What is Interactive Logon?

  • Question

  • Hi,

    Can somebody explain to me exactly what interactive logon is? I don't know what it has to do with logging in from the logon screen. From what I've read it sounds like it's more about services and scheduled tasks being able to interact with the desktop/session.
    I know there are security policies for allowing/denying interactive logon so it must have something to do with using the login screen.

    I know that in Windows you can log on to a computer if the account isn't stored on that computer, through a domain for example. But I'm not sure what this 'interacting with the session' means.

    I also know that a console task can run as a separate user/credential and I know that a user account can have a different profile impersonating it but the files from that account still stay put, in the same locations.

    Does this have anything to do with it?

    Regards, Rocklore

    • Edited by rocklore Wednesday, October 2, 2013 11:49 PM
    Wednesday, October 2, 2013 11:44 PM

Answers

  • ... 1. If there is just one computer with one account that can host a domain and can switch over to a workgroup then:

    Isn't logging in interactively to that account either to its domain or its workgroup just the same as using the welcome screen, if not what's the difference? ...

    I do not get your question on "one account that can host a domain and can switch over to a workgroup". Anyway, referring back to the same diagram,

    • Local user accounts  User accounts defined on a local computer are called local user accounts. Local user accounts have access to the local computer only, and they must authenticate themselves before they can access network resources. You create local user accounts with the Local Users And Groups utility.

    • Domain user accounts  User accounts defined in Active Directory are called domain user accounts. Through Single Sign-On, domain user accounts can access resources throughout the domain. Domain user accounts are created in Active Directory Users And Computers.

    If you are asking whether logon via Welcome Screen is considered Interactive Logon, the answer is yes (even though Ctrl + Alt + Del does not apply).

        

    ... 2. What is the difference between classic logon and interactive logon ...

    You cannot compare classic logon with interactive logon. Interactive logon is the method that you use to log on to a computer. Classic logon and Welcome Screen logon are the user interfaces that Microsoft provides for users to carry out Interactive Logon.

    • The Welcome screen provides a list of accounts on the computer. To log on with one of these accounts, you click the account and type a password (if one is required). Note that the Welcome screen does not display all the accounts that have been created on the computer. Some accounts, such as Administrator, are hidden from view. The Welcome screen is convenient because it displays a list of available accounts.

          

    • The Classic Logon screen requires users to type a logon name rather than selecting an account from a list of available accounts. The Logon screen has several features that you can control. By default, the name of the last user to log on is displayed in the User Name field of the Log On To Windows dialog box. You can improve security by hiding the user name of the last user to log on. Instead, users will need to know a valid account name for the computer.

          

          

    Hope that helps.

        

    Cheers,


    Tas Chew

    • Marked as answer by rocklore Sunday, October 6, 2013 3:24 PM
    Sunday, October 6, 2013 10:11 AM

All replies

  • Read these articles. They may help you a little.

    What is Interactive Logon?

    http://technet.microsoft.com/en-us/library/cc780095(v=ws.10).aspx

    How Interactive Logon Works?

    http://technet.microsoft.com/en-us/library/cc780332(v=ws.10).aspx

    • Proposed as answer by Tas76 Friday, October 4, 2013 3:30 PM
    Thursday, October 3, 2013 7:11 AM
  • I've read those two, they're the only ones I can find but I don't understand them.
    Thursday, October 3, 2013 1:11 PM
  • ... I've read those two, they're the only ones I can find but I don't understand them ...

    Hi,

        

    The diagram illustrated in What is Interactive Logon has explained it all.

    In short, users need to have direct physical access to the computer console, press the Ctrl + Alt + Del keys, and enter either the local account or domain account. These actions, collectively, are known as Interactive Logon.

        

    Remote access via Terminal Service is also considered Interactive Logon, and is further qualified as remote interactive.

        

    Having understood what Interactive Logon is, is there any topic that you wish to relate to Interactive Logon and do not understand?

        

    P.S. Profile impersonating, one of the topics that you brought up in your original post, also known as RUNAS, can only be executed after a successful Interactive Logon.

        

    Hope that helps.

        

    Cheers,


    Tas Chew

    • Edited by Tas76 Friday, October 4, 2013 3:24 PM
    Friday, October 4, 2013 3:22 PM
  • Thanks a lot, this makes more sense as I was unsure what the login window's purpose was for since there is the welcome screen logon UI and interactive logon. Still a couple of questions:

    1. If there is just one computer with one account that can host a domain and can switch over to a workgroup then:

    Isn't logging in interactively to that account either to its domain or its workgroup just the same as using the welcome screen, if not what's the difference?

    2. What is the difference between classic logon and interactive logon?

    I have more questions related to interactive logon but I'll probably ask those after I understand this part.


    • Edited by rocklore Friday, October 4, 2013 5:36 PM
    Friday, October 4, 2013 5:30 PM
  • Ah, I didn't know you can log in interactively from the welcome screen as well as classic logon.

    How would I choose (what would I do) to login locally or interactively? (I don't mean secpol or anything like it)


    • Edited by rocklore Sunday, October 6, 2013 3:39 PM
    Sunday, October 6, 2013 3:27 PM
  • Which one is more secure please?
    Friday, April 18, 2014 1:06 PM
  • Ah, I didn't know you can log in interactively from the welcome screen as well as classic logon.

    How would I choose (what would I do) to login locally or interactively? (I don't mean secpol or anything like it)


    It's been nearly three years, so I assume you've cleared this all up since the post I'm quoting, but just to tidy up this loose end...

    When you log on to

    • a PC or server
    • either physically at the machine's keyboard, or remotely using Remote Desktop (RDP), or VNC, or Teamviewer, or Microsoft Remote Assistance, or any number of remote control alternatives
    • using either a local account or a domain account if the machine is a member of a domain, 
    • or using a local account if it's not a member of a domain
    • via a Classic Logon screen, or a Welcome Screen

    ...you are logged on interactively. Any time you can see the desktop, icons, the mouse pointer (unless there happens to not be a mouse attached), the Start Menu, etc, you are logged on interactively.

    To complete the comparative picture, we should give examples of when you are not logged on interactively.

    1. At your own PC (let's call it RockLorePC1), you fire up the Command Prompt, and run PSExec to run a command against, or rather ON, a remote machine (which we'll call JazzTaleSrv1). Of course your session on RockLorePC1 is an Interactive Logon, but your session on JazzTaleSrv1 is a NON-Interactive Logon.
    2. If you map a drive to "\\JazzTaleSrv1\Shared", your logon to that server is NON-Interactive.
    3. If you have RSAT tools installed on your PC and you run the 'AD Users And Computers' tool, or the DHCP Console, or any number of other MMC Snap-Ins, then connect to another server that runs the Role that you've fired up the tool for, your logon/session to the Domain Controller/DHCP Server/Whatever Server, is NON-Interactive.

    In all three of those examples you are not in control of the Start Menu, or the mouse and so on, therefore you are not logged on interactively.


    • Edited by JPJ-UK Thursday, June 9, 2016 9:09 PM Edits for appearance
    Thursday, June 9, 2016 9:07 PM
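
Added example (not part of any post in this thread): Windows records the distinction described above in the Logon Type field of Security event 4624. The Python sketch below parses constructed event XML and lists the logons that created a desktop session; the sample events, the `<Events>` wrapper and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS_URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": NS_URI}

# Logon types Windows records in Security event 4624 (successful logon).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}
# Assumption: the types that give the user a desktop session, which is
# what the thread calls an interactive logon.
INTERACTIVE = {2, 7, 10, 11}

def _ev(event_id, user, logon_type, ip):
    """Build one constructed event (not a real log record)."""
    return (f"<Event><System><EventID>{event_id}</EventID>"
            f"<Computer>JazzTaleSrv1</Computer></System><EventData>"
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="LogonType">{logon_type}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')

# Constructed sample; host and user names reuse the thread's examples.
SAMPLE = (f'<Events xmlns="{NS_URI}">'
          + _ev(4624, "rocklore", 3, "192.0.2.10")   # mapped drive to a share
          + _ev(4624, "rocklore", 10, "192.0.2.10")  # Remote Desktop session
          + _ev(4624, "admin1", 2, "-")              # at the console
          + _ev(4634, "rocklore", 3, "-")            # logoff event, skipped
          + _ev(4624, "svc_backup", 5, "-")          # service start
          + "</Events>")

def parse_logons(xml_text):
    """Return one dict per 4624 event found in the XML."""
    rows = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        data = {d.get("Name"): d.text or ""
                for d in ev.findall("e:EventData/e:Data", NS)}
        code = int(data.get("LogonType") or 0)
        rows.append({"host": ev.findtext("e:System/e:Computer", namespaces=NS),
                     "user": data.get("TargetUserName", ""),
                     "type": LOGON_TYPES.get(code, f"Unknown({code})"),
                     "source": data.get("IpAddress", ""),
                     "interactive": code in INTERACTIVE})
    return rows

def interactive_logons(xml_text):
    """List (user, logon type) for logons that created a desktop session."""
    return [(r["user"], r["type"]) for r in parse_logons(xml_text)
            if r["interactive"]]
```
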
  • Which one is more secure please?

    What are the choices?

    If you mean out of the choice of Domain Account v Local Account, I would say Domain Account is (at least likely to be) more secure (e.g. more likely to be good password policies in place, GPO restricting bad practices).

    If you mean Interactive v Non-Interactive, then when it comes to servers it is best practice to log on NON-Interactively with the use of MMC Snap-Ins, or commands run from either a Command Prompt or a PowerShell CLI, against a server. Using such tools introduces less risk. For one thing, you'll be less likely to accidentally shut down a server this way (been there, done that!)

    Thursday, June 9, 2016 9:16 PM