Monday, July 27, 2015

Display Last Interactive Logon Information in Windows Server 2008/2012

Imagine that your network security was compromised and you have good reason to believe that someone attacked and compromised your domain environment. Or maybe you need to track the number of unsuccessful logon attempts to the domain. Or perhaps the security officer at your organization has asked you for a report. In this article I will show you how to display the last interactive logon information in Windows Server 2008 and Windows Server 2012.




Activate Last Interactive Logon

One of the great features that Windows Server 2008/R2/2012 has to offer is the last interactive logon information. In order to activate last interactive logon, the functional level of the domain must be set at minimum to Windows Server 2008. I will perform these steps and take screenshots on a Windows Server 2008 R2 machine, but it all works the same on Windows Server 2012.
When last interactive logon is activated for the Active Directory domain, the following AD attributes of the user’s object store the relevant information. These attributes are already a part of the AD schema and do not require any modification to AD.
  • msDS-FailedInteractiveLogonCount – The number of failed logon attempts since the last interactive logon setting was enabled
  • msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon – The total number of failed interactive logons until the last successful logon
  • msDS-LastFailedInteractiveLogonTime – The time when the last failed logon attempt occurred
  • msDS-LastSuccessfulInteractiveLogonTime – The time of the last successful logon attempt to a workstation
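
One way to turn the four attributes above into a per-user report (an added example, not code from the original article). The function names, the `$LogonAttrs` variable and the sample accounts are assumptions made for illustration; it assumes PowerShell 3.0 or later, and reading live data assumes the ActiveDirectory module's `Get-ADUser`.

```powershell
# Added example (not from the original article). Assumes PowerShell 3.0+.
# Live input additionally assumes the ActiveDirectory (RSAT) module:
#   Get-ADUser -Filter * -Properties $LogonAttrs | ConvertTo-LogonReport
$LogonAttrs = 'msDS-FailedInteractiveLogonCount',
              'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon',
              'msDS-LastFailedInteractiveLogonTime',
              'msDS-LastSuccessfulInteractiveLogonTime'

function Convert-FileTime {
    param($Value)
    # The two time attributes are 64-bit FILETIME values; empty or 0 = never recorded.
    if (-not $Value -or [int64]$Value -le 0) { return $null }
    [DateTime]::FromFileTimeUtc([int64]$Value)
}

function ConvertTo-LogonReport {
    param([Parameter(ValueFromPipeline = $true)]$User)
    process {
        $total    = [int]$User.'msDS-FailedInteractiveLogonCount'
        $atLastOk = [int]$User.'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'
        $lastFail = Convert-FileTime $User.'msDS-LastFailedInteractiveLogonTime'
        $lastOk   = Convert-FileTime $User.'msDS-LastSuccessfulInteractiveLogonTime'
        [pscustomobject]@{
            User                   = $User.SamAccountName
            FailedTotal            = $total
            # Failures recorded after the last successful logon.
            FailedSinceLastSuccess = $total - $atLastOk
            LastFailureUtc         = $lastFail
            LastSuccessUtc         = $lastOk
            # True when the newest event on the account is a failed attempt.
            FailureIsNewest        = [bool]($lastFail -and (-not $lastOk -or $lastFail -gt $lastOk))
        }
    }
}

# Constructed sample objects standing in for Get-ADUser output.
$now = [DateTime]::UtcNow
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'   # constructed account
        'msDS-FailedInteractiveLogonCount'                      = 7
        'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon' = 2
        'msDS-LastFailedInteractiveLogonTime'     = $now.AddHours(-1).ToFileTimeUtc()
        'msDS-LastSuccessfulInteractiveLogonTime' = $now.AddDays(-3).ToFileTimeUtc() },
    [pscustomobject]@{ SamAccountName = 'bob'     # constructed: attributes never set
        'msDS-FailedInteractiveLogonCount' = 0 }
)
$sample | ConvertTo-LogonReport |
    Sort-Object FailedSinceLastSuccess -Descending | Format-Table -AutoSize
```

Accounts whose attributes are still empty, like the second sample, show blank timestamps; the values are only recorded once last interactive logon has been activated for the domain.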




  • In the Group Policy Editor window, browse to: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Logon Options
A setting called “Display information about previous logons during user logon” is not configured by default.


Since we linked the GPO to the Domain Controllers OU, I will restart my demo Domain Controller in order to apply the GPO settings. Of course you can simply use the gpupdate /force command, and you may not need to reboot.
After the machine boots up, when I press Alt+Ctrl+Del to log in and enter the username and password, the following screen is displayed.


