Windows Server 2008 Active Directory Domain Services Last Interactive Logon Information Feature
If you’ve been reading through the Windows Server 2008 documentation or attending events discussing Windows Server 2008 Active Directory Domain Services (AD DS), you might have noticed that one of the new features enabled with the Windows Server 2008 Domain Functional Level (DFL3) is something referred to as “Last Interactive Logon Information”. Essentially, this is a Windows NT 6.x (Vista and Server 2008 at the moment) Winlogon feature. With this feature enabled, when you perform an interactive logon to an NT 6.x domain member, Winlogon presents information depicting the last successful and unsuccessful logon times, as well as the number of unsuccessful interactive logon attempts.
Here’s a [cropped] screenshot of me logging onto a Windows Server 2008 server in a Windows Server 2008 Domain Functional Level domain with this feature enabled.

This information is presented immediately after you hit enter having supplied your username and password. Hitting enter again results in the desktop being presented. This information is presented every time you enter your password via Winlogon, so you see it when you first log on as well as every time you unlock your session.
How Last Interactive Logon Information works
The Windows Server 2008 schema introduces a number of new attributes. Of these, the following are relevant to the Last Interactive Logon Information feature.
The name of each attribute effectively describes what it is used for. Summarised, they do the following:
| Attribute (LDAP Display Name) | Purpose | Type |
| --- | --- | --- |
| msDS-FailedInteractiveLogonCount | The total number of failed Ctrl + Alt + Del (C-A-D) logon attempts at a Windows Vista or Windows Server 2008 domain joined member since the Last Interactive Logon Information feature was turned on. | Integer (whole number) |
| msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon | The total number of failed C-A-D logon attempts at a Windows Vista or Windows Server 2008 domain joined member up until the last successful C-A-D logon. | Integer (whole number) |
| msDS-LastFailedInteractiveLogonTime | The time that an incorrect password was presented during a C-A-D logon attempt at a Windows Vista or Windows Server 2008 domain joined member. | Timestamp |
| msDS-LastSuccessfulInteractiveLogonTime | The time that a successful C-A-D logon occurred at a Windows Vista or Windows Server 2008 domain joined member. | Timestamp |
Essentially, when the feature is enabled two things happen:
- The Windows Server 2008 AD DS domain controllers write this information to the AD DS attributes
- The Windows NT 6.x (Windows Vista and Windows Server 2008) domain members query for, and display, this information
As you can guess, there’s new logic in the DC logon code that writes the above attributes. If the username and password combination is correct, the msDS-LastSuccessfulInteractiveLogonTime attribute is written with the current timestamp. If the username and password combination is incorrect, the msDS-LastFailedInteractiveLogonTime attribute is written with the current timestamp and the value of both the msDS-FailedInteractiveLogonCount and msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon attributes is incremented by one.
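The following is an added example (not part of the original post) that reads the four attributes described above for a single account and converts the two timestamps from their stored 64-bit FILETIME form into readable dates. It assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later) and a domain where the feature is already enabled; the account name is a placeholder.

```powershell
# Added example, not the post's own code. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-LastInteractiveLogonInfo {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # The four attributes the post describes; they are not loaded unless requested.
    $attrs = 'msDS-LastSuccessfulInteractiveLogonTime',
             'msDS-LastFailedInteractiveLogonTime',
             'msDS-FailedInteractiveLogonCount',
             'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'

    $user = Get-ADUser -Identity $SamAccountName -Properties $attrs

    # Both timestamps are LargeInteger FILETIME values (100 ns ticks since 1601-01-01 UTC).
    # A missing or zero value means nothing has been recorded since the feature was enabled,
    # so report $null rather than 1601-01-01.
    $toDate = {
        param($ft)
        if ($null -eq $ft -or [int64]$ft -eq 0) { $null }
        else { [DateTime]::FromFileTime([int64]$ft) }
    }

    $failedTotal   = [int]$user.'msDS-FailedInteractiveLogonCount'
    $failedAtLast  = [int]$user.'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'

    [pscustomobject]@{
        User                     = $user.SamAccountName
        LastSuccessfulLogon      = & $toDate $user.'msDS-LastSuccessfulInteractiveLogonTime'
        LastFailedLogon          = & $toDate $user.'msDS-LastFailedInteractiveLogonTime'
        FailedLogonCount         = $failedTotal
        FailedCountAtLastSuccess = $failedAtLast
        # Difference between the running counter and the snapshot taken at the last
        # successful logon: failures recorded since that logon.
        FailedSinceLastSuccess   = $failedTotal - $failedAtLast
    }
}

# Placeholder account name; substitute a real sAMAccountName.
Get-LastInteractiveLogonInfo -SamAccountName 'jdoe' | Format-List
```

All four properties come back empty for every user in a domain where the feature has never been enabled, which is a quick way to confirm whether the domain controllers are actually writing them.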
Configuring Last Interactive Logon Information
Configuration is made via GPO. The setting in question is as follows:
Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Logon Options: Display information about previous logons during user logon (Enabled)
This setting has to apply to the domain controllers in order for them to actually gather the information detailed in “How last interactive logon information works”, so if you only wish to have a subset of computers in a specific OU utilise this feature be sure that you configure it in a GPO that is linked to the OU in question as well as a GPO linked to the Domain Controllers OU.
Realistically, it probably makes sense to configure this setting in a GPO with user settings disabled and then link that GPO to every container that you want this to apply to (if you don’t want to simply apply this setting at the domain level) as well as the domain controllers OU.
Important Information
If you enable this feature in a specific OU and don’t also enable it for the domain controllers, or you enable this feature in a domain that is not at Windows Server 2008 Domain Functional Level, users will be prompted with an error message stating the following and will not be able to log on:
Security policies on this computer are set to display information about the last interactive logon. Windows could not retrieve this information. Please contact your network administrator for assistance.
The same is true if a domain controller cannot be located: you won’t be able to log on. Therefore only enable this feature if you’ve properly planned for, and impact assessed, the change. The choice to deny logon if this information cannot be retrieved is interesting. HP ProtectTools Authentication Services, which implements a similar feature, doesn’t stop you from logging on if it cannot retrieve this information; it simply tells you it was unable to retrieve the information. This means that Microsoft has implemented this as a very specific security requirement and not as a simple informational feature.
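Because a misconfiguration locks users out rather than degrading gracefully, it is worth checking the two prerequisites the post names before the GPO goes live. The following is an added example (not the post's own code) that verifies the domain is at Windows Server 2008 functional level and that the GPO carrying the setting applies to the Domain Controllers OU, whether linked there directly or inherited from the domain. It assumes the ActiveDirectory and GroupPolicy modules; the GPO display name is a placeholder.

```powershell
# Added example, not the post's own code. Requires ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Test-LastLogonInfoPrerequisites {
    param([Parameter(Mandatory)][string]$GpoName)

    $domain   = Get-ADDomain
    $problems = @()

    # Prerequisite 1: Windows Server 2008 DFL or higher. DomainMode is an ADDomainMode
    # enum whose values increase with functional level, so a numeric comparison works.
    $required = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
    if ([int]$domain.DomainMode -lt [int]$required) {
        $problems += "Domain functional level is $($domain.DomainMode); " +
                     "Windows Server 2008 DFL is required or logons will fail."
    }

    # Prerequisite 2: the setting must reach the DCs, otherwise they never write the
    # attributes and clients get the 'could not retrieve this information' error.
    # InheritedGpoLinks includes links applied from the domain level as well as the OU.
    $dcOu  = $domain.DomainControllersContainer
    $links = (Get-GPInheritance -Target $dcOu).InheritedGpoLinks
    $hit   = $links | Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled }
    if (-not $hit) {
        $problems += "GPO '$GpoName' does not apply to $dcOu (not linked, or link disabled)."
    }

    [pscustomobject]@{
        Domain   = $domain.DNSRoot
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Placeholder GPO name; use the display name of the GPO that holds the setting.
Test-LastLogonInfoPrerequisites -GpoName 'Display Last Logon Info' | Format-List
```

Run this from a machine with RSAT before linking the GPO to any OU that contains workstations; if Ready is False, linking the GPO will block interactive logons on the affected NT 6.x members.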