New Feature - Win2k8 Server

    Question

  • Hi,

     

    I was reading that once you set up the Functional Level of both the forest and domain to be Windows 2008, a new feature will be available:

     

    Last Interactive Logon Information, which displays the time of the last successful interactive logon for a user, the number of failed logon attempts since the last logon, and the time of the last failed logon.

     

    Where can I see such a feature?

     

    _____________________________

    Tarek Majdalani
    Computer Engineer, CIW, MCSA: Security 2000/2003, TS: Windows Vista
    MVP -- ISA Firewalls
    Website : http://www.elmajdal.net/Win2k8

    Thursday, January 31, 2008 1:52 PM

Answers

  •  

    "ms-DS-Last-Failed-Interactive-Logon-Time" is an attribute that users in Windows 2008 have, pretty much like "phone" and "mail".

     

    "Phone" is an attribute that is easily accessed through ADUC.  "Mail" is also available if you have some bits from Exchange installed.

     

    "ms-DS-Last-Failed-Interactive-Logon-Time" and the other attributes that you are talking about are unique to Windows 2008.  When a user tries to login and enters a bad password, the time of this attempt is then stored in the "ms-DS-Last-Failed-Interactive-Logon-Time" attribute.  It stays there and is not modified until a user tries to login with a bad password again.

     

    These new attributes are not going to be easy to get at.  You are going to have to use ADSI Edit to get a visual on them.  The use of these attributes will be far better realized if you write LDAP queries or use an active monitoring device like SCOM 2007 or MOM 2000/2005.

    Friday, February 1, 2008 3:45 PM
  • One of the reasons that we are storing this information is so that it can be displayed to the user at logon.  If you enable the following policy "Display information about previous logons during user logon" then the values stored in that attribute will be displayed on Windows Server 2008 and Windows Vista machines during the logon process.  That policy is a computer policy and can be found under Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Logon Options.  We had several customers in highly secure environments that wanted this information displayed to the user at logon, so now you have the option.

     

    Thanks,

     

    -Steve

    Saturday, February 2, 2008 4:58 AM

All replies

  • There are a number of ways to pull this information, but to start, I would use ADSI edit.  Those should be a set of attributes attached to the user.

     

    This link explains "Last Failed Interactive Logon":

    http://msdn2.microsoft.com/en-us/library/ms677435(VS.85).aspx

     

    Thursday, January 31, 2008 2:30 PM
  • Hi,

     

    Thanks for the reply, but the above link was completely Chinese to me; I didn't understand anything from it.

     

    There is nothing inside the ADUC snap-in where I can see this new feature!

     

    Do you have a link to an article on how to use this new feature?

    Friday, February 1, 2008 9:30 AM
  •  

    Thanks for your response, I got it now.

     

    Do you have any written LDAP queries?

     

    With Windows Server 2003 we used to have acctinfo.dll to get the Additional Account Info tab inside ADUC. Why is this not built into Windows Server 2008? Or does this same file work with Windows Server 2008?

    Friday, February 1, 2008 4:35 PM
  • I do not have anything written off hand that would help you out, but this link:

     

    http://technet.microsoft.com/en-us/library/aa996205.aspx?WT.svl=2007resources

     

    is very useful and provides enough examples that you could do some searching with it.

     

    I don't know if the acctinfo.dll from Windows 2003 will work at all with a Windows 2008 server.  I do know that if it did work, the tab in ADUC would not have any of the new attributes on it - none of those attributes existed when the dll was written.

     

    Friday, February 1, 2008 5:29 PM
  • Hi Steve,

     

    That's great, every user will be able to see his own info.

     

    But as an administrator, how can I see the info of each user?

     

    From Windows Server 2008, where can I take a look at the users' info?

     

    Thanks,

    Tarek

     


     

    Saturday, February 2, 2008 2:41 PM
  • Can this in any way complement the badPwdCount attribute?  Or creative uses together?

    I'd like to get more information and make better account lockout policies, as it is currently very hard to troubleshoot why people's accounts get locked out.

     

    Saturday, February 2, 2008 11:11 PM
  • Tarek,

    Unfortunately the attributes are not natively exposed in the UI, i.e. you cannot see their value in Active Directory Users & Computers.  The attributes are however viewable via your favorite LDAP viewer, for example ADSIEdit.msc, LDP.exe, PowerShell....  The attributes of interest are the following:

     

    msDS-FailedInteractiveLogonCount

    msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon

    msDS-LastFailedInteractiveLogonTime

    msDS-LastSuccessfulInteractiveLogonTime

     

    All of these are integer values with the last two being stored as NT time epoch (NTTE) which is the interval in seconds since January 1, 1601.  There are several script samples that show how to convert that into a human readable format or you can use w32tm /ntte <value>.

     

    Thanks,

     

    -Steve

    Tuesday, February 5, 2008 12:29 AM
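    Tarek asked earlier for written LDAP queries and here for a way an administrator can review each user's values. As an added example (not code from this thread or from Microsoft), the following PowerShell script pulls the four attributes Steve lists for every user with a single DirectorySearcher query and converts the timestamps. It assumes a domain-joined host and an account permitted to read the attributes, and it treats the two timestamps as 100-nanosecond intervals since 1601-01-01 UTC, the FILETIME encoding that w32tm /ntte also decodes.

```powershell
# Added example (not code from the thread): list the four Windows Server 2008
# interactive-logon attributes for every user with one LDAP query, as Steve suggests.
# Assumptions: run on a domain-joined host as an account allowed to read the
# attributes; search base is the current domain's defaultNamingContext.
# Timestamps are LargeInteger values in 100-nanosecond intervals since 1601-01-01
# UTC (what w32tm /ntte also decodes), so the .NET FILETIME conversion applies.

function Convert-NtTimeEpoch {
    param([Int64]$Value)
    if ($Value -le 0) { return $null }   # 0 or absent: never recorded
    return [DateTime]::FromFileTimeUtc($Value)
}

# First value of an attribute, or $null when it has never been set on the object
function Get-Attr($props, $name) {
    $v = $props[$name]
    if ($v -and $v.Count -gt 0) { return $v[0] } else { return $null }
}

function Get-InteractiveLogonInfo {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher.PageSize   = 1000
    # Only users that have recorded at least one interactive logon or failure
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
        "(|(msDS-LastSuccessfulInteractiveLogonTime=*)(msDS-LastFailedInteractiveLogonTime=*)))"
    $searcher.PropertiesToLoad.AddRange([string[]]@(
        'sAMAccountName', 'msDS-FailedInteractiveLogonCount',
        'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon',
        'msDS-LastFailedInteractiveLogonTime', 'msDS-LastSuccessfulInteractiveLogonTime'))

    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties   # DirectorySearcher returns LargeInteger attributes as Int64
        $failedTotal  = [int](Get-Attr $p 'msDS-FailedInteractiveLogonCount')
        $failedAtLast = [int](Get-Attr $p 'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon')
        New-Object PSObject -Property @{
            User                 = [string](Get-Attr $p 'sAMAccountName')
            LastSuccessfulLogon  = Convert-NtTimeEpoch (Get-Attr $p 'msDS-LastSuccessfulInteractiveLogonTime')
            LastFailedLogon      = Convert-NtTimeEpoch (Get-Attr $p 'msDS-LastFailedInteractiveLogonTime')
            # Failed attempts since the last successful logon, as the logon screen reports it
            FailedSinceLastLogon = $failedTotal - $failedAtLast
        }
    }
}

Get-InteractiveLogonInfo |
    Sort-Object LastFailedLogon -Descending |
    Format-Table User, LastSuccessfulLogon, LastFailedLogon, FailedSinceLastLogon -AutoSize
```

    Users with neither attribute set are skipped by the filter; a null date in the output means that particular event has never been recorded for the user.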
  • If you are asking can you combine these values to create a more intelligent lockout policy then I believe the answer is no.  You can of course use them in further troubleshooting account lockouts.

     

    Thanks,

     

    -Steve

     

    Tuesday, February 5, 2008 12:30 AM
  •  

    Trying to enable the Additional Account Info tab. I've downloaded the Acctinfo.dll and registered it. However I'm still not seeing the new tab.

     

    Is there anything else that I need to do?

    Tuesday, April 8, 2008 11:44 PM
  • I have Vista x64 with RSAT and I am unable to get the acctinfo.dll to work.  Has anyone come up with a solution?
    Tuesday, July 15, 2008 7:57 PM
  • This information is available through the 2008 ADUC pretty easily, however I really liked the tab.  It made it easier for Junior admins to understand.  There have not been any more posts for a while.  Has anyone had any luck on this front?  Third party tools or the sort?  There must be someone out there with time on their hands to write something up?

    Friday, October 16, 2009 3:48 PM