext. Post-SP3 and W2k, which encrypt them with syskey, are still somewhat vulnerable to lsadump2, which uses DLL injection to "get around" syskey, but it requires the SeDebugPrivilege which only the Administrator account has by default. Still, if one were to get admin access first, LSA secrets are up for grabs!

Granted, this introduces some level of insecurity, but the practical factor usually outweighs it.

You can, however, disable caching by setting the number of last logons cached to 0 using local/group policies.

Ammo
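The check and the fix described in the post, as an added PowerShell example that is not part of the original post. It assumes the policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" is backed by the Winlogon registry value CachedLogonsCount (a REG_SZ, so it is read and written as a string); the function names are my own.

```powershell
# Added example (not from the original post): inspect and, if wanted, disable
# domain credential caching on a workstation.
# Assumption: the security-options policy "Number of previous logons to cache"
# is stored in the CachedLogonsCount value under the Winlogon key.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName = 'CachedLogonsCount'

function Get-CachedLogonsCount {
    # Returns the configured count as an integer, or $null if the value is
    # absent (in which case Windows falls back to its built-in default).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName              # REG_SZ: cast the string to int
}

function Set-CachedLogonsCount {
    # Valid policy range is 0 (no caching) to 50. Needs an elevated prompt.
    param([Parameter(Mandatory)][ValidateRange(0, 50)][int]$Count)
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value ([string]$Count) -Type String
}

# Report the current state; the hardened setting is 0.
$current = Get-CachedLogonsCount
if ($null -eq $current) {
    Write-Output "CachedLogonsCount is not set explicitly; the Windows default applies."
} elseif ($current -eq 0) {
    Write-Output "Credential caching is disabled (CachedLogonsCount = 0)."
} else {
    Write-Output "Up to $current domain logons are cached on this machine."
    Write-Output "To disable caching: Set-CachedLogonsCount -Count 0"
}
```

If the machine is domain-joined and the same setting is delivered by Group Policy, a direct registry write is overwritten at the next policy refresh, so set it in the GPO (Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options) rather than only on the workstation. Remember the trade-off the post describes: with 0 cached logons, nobody logs on to that workstation while the domain controller is unreachable.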