Group Policy Setting of the Week 35 – Display information about previous logons during user logon

This week's setting is one that has just been mentioned in the AD Blogs Friday mail sack and, until today, was a setting/feature of Windows Vista/7 that I didn’t know existed. This setting displays information about previous logons during a user logon and is very similar to the last logon screen I see when logging onto an online banking web site. This setting can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Logon Options and must be applied to workstations AND domain controllers for it to work. The only downside of this setting is that you need to be in 2008 native mode for it to work, so this might exclude some organisations for now.

WARNING: Be sure that you apply this setting to your domain controllers first, otherwise they will not be able to log on.

image

Below is the message a user will see after logging on successfully when the previous logon was also successful.

image

In this example we see the message shown when someone logs on successfully after the 5 previous logon events had failed. Obviously this logon count number (see highlighted below) would raise a really big red flag for a user, especially if you are sure that you were not the one who logged on incorrectly.

image
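A pre-rollout check for the requirements and the warning above, as an added example that is not from the original post: it confirms the domain functional level, checks that every domain controller already has the policy, and reads the AD attributes the logon message is built from. It assumes the ActiveDirectory module, PowerShell 3.0 or later and WinRM access to the domain controllers; `testuser` is a hypothetical account, and the registry value and attribute names come from Microsoft's documentation of this feature rather than from this page.

```powershell
# Added example: run before linking the GPO to workstations.
# Assumes RSAT ActiveDirectory module, PowerShell 3.0+, WinRM enabled on the DCs.
param([string]$TestUser = 'testuser')   # hypothetical account used for the attribute read
Import-Module ActiveDirectory

# 1. The domain functional level must be Windows Server 2008 or higher.
$domain  = Get-ADDomain
$levelOk = $domain.DomainMode -ge 'Windows2008Domain'
"Domain mode: $($domain.DomainMode) (meets requirement: $levelOk)"

# 2. Every domain controller must already have the policy applied.
#    The policy is stored as the DWORD DisplayLastLogonInfo = 1 under this key.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$dcResults = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $value = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ArgumentList $key -ScriptBlock {
            param($k)
            (Get-ItemProperty -Path $k -Name DisplayLastLogonInfo -ErrorAction SilentlyContinue).DisplayLastLogonInfo
        }
        [pscustomobject]@{ DC = $dc.HostName; PolicyApplied = ($value -eq 1); Error = $null }
    } catch {
        # An unreachable DC counts as "not confirmed", never as "applied".
        [pscustomobject]@{ DC = $dc.HostName; PolicyApplied = $false; Error = $_.Exception.Message }
    }
}
$dcResults | Format-Table -AutoSize

# 3. Read the attributes the logon message is built from, using the current credentials.
$attrs = 'msDS-LastSuccessfulInteractiveLogonTime',
         'msDS-LastFailedInteractiveLogonTime',
         'msDS-FailedInteractiveLogonCount',
         'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'
$user = Get-ADUser -Identity $TestUser -Properties $attrs
foreach ($a in $attrs) {
    $v = $user.$a
    # The two *Time attributes are stored as FILETIME integers.
    if ($null -ne $v -and $a -like '*Time') { $v = [DateTime]::FromFileTimeUtc($v) }
    '{0,-55} {1}' -f $a, $(if ($null -eq $v) { '<not set or not readable>' } else { $v })
}

# 4. Verdict: only proceed when the level is met and no DC is missing the policy.
$missing = @($dcResults | Where-Object { -not $_.PolicyApplied })
if ($levelOk -and $missing.Count -eq 0) {
    'Prerequisites met: the GPO can be linked to workstations.'
} else {
    Write-Warning "Do not link the GPO to workstations yet ($($missing.Count) DC(s) unconfirmed)."
}
```

The attributes are only populated once the policy is active on the domain controllers and the test account has logged on interactively, so empty values before that point are expected.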

For more information check out:

http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

http://technet.microsoft.com/en-us/library/dd446680(WS.10).aspx

6 Comments

  1. We recently tried to deploy a GPO on our network (all Server 2008 and Windows 7) to show previous logons during user logon. The setting is located in Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Logon Options | Display information about previous logons during user logon = Enabled. Our domain level is set to Windows Server 2008. I verified that it is Windows Server 2008 on Domain and Trust.

    Here is the article about this setting:

    Active Directory Domain Services: Last Interactive Logon

    But after we deployed the setting, we were no longer able to log in to any of our Windows 7 machines. All of them got an error message that said: “Security policies on this computer are set to display information about the last interactive logon. Windows could not retrieve this information. Please contact your network administrator for assistance.”

    The setting worked on Windows Server 2008. I was able to log in to the DC and revise the setting, so we can log back in to the Windows 7 machines.

    Has anyone experienced this issue before? I looked all over the web and the only thing they said is to make sure the domain functional level must be set to Windows Server 2008, which it is.

    • Sorry. I have not come across that issue… You could try troubleshooting the issue by applying security group filtering to the GPO and only applying it to some objects. It almost sounds like that attribute is not readable. Is there any special security delegated to the AD objects?
