echo: nthelp
to: Geo
from: Mike N.
date: 2004-10-24 13:33:02
subject: Re: EFS Best practices

I'm not sure, but I believe a cached domain admin login is still covered
under a syskey level 2 or 3 encryption because both the SAM and LSA are
encrypted.  So you'd have the syskey login to crack before anyone could get
to a domain admin login - today this just means grinding through all
possible alphanumeric password combinations on a lengthy decryption.

On Fri, 22 Oct 2004 18:14:04 -0500, "Geo" wrote:

>That's sort of what I was getting at, I think there is another issue. Here
>is why. You are a domain member, you log in as domain admin to the laptop one
>time and it creates your desktop and whatever. OK, now shut down and unplug
>the laptop from the network, then boot it back up and log in as domain admin
>again, it works. That's because the domain admin login information is cached
>on the machine.
>
>Until you disable that (I forget how it's done) I don't think you are
>secure. That's why I like being a domain member better, it makes it easy to
>tell if you have this disabled or not. You can still log in as local machine
>account, it's just a good way to test your settings.

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com
