Windows Server 2008: Show last logon info at logon screen


Dirteam.com started blogging again and is now an affiliate of Bink.nu. This blog is a great resource for Windows Server stuff...

From the WNT4 days it was possible to use the "lastLogon" attribute to determine the last logon time of a user account. This attribute has been available in all OSes until now. The caveat of this attribute is that it does not replicate between DCs, and because a user account can be authenticated by any DC in the domain, you would need to retrieve the information from every DC in the domain. Starting with Windows Server 2003 (W2K3) a new attribute called "lastLogonTimeStamp" was introduced, which records the last logon time of a user account more accurately. This attribute is only used by the system once the Domain Functional Level has been raised to Windows Server 2003, which means that only W2K3 DCs exist in the AD domain and no WNT4 or W2K DCs. Compared to the "lastLogon" attribute, the "lastLogonTimeStamp" attribute does replicate. To prevent excessive replication, the attribute is only updated for NTLM and Kerberos interactive logons under certain conditions: it is updated if it is older than [(the current time) - (value of the "msDS-LogonTimeSyncInterval" attribute)]. For an accurate explanation of when the attribute is updated I suggest you read joe's post about the "Replication of lastLogonTimeStamp".
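The two attribute behaviours described above, modelled as an added example (this is not code from the original post or from Dirteam): lastLogon is non-replicated, so the real last logon is the newest value read from every DC, while the replicated lastLogonTimeStamp is only rewritten when the stored value is older than (now - msDS-LogonTimeSyncInterval). The DC names and timestamps are constructed sample data, and the 14-day interval is an assumed default.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# AD stores these attributes as Integer8 FILETIME values: 100-nanosecond ticks
# since 1601-01-01 00:00 UTC, where 0 means "never logged on".
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def at(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Builds a UTC timestamp; used only for the constructed sample data."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    return None if ft == 0 else _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # timedelta // timedelta is exact integer arithmetic, so no float rounding
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def true_last_logon(per_dc_lastlogon: Dict[str, int]) -> Optional[Tuple[str, datetime]]:
    """lastLogon never replicates: read it from every DC, the newest value wins."""
    best = None
    for dc, ft in per_dc_lastlogon.items():
        when = filetime_to_datetime(ft)
        if when is not None and (best is None or when > best[1]):
            best = (dc, when)
    return best


def should_update_lastlogontimestamp(stored_ft: int, now: datetime,
                                     sync_interval_days: int = 14) -> bool:
    """A DC rewrites the replicated lastLogonTimeStamp only when the stored value
    is older than (now - msDS-LogonTimeSyncInterval); 14 days is the assumed default.
    The extra randomisation joe's post describes is not modelled here."""
    stored = filetime_to_datetime(stored_ft)
    return stored is None or stored < now - timedelta(days=sync_interval_days)


def simulate_logon(per_dc_lastlogon: Dict[str, int], llts_ft: int, dc: str,
                   now: datetime, sync_interval_days: int = 14) -> Tuple[Dict[str, int], int]:
    """One interactive logon authenticated by `dc`: lastLogon changes on that DC
    only, while lastLogonTimeStamp changes only if it is stale."""
    updated = dict(per_dc_lastlogon)
    updated[dc] = datetime_to_filetime(now)
    if should_update_lastlogontimestamp(llts_ft, now, sync_interval_days):
        llts_ft = datetime_to_filetime(now)
    return updated, llts_ft
```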

As you might have noticed, Windows Server 2008 (Microsoft's flagship OS) has RTMed. That OS introduces a new set of attributes which allow you to determine:

This feature is only available after the Domain Functional Level has been raised to Windows Server 2008, which means that only W2K8 DCs exist in the AD domain and no WNT4, W2K or W2K3 DCs. Even after raising the DFL the feature is not available right away. For this feature you need to distinguish two things: "reporting the information at logon" and "writing the information into the directory at logon". The feature can only be leveraged by Windows Vista and Windows Server 2008; other OSes will ignore it. Compared to the other attributes mentioned, these attributes are updated without conditions.

To "write the information into the directory at logon", a GPO with DCs in its Scope of Management must have the following setting enabled:

  • Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options\Display information about previous logons during user logon = ENABLED

At the same time it will also report the information for all accounts logging on at ANY DC in the AD domain.

To "report the information at logon", a GPO with servers and/or clients in its Scope of Management must have the following setting enabled:

  • Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options\Display information about previous logons during user logon = ENABLED

If the feature is enabled for servers and/or clients but not for W2K8 DCs (independent of the Domain Functional Level), the following error will occur at logon.

