Windows Logon Options: Part One of Two

Wow, it's already Wednesday; time for another entry. Last week I wrote about the new user profile policy settings for Windows Vista. This week, I want to highlight a couple of policy settings included in the Windows Logon Options.


The Windows Logon Options policy settings are located under both the Computer and User Configurations\Administrative Templates\Windows Components\Windows Logon Options. This policy category has six policy settings, equally divided between user and computer configurations. These policy settings apply to computers running and users logging onto Windows Vista. Earlier versions of Windows will ignore most of these policy settings. Read the explain text of each policy setting before you combine these policy settings with earlier policy settings in a single Group Policy object.


I’ll start by highlighting two of the three policy settings under the Computer Configuration. The first of these is the Display information about earlier logons during user logon policy setting. When enabled, Windows displays a message after the user logs on. The message contains the date and time of the last successful logon; the date and time of the last unsuccessful logon; and the number of unsuccessful logons since the last successful logon by that user. The user must then acknowledge the message before Windows presents the user desktop.


I know, this sounds like one of those annoying logon prompts that users will click through, perhaps. However, I see this as another step in securing Windows on the workstation and the network. Most users know when they logged on last. Additionally, they know when they have typed their password wrong multiple times. Enabling this policy provides this information to users at each logon. Users can then compare this information with their own logon patterns to determine if there has been an attempt to compromise their account. And, you can use this policy setting to assist with troubleshooting account lockout issues.


The downside to this policy setting is that the user account logging on must be a user account from a “Longhorn” Server functional domain. Users logging on with user accounts stored in domains functioning at Windows Server 2003, Windows 2000 native, or mixed mode encounter an error message stating Windows could not locate the account information, and Windows prevents the user from logging on to the domain.
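For the help desk side of the account-compromise and lockout checks described above, here is an added example (not from the original post or from Microsoft) that turns raw directory values into the same three items the logon message shows. It assumes the data lives in the `msDS-*InteractiveLogon*` user attributes of a Windows Server 2008 ("Longhorn") functional-level domain; the function name, the sample record and the threshold of 5 are hypothetical.

```powershell
# Added example. Assumption: these user attributes back the logon message.
$attrs = 'msDS-LastSuccessfulInteractiveLogonTime',
         'msDS-LastFailedInteractiveLogonTime',
         'msDS-FailedInteractiveLogonCount',
         'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'

function ConvertTo-LogonSummary {
    param([Parameter(Mandatory)] $User)

    # Timestamps are FILETIME integers; 0 or empty means nothing was recorded.
    $toTime = {
        param($v)
        if ($v) { [DateTime]::FromFileTimeUtc([long]$v) } else { $null }
    }
    # Both counters are running totals, so the difference is the number of
    # failures since the last successful logon. A missing value casts to 0.
    $total     = [int]$User.'msDS-FailedInteractiveLogonCount'
    $atSuccess = [int]$User.'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'

    [pscustomobject]@{
        Name                 = $User.SamAccountName
        LastSuccessUtc       = & $toTime $User.'msDS-LastSuccessfulInteractiveLogonTime'
        LastFailureUtc       = & $toTime $User.'msDS-LastFailedInteractiveLogonTime'
        FailuresSinceSuccess = [Math]::Max(0, $total - $atSuccess)
    }
}

# Constructed sample record (not real data). In a live domain the same shape
# comes from:  Get-ADUser -Identity <name> -Properties $attrs
$now = (Get-Date).ToUniversalTime()
$sample = [pscustomobject]@{
    SamAccountName                                          = 'jdoe'
    'msDS-LastSuccessfulInteractiveLogonTime'               = $now.AddHours(-16).ToFileTimeUtc()
    'msDS-LastFailedInteractiveLogonTime'                   = $now.AddHours(-3).ToFileTimeUtc()
    'msDS-FailedInteractiveLogonCount'                      = 9
    'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon' = 2
}

$summary = ConvertTo-LogonSummary -User $sample
$summary | Format-List

# Failures newer than the last success are the ones the user should recognise.
$threshold = 5   # hypothetical value; tune to your lockout policy
if ($summary.LastFailureUtc -and $summary.LastSuccessUtc -and
    $summary.LastFailureUtc -gt $summary.LastSuccessUtc -and
    $summary.FailuresSinceSuccess -ge $threshold) {
    'Review {0}: {1} failed logons since last success at {2:u}' -f `
        $summary.Name, $summary.FailuresSinceSuccess, $summary.LastSuccessUtc
}
```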


The other valuable policy setting in this category is the Report when logon server was not available during user logon policy setting. Windows displays a notification to the user explaining they have logged on using cached credentials because the logon server was not available. Enabling this policy could expedite the reporting of logon problems. And, as with the other policy, it serves as an excellent way to further troubleshoot logon problems.


Stay on the lookout for some of the new policy settings in Windows Vista. Sometimes, enabling a policy ahead of time can help you troubleshoot later.


NEXT WEEK: Windows Logon Options: Part Two of Two


Mike Stephens, Technical Writer, Group Policy