Cached Logon Script
This script lets you set the cached logon count (the CachedLogonsCount value under Winlogon) on a managed device remotely. Windows defaults to caching the last 10 domain logons so users can sign in when no Domain Controller is reachable. Setting the value to 0 stops the device from storing domain credential verifiers (the cached hashes that offline-cracking tools target), so domain users can only log on while a Domain Controller is reachable.
Where applicable
- You want logon to fail, rather than succeed against cached credentials, when a device cannot reach a Domain Controller
- A remote user has been terminated and you want to ensure they cannot log on to the computer again with cached credentials (disable the account in Active Directory as well; this setting only closes the cached-logon path)
Caveat: with the value at 0, legitimate remote users can no longer log on while off the corporate network or VPN. Verify the result with a test logon while the device is disconnected.
Steps to resolution
Evaluation Code
$scriptblock = {
    # Define the registry key and value to evaluate
    #############################################
    $regPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $regProperty = "CachedLogonsCount"
    # CachedLogonsCount is stored as REG_SZ, so the desired value is a string
    $desiredValue = '0'
    #############################################
    # Retrieve the current value for comparison (null if the value is missing,
    # in which case the Windows default of 10 applies and the device is non-compliant)
    $currentValue = (Get-ItemProperty -Path $regPath -Name $regProperty -ErrorAction SilentlyContinue).$regProperty
    # Compare current with desired and return accordingly:
    # 0 for Compliant, 1 for Non-Compliant
    if ($currentValue -eq $desiredValue) {
        return 0
    } else {
        return 1
    }
}
# Run the block in the native 64-bit PowerShell. The sysnative alias only exists
# for a 32-bit process on 64-bit Windows (typical for RMM agents); from a 64-bit
# host use "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" instead.
# $runScriptBlock holds the 0 or 1 the block returned.
$runScriptBlock = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptblock
Remediation Code
$scriptblock = {
    # Define the registry key and value to modify
    #############################################
    $regPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $regProperty = "CachedLogonsCount"
    $desiredValue = '0'
    #############################################
    try {
        # Set-ItemProperty creates the value if it is missing; -ErrorAction Stop
        # turns any failure (for example insufficient rights) into a catchable exception
        Set-ItemProperty -Path $regPath -Name $regProperty -Value $desiredValue -ErrorAction Stop
        return 0
    } catch {
        Write-Output "Unable to update ${regProperty}: $($_.Exception.Message)"
        return 1
    }
}
# Same launcher as the evaluation step; see the note there on when the sysnative path exists.
# On failure $runScriptBlock contains the error message followed by 1.
$runScriptBlock = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptblock
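As an added example (not part of the original script above), the following function folds the evaluation and remediation steps into one, reads the value back after writing instead of trusting the write, reports what changed, and can optionally run against remote machines over WinRM. It assumes WinRM is enabled on any target you name and that the caller is a local administrator there; the function and parameter names are this example's own.

```powershell
# Added example, not the original page's script. Evaluates and, unless -AuditOnly
# is given, remediates CachedLogonsCount, reads the value back to confirm the
# write, and can target remote machines over WinRM (assumes WinRM is enabled
# and the caller is a local administrator on each target).
function Set-CachedLogonsCount {
    [CmdletBinding()]
    param(
        # Windows accepts 0-50; 0 disables caching of domain credentials
        [ValidateRange(0, 50)]
        [int]$DesiredValue = 0,
        # Leave empty to run on the local machine
        [string[]]$ComputerName,
        # Report compliance without changing anything
        [switch]$AuditOnly
    )

    $worker = {
        param([int]$Desired, [bool]$Audit)
        $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        $name    = 'CachedLogonsCount'

        # The value is REG_SZ, so compare as strings; a missing value means the
        # Windows default (10) applies and the host is non-compliant.
        $current = (Get-ItemProperty -Path $regPath -Name $name -ErrorAction SilentlyContinue).$name
        $result  = [ordered]@{
            Computer  = $env:COMPUTERNAME
            Before    = $current
            After     = $current
            Compliant = ([string]$current -eq [string]$Desired)
            Changed   = $false
            Error     = $null
        }
        if ($result.Compliant -or $Audit) { return [pscustomobject]$result }

        try {
            Set-ItemProperty -Path $regPath -Name $name -Value ([string]$Desired) -Type String -ErrorAction Stop
            # Read back rather than assuming the write succeeded
            $after = (Get-ItemProperty -Path $regPath -Name $name -ErrorAction Stop).$name
            $result.After     = $after
            $result.Changed   = $true
            $result.Compliant = ([string]$after -eq [string]$Desired)
        } catch {
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }

    if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $worker -ArgumentList $DesiredValue, $AuditOnly.IsPresent
    } else {
        & $worker $DesiredValue $AuditOnly.IsPresent
    }
}

# Usage (run as a script, not dot-sourced, because of the exit): remediate the
# local machine and surface the outcome as an exit code for the calling
# RMM/management tool, 0 for compliant and 1 for non-compliant.
$report = Set-CachedLogonsCount -DesiredValue 0
$report | Format-Table -AutoSize
if ($report.Compliant) { exit 0 } else { exit 1 }
```

Run it with `-AuditOnly` first to see which hosts still have the default before changing anything; for a fleet, pass `-ComputerName` with a list and inspect the Before, After and Error columns of the returned objects rather than relying on stdout text.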