Admin Tips
- Windows Server 2008/2003/2000/XP/NT Administrator Knowledge Base
  - Windows 2003
    - Admin Tips
      - Active Directory
        How To Force Users To Log On To The Domain?

Section(s): Active Directory , Active Directory
Published on Sep 03, 2008.
Last Modified on Jul 08, 2008.
Last Modified by Nirmal Sharma.
Rated 2.3 out of 5 based on 3 votes.

This article explains a mechanism you can use to force client computers to log on to the domain.

Generally, if client computers are not able to contact a domain controller, they will be logged on to the local computer using their cached credentials stored at the registry. You can delete the Cached Credentials to force them to log on the domain:

This mechanism is very useful in the following scenario:

When you are doing capacity planning to add an additional domain controller and want all the users to log on the domain.
When you want users to update their LastLogonTimeStamp value in the domain.
When you want to apply an urgent Group Policy setting.

To delete the Cached Credentials:

Open a Command Prompt
Run "Psexec.exe -s -i regedit.exe" without quotes
Navigate to HKLM\SECURITY\Cache
Delete all NL$1 through NL$10

About Nirmal Sharma

Nirmal is a Microsoft MVP in Directory Services and working as a Technical Architect/Consultant. He has been involved in Microsoft Technologies since 1994 and followed the progression of Microsoft Operating Systems and software. He is specialized in Directory Services, Microsoft Clustering, SQL, MOM, Exchange and Citrix. In his spare time, he likes to help others and write "internal" technical articles, white papers and tips on various Microsoft technologies. You can contact him at nirmal_sharma@mvps.org.