How To Force Users To Log On To The Domain?

by [Published on 3 Sept. 2008 / Last Updated on 8 July 2008]

This article explains a mechanism you can use to force client computers to log on to the domain.

Generally, if client computers cannot contact a domain controller, users are logged on to the local computer with the cached credentials stored in the registry. You can delete the cached credentials to force them to log on to the domain.

This mechanism is very useful in the following scenarios:

  • When you are doing capacity planning to add an additional domain controller and want all the users to log on to the domain.
  • When you want users to update their LastLogonTimeStamp value in the domain.
  • When you want to apply an urgent Group Policy setting.

To delete the cached credentials:

  • Open a Command Prompt
  • Run "Psexec.exe -s -i regedit.exe" without quotes
  • Navigate to HKLM\SECURITY\Cache
  • Delete all entries NL$1 through NL$10
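
The same steps can be scripted. The following is an added example, not code from the original article: it assumes it is saved under the hypothetical name Clear-CachedLogons.ps1 and started as LocalSystem (for example with Psexec.exe -s), and its -Force switch is likewise an assumption of this example. It matches any numbered NL$ entry, which covers the NL$1 through NL$10 listed above, and refuses to clear the cache when the computer cannot currently reach a domain controller, because users would then have no way to log on with a domain account.

```powershell
# Added example: scripted form of the manual regedit steps above.
# Dry run:  Psexec.exe -s powershell.exe -File .\Clear-CachedLogons.ps1 -WhatIf
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical switch: clear the cache even if no domain controller answers.
    [switch]$Force
)

$cacheKey = 'HKLM:\SECURITY\Cache'

# By default only LocalSystem (SID S-1-5-18) can open HKLM\SECURITY.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
if ($me.User.Value -ne 'S-1-5-18') {
    throw "Run as LocalSystem (for example via Psexec.exe -s); current user is $($me.Name)."
}

# Guard: with the cache gone, a domain logon needs a reachable domain controller.
if (-not $Force) {
    $channelOk = $false
    try { $channelOk = Test-ComputerSecureChannel -WhatIf:$false -ErrorAction Stop } catch { }
    if (-not $channelOk) {
        throw 'No domain controller reachable; cached logons were left in place (use -Force to override).'
    }
}

# Select only NL$<number> entries; any other value under the key is left alone.
$key   = Get-Item -LiteralPath $cacheKey -ErrorAction Stop
$slots = @($key.GetValueNames() | Where-Object { $_ -match '^NL\$\d+$' })
if ($slots.Count -eq 0) {
    Write-Output "No numbered NL`$ entries found under $cacheKey."
    return
}

foreach ($name in $slots) {
    # -WhatIf lists what would be deleted without changing the registry.
    if ($PSCmdlet.ShouldProcess("$cacheKey\$name", 'Delete cached logon entry')) {
        Remove-ItemProperty -LiteralPath $cacheKey -Name $name -ErrorAction Stop
        Write-Output "Deleted $name"
    }
}
```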

The Author — Nirmal Sharma

Nirmal Sharma is an MCSEx3, MCITP, and was awarded Microsoft MVP in Directory Services. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles for various online communities. Nirmal can also be found contributing to PowerShell-based Dynamic Packs for ADHealthProf.ITDynamicPacks.Net solutions.