The user will see the time of the last successful and unsuccessful login. If the user attempted to sign in unsuccessfully since the last successful login, the number of failed sign-in attempts will also be displayed. This can be helpful if you have configured an account lockout threshold.
Last logon information after sign-in on Windows 8.1
Active Directory last logon attributes
In Windows Server 2008, Microsoft introduced four new Active Directory attributes that store information about the user’s last interactive logon:
- msDS-FailedInteractiveLogonCount (CN: ms-DS-Failed-Interactive-Logon-Count): Number of failed logon attempts since the last logon feature was enabled
- msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon (CN: ms-DS-Failed-Interactive-Logon-Count-At-Last-Successful-Logon): Number of failed interactive logons up until the last successful Ctrl-Alt-Del logon
- msDS-LastFailedInteractiveLogonTime (CN: ms-DS-Last-Failed-Interactive-Logon-Time): Time stamp of the last failed logon attempt
- msDS-LastSuccessfulInteractiveLogonTime (CN: ms-DS-Last-Successful-Interactive-Logon-Time): Time stamp of the last successful logon attempt
By default, this feature is deactivated because in environments with a large number of users, it can cause a high replication burden in the morning when many users are signing in at the same time.
Difference from lastLogon and lastLogonTimestamp
This is one difference from the attributes lastLogon (CN: Last-Logon), lastLogonTimestamp (CN: Last-Logon-Timestamp), badPasswordTime (CN: Bad-Password-Time), and badPwdCount (CN: Bad-Pwd-Count).
The attributes lastLogon, badPasswordTime, and badPwdCount were introduced in Windows 2000 and don’t replicate at all. This means that you have to query all your domain controllers if you want to use these attributes to retrieve information about the last logon of a user.
lastLogon and lastLogonTimestamp attributes in ADUC
The attribute lastLogonTimestamp was introduced in Windows Server 2003 and does replicate. However, by default it replicates only every 9–14 days. Thus, its intended purpose is to identify inactive accounts, not to track user logons in real time.
Another difference from the Windows Server 2008 attributes is that the older attributes record not only interactive logons but also other logon types, such as a user accessing a network share. You also can't use the old attributes to display the last logon information after the user signs in.
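The following PowerShell script is an added example and not code from the post or from Microsoft. It reads the four replicated interactive logon attributes for one user and, for comparison, collects the non-replicating lastLogon from every domain controller and keeps the newest value. It assumes the ActiveDirectory module (RSAT) is installed, that the session runs as a user allowed to read these attributes, and that the AD module returns the time attributes as Int64 FILETIME values (the names in the script are the attribute names listed above; the function and variable names are my own).

```powershell
# Added example (not from the original post): read the interactive logon
# attributes for one user and compare them with lastLogon, which has to be
# collected from every domain controller because it does not replicate.
param(
    [Parameter(Mandatory)][string]$SamAccountName
)
Import-Module ActiveDirectory

$interactiveAttrs = @(
    'msDS-LastSuccessfulInteractiveLogonTime',
    'msDS-LastFailedInteractiveLogonTime',
    'msDS-FailedInteractiveLogonCount',
    'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'
)

# The time attributes are stored as FILETIME (Int64); 0 or $null means "never set".
function ConvertFrom-FileTime {
    param([Int64]$Value)
    if ($Value -gt 0) { [DateTime]::FromFileTime($Value) } else { $null }
}

# Any domain controller will do for these attributes: they replicate.
$user = Get-ADUser -Identity $SamAccountName -Properties ($interactiveAttrs + 'lastLogonTimestamp')

[PSCustomObject]@{
    User                       = $user.SamAccountName
    LastSuccessfulInteractive  = ConvertFrom-FileTime $user.'msDS-LastSuccessfulInteractiveLogonTime'
    LastFailedInteractive      = ConvertFrom-FileTime $user.'msDS-LastFailedInteractiveLogonTime'
    FailedInteractiveCount     = $user.'msDS-FailedInteractiveLogonCount'
    FailedCountAtLastSuccess   = $user.'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'
    LastLogonTimestamp         = ConvertFrom-FileTime $user.lastLogonTimestamp   # replicated, but only every 9-14 days
}

# lastLogon does not replicate at all, so ask every DC and keep the newest value.
$dcs    = Get-ADDomainController -Filter *
$newest = 0
foreach ($dc in $dcs) {
    $value = (Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon).lastLogon
    if ($value -gt $newest) { $newest = $value }
}
"Newest lastLogon across {0} DC(s): {1}" -f $dcs.Count, (ConvertFrom-FileTime $newest)
```

Run it as .\Get-LastLogonInfo.ps1 -SamAccountName jdoe. If the interactive logon attributes come back empty for every user, the policy described in the next section has not been applied to the domain controllers yet.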
Activate interactive logon attributes
The interactive logon attributes can only be activated if your Active Directory domain functional level is Windows Server 2008 or higher, and only computers running Windows Vista and Windows Server 2008 or higher can display the last sign-in information on the login screen. Windows XP and Windows Server 2003 computers will ignore the Group Policy setting.
It is important to follow the activation procedure exactly in the order described here; otherwise, your users might be unable to sign in. If a client computer applies the corresponding Group Policy before the domain controllers do, the user is denied sign-in and sees this message:
Security policies on this computer are set to show info about the last interactive sign-in, but Windows couldn't retrieve that info.
First, you have to assign the Group Policy to all domain controllers. This activates the logging of the last logon information in the Active Directory attributes. This is the location of the policy:
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Logon Options > Display information about previous logons during user logon
Display information about previous logons during user logon
At this point, only domain controllers will display the login information after sign-in. However, it is important to note that the last interactive logon attributes will also be set when a user signs in on a machine that is not in the scope of the domain controller policy. Thus, the name of the policy (Display information about previous logons during user logon) is a bit misleading because it enables the logging of interactive logins for the entire domain. It just doesn’t display previous logon information on computers that are not in the scope of the policy. Depending on the size of your domain, you may have to take the corresponding replication load into account.
You can verify that interactive logons are logged in Active Directory Users and Computers (ADUC). First, you have to enable Advanced Features in the View menu of ADUC. If you then double-click a user object, you should see the Attribute Editor tab.
Last interactive logon attributes
After you configure the policy, you have to ensure that all domain controllers have received the new settings. You can do this by running gpresult /v on all domain controllers, and if a server hasn’t applied the policy yet, you can run gpupdate.
Once you are sure that the domain controllers are aware of the new policy, you can assign it to the member servers and clients for which you want to display the last logon information. Once the Group Policy is applied, you should see the logon information on all machines in the scope of the policy.
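Because a client that applies the policy ahead of the domain controllers locks its users out, it is worth automating the check from the previous step before the policy is scoped to member servers and clients. The script below is an added example, not code from the post or from Microsoft. It assumes the ActiveDirectory module and WinRM access to all domain controllers, and it assumes that this Group Policy setting is persisted as the DWORD value DisplayLastLogonInfo = 1 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (the value name is an assumption on my part; confirm it against the WindowsLogon ADMX in your environment). The variable names are my own.

```powershell
# Added example (not from the original post): confirm that every domain
# controller has applied "Display information about previous logons during
# user logon" before the policy is assigned to member servers and clients.
# Assumption: the setting is written as DisplayLastLogonInfo = 1 under the
# Policies\System key; adjust if your ADMX shows a different value name.
Import-Module ActiveDirectory

$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$dcs     = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Read the policy value on each DC; DCs that cannot be reached simply return nothing.
$results = Invoke-Command -ComputerName $dcs -ErrorAction Continue -ScriptBlock {
    $value = (Get-ItemProperty -Path $using:regPath -ErrorAction SilentlyContinue).DisplayLastLogonInfo
    [PSCustomObject]@{
        DC      = $env:COMPUTERNAME
        Applied = ($value -eq 1)
    }
}

$results | Sort-Object DC | Format-Table DC, Applied -AutoSize

# DCs missing from the output were unreachable over WinRM and must be checked by hand.
$unreachable = $dcs | Where-Object { $_ -notin $results.PSComputerName }
if ($unreachable) {
    Write-Warning ("Could not query: {0}" -f ($unreachable -join ', '))
}

# Trigger a policy refresh only where the setting is still missing, then re-run this script.
$pending = $results | Where-Object { -not $_.Applied }
if ($pending) {
    Invoke-Command -ComputerName $pending.DC -ScriptBlock { gpupdate /target:computer /force | Out-Null }
    Write-Warning ("Policy not yet applied on: {0}. gpupdate was triggered; re-run this check before scoping clients." -f ($pending.DC -join ', '))
}
elseif (-not $unreachable) {
    'All domain controllers have applied the policy; the GPO can now be assigned to member servers and clients.'
}
```

The script deliberately refuses to report success while any domain controller is unreachable, since an unverified DC is exactly the case that produces the sign-in error quoted above.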
Displaying last logon information after sign-in on Windows Server 2012 R2
If you compare this to the first screenshot in this post, you’ll notice that the text color of the last logon information is white in the first example and yellow in the second one. This is because the last sign-in attempt was unsuccessful in the second example. Thus before you deploy this feature, you should instruct your users about this difference. Nobody will really look at the time of the last logon at each sign-in. However, if your users know that the yellow color signifies an unsuccessful login attempt, they might take a closer look when the login screen looks different than usual. (Update: It appears Windows 7 doesn't change the color.)
Display previous logon information?
The other question is whether you want to display logon information on all computers in your network. This would certainly improve security, but it is perhaps overkill in environments with moderate security requirements. However, I do think it makes sense to apply this feature for servers. Unfortunately, as mentioned above, this means that the attribute is logged and replicated for all machines in your domain. Thus you have to consider if the additional replication load can be justified by the better security.
In my view, a user-based rather than a computer-based Group Policy for logging login information in Active Directory would make more sense. That way, you could ensure that only administrators see the last logon information after signing in. Since only admins sign on to servers, this would make a computer-based policy more or less superfluous. Unfortunately, no such Group Policy exists.
In my next post, I will show you how you can use PowerShell to retrieve the last logon information from Active Directory.