I've been encountering an issue with domain PCs where it takes a long time to report that an incorrect password was entered. After conducting some research, we identified that the delay is caused by the system checking the local PC password cache first and then proceeding to check the domain.

Can anyone help me reduce the time it takes for a domain PC to report an incorrect password message? Any insights or solutions using any method, such as GPO, would be greatly appreciated.

  • The delay is actually an intentional and impossible-to-avoid security feature of Windows.
    – Ramhound
    Commented Feb 6 at 12:35
  • The delay helps to prevent people breaking in with multiple password attempts. Remind users about good password security and perhaps equip them with a good password manager.
    – anon
    Commented Feb 6 at 12:45
  • This duplicate suggests it's not possible, which supports my gut instinct that the initial delay and the continuous increase of that delay cannot be changed or disabled.
    – Ramhound
    Commented Feb 6 at 13:30
  • Also, make sure it is not a DNS issue. If your DNS is not set to have the first server be the domain server, it may try to resolve the domain or hostname via an internet DNS server instead, fail to resolve, then try with the correct server.
    – LPChip
    Commented Feb 6 at 13:54

1 Answer

One way you can reduce the time spent checking the local cache is to disable it. There are GPO settings which allow you to disable saving of logon sessions, so that the PC has to communicate with the domain controller on each logon attempt.

Those settings are:

Interactive Logon: Number of previous logons to cache (in case domain controller is not available) https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available

Interactive logon: Require Domain Controller authentication to unlock workstation https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation

  • Note that disabling the local cache can be good for security purposes, but with the caveat that if the domain is not available for one reason or another, then no domain account can be logged into. Certainly don't do this on laptops and other systems that may be in a semi-connected or disconnected state during their use. Finally, note that the delay often comes from mitigations designed to prevent brute-forcing of passwords, even when a weak configuration is used for account locking, so disabling the local cache may not have any impact on the noticed delay in the error message accompanying a failed logon attempt.
    Commented Feb 6 at 14:45
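The following PowerShell script is an added example, not code from the question, the answer, or any of the commenters. It audits the two policy settings the answer names by reading their registry backing values (`CachedLogonsCount` and `ForceUnlockLogon` under the `Winlogon` key, which is where the Security Options GPO settings are stored), runs the DNS and domain-controller-locator checks suggested in the comments, and offers a guarded function for changing the cache setting locally for testing. Assumptions: it is run in an elevated PowerShell session on a domain-joined Windows client, `nltest.exe` is available (it ships with Windows), and the helper function names are my own.

```powershell
# Added example, not from the original post. Run elevated on a domain-joined client.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonPolicy {
    # CachedLogonsCount backs "Interactive logon: Number of previous logons to cache"
    # (REG_SZ, Windows default "10", valid range 0-50). ForceUnlockLogon backs
    # "Interactive logon: Require Domain Controller authentication to unlock
    # workstation" (DWORD, 1 = required). A missing value means "not configured".
    $p = Get-ItemProperty -Path $Winlogon -ErrorAction Stop
    [pscustomobject]@{
        CachedLogonsCount = if ($null -ne $p.CachedLogonsCount) { [int]$p.CachedLogonsCount } else { 10 }
        ForceUnlockLogon  = if ($null -ne $p.ForceUnlockLogon)  { [int]$p.ForceUnlockLogon  } else { 0 }
    }
}

function Test-DomainNameResolution {
    # LPChip's point: the first configured DNS server must be able to answer the
    # DC locator SRV query for the domain. An internet resolver listed first fails,
    # and the client only falls back to the domain DNS after a timeout.
    $domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
    $servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object { $_.ServerAddresses } | Select-Object -Unique

    foreach ($srv in $servers) {
        $elapsed = Measure-Command {
            $srvRecords = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" `
                -Type SRV -Server $srv -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            DnsServer     = $srv
            ResolvesDC    = [bool]($srvRecords | Where-Object { $_.Type -eq 'SRV' })
            Milliseconds  = [int]$elapsed.TotalMilliseconds
        }
    }
}

function Test-DomainControllerReachability {
    # Secure channel health plus the DC the locator actually picks.
    $domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
    [pscustomobject]@{
        SecureChannelOk = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
        Locator         = (& nltest.exe /dsgetdc:$domain /force 2>&1 | Out-String).Trim()
    }
}

function Set-CachedLogonCount {
    # Local change for testing only; on a domain member, Group Policy rewrites this
    # value at the next refresh, so the durable fix is the GPO the answer links to.
    # Refuses to disable caching on a laptop, per the caveat in the comment above.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateRange(0, 50)][int]$Count)

    $chassis = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
    $isLaptop = @(8, 9, 10, 14, 30, 31, 32) | Where-Object { $chassis -contains $_ }
    if ($Count -eq 0 -and $isLaptop) {
        throw 'Refusing to set CachedLogonsCount=0 on a portable system: it could never log on offline.'
    }
    if ($PSCmdlet.ShouldProcess($Winlogon, "Set CachedLogonsCount to $Count")) {
        Set-ItemProperty -Path $Winlogon -Name CachedLogonsCount -Value "$Count" -Type String
    }
}

# Usage: audit first, then decide whether the cache setting is even the bottleneck.
Get-CachedLogonPolicy
Test-DomainNameResolution | Format-Table -AutoSize
Test-DomainControllerReachability
# Set-CachedLogonCount -Count 0 -WhatIf
```

The audit output tells you which of the three causes raised on this page is in play: a non-zero `CachedLogonsCount` with a domain controller that is reachable and resolvable by the first DNS server points at the intentional lockout back-off the commenters describe, which no setting here removes; a slow or failing `ResolvesDC` result for the first server points at the DNS ordering problem instead. To apply the setting domain-wide, edit the GPO under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options rather than the registry.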
