Um.... correct me if I am wrong, but if the cached credentials are 'cracked' then surely the only damage that could be inflicted would be on that particular computer/laptop....
As when using the cached credentials, any attempts to access domain/network resources would require authentication as the security token would have expired; and since the credentials are no longer current/valid access would not be granted.
In this case, I think that disabling cached credentials would be the most secure option for all computers that do not leave the office and enabled for any laptops that are not able to reach the domain externally.... otherwise allow remote dial-up login for authentication or set up a local account for use outside of the domain. I was thinking using OUs and specific GPOs like cached credential limit for laptops is 2 everyone else is 1 etc...
[garbled comments about this post here] <--- You all know what I am thinking as 918 views to this post later and not one reply?
CTO





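An added example, not part of the original post: a PowerShell check that reads the cached-logon limit the post proposes setting by GPO and compares it with a per-device-type baseline. The limits 2 (laptops) and 1 (everything else) are the post's figures; the function names and the chassis-type list are assumptions of this example.

```powershell
# Added example: audit the local cached-logon limit against the baseline proposed in the post.
# The policy "Interactive logon: Number of previous logons to cache" is stored as the
# REG_SZ value CachedLogonsCount under the Winlogon key.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Assumption: SMBIOS chassis types treated as portable for this audit
# (8 Portable, 9 Laptop, 10 Notebook, 14 Sub Notebook, 30 Tablet, 31 Convertible, 32 Detachable).
$PortableChassis = 8, 9, 10, 14, 30, 31, 32

function Test-IsPortable {
    # ChassisTypes is an array; any portable type marks the machine as a laptop.
    $types = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
    return [bool]($types | Where-Object { $PortableChassis -contains $_ })
}

function Get-CachedLogonLimit {
    $prop = Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Value absent: no explicit limit is configured, so report it as unset.
        return $null
    }
    return [int]$prop.CachedLogonsCount
}

function Test-CachedLogonPolicy {
    param(
        [int]$LaptopLimit  = 2,  # figure from the post
        [int]$DesktopLimit = 1   # figure from the post
    )
    $portable = Test-IsPortable
    $expected = if ($portable) { $LaptopLimit } else { $DesktopLimit }
    $actual   = Get-CachedLogonLimit
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Portable  = $portable
        Expected  = $expected
        Actual    = $actual
        # Unset or above the baseline counts as non-compliant.
        Compliant = ($null -ne $actual -and $actual -le $expected)
    }
}

Test-CachedLogonPolicy
```

Run on each machine (or through remoting) after the GPOs are linked, this confirms that the OU-specific limit actually reached the endpoint.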