Logging and Reporting the Last Interactive Logon time with Windows 2008+ DCs
In a slight departure from our regular post style, I’m reposting an email sent by Mark Renoden in response to an internal Aussie PFE discussion about LastLogonTime. Sharing is caring.
I thought I’d hijack the thread to discuss a feature we might be able to use more often, now that our customers are finally getting rid of their 2K3 DCs:
Last Interactive Logon was something we introduced in Windows Server 2008 / Windows Vista, but you can’t use it in mixed-mode domains (< DFL 2K8) so we haven’t been talking about it! [Ed note: DFL = Domain Functional Level]
The AD attributes involved, and roughly what it does, are documented here.
So, before you set it up, but with 2008+ schema extensions deployed, you’ll see these attributes (not set) on user objects –
To enable it [Ed: Read the rest of this article first, particularly down to the text in RED below first for an important caveat!] set up a GPO that applies to DCs with this setting under Computer Configuration -> Administrative Templates -> Windows Components -> Windows Logon Options, enabled – (“Windows Logon Options: Display information about previous logons during user logon”)
And you start seeing ms-DS-FailedInteractiveLogonCount (and related attributes) being populated on user objects (obviously failed logins will populate the appropriate attributes) –
When applied to DCs, this setting tells the DC to record and report these values. It’s important that this is done first because enabling it on clients before DCs are configured will BLOCK user logins.
Once DCs are configured, you’ll be recording useful information that you can query, and the values are replicated.
If you’d like to do interesting things with clients (or perhaps more interestingly member servers), create a GPO with the same setting that applies to those machines. After doing this, you’ll see this after you login –
Once again, if you haven’t enabled this setting on DCs first, login will be blocked.
The reason you can’t use it in domains with Windows 2000 or Windows Server 2003 DCs is that they don’t understand the policy setting and won’t record or report the attribute values to clients – so in effect, you’ll DoS yourself.
Posted by Tristan Kington , MSPFE Editor that had a great holiday, thanks for asking.