
Thursday, December 02, 2010

Interactive logon information

I got into some discussions about these 4 attributes and how they work. Here it is:


msDS-FailedInteractiveLogonCount: The total number of failed Ctrl + Alt + Del (C-A-D) logon attempts at a Windows Vista or Windows Server 2008 domain joined member (or higher) since the Last Interactive Logon Information feature was turned on.
Integer

msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon: The total number of failed C-A-D logon attempts at a Windows Vista or Windows Server 2008 domain joined member (or higher) up until the last successful C-A-D logon.
Integer

msDS-LastFailedInteractiveLogonTime: The time that an incorrect password was presented during a C-A-D logon attempt at a Windows Vista or Windows Server 2008 domain joined member (or higher).
Timestamp

msDS-LastSuccessfulInteractiveLogonTime: The time that a successful C-A-D logon occurred at a Windows Vista or Windows Server 2008 domain joined member (or higher).
Timestamp

If the username/password is correct, the timestamp is written to msDS-LastSuccessfulInteractiveLogonTime. If the username/password is wrong, the timestamp is written to msDS-LastFailedInteractiveLogonTime. Then the values of msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon and msDS-FailedInteractiveLogonCount get raised by one (1). For example, if msDS-FailedInteractiveLogonCount already has 2 it becomes 3.

When it is configured, two things will happen:
1) The domain controller writes the information to AD and replicates it. [Screenshot 1]
2) On the machine the user logs on to (at least Vista or Server 2008, or higher) a query is sent to display the information at the logon screen. [Screenshot 2]

[Screenshot 1] The information waiting to be replicated to other DCs:

(0) modify CN=Jimmy Andersson,OU=Users,OU=ADS,OU=Services,OU=_Operations,DC=qadvice,DC=prv
1> objectGUID: 1e8979ba-94f8-47fe-83cc-99e9c28fa016
1> instanceType: 0x4 = ( WRITE )
1> msDS-LastSuccessfulInteractiveLogonTime: 2010-11-14 19:43:54 W. Europe Standard Time

[Screenshot 2] The information displayed to the user after a successful logon



What you need to think about:

Each time a user logs on, it creates replication traffic, as you can see in screenshot 1. This information is then replicated to all domain controllers – in large environments this will most likely be an issue. So this feature should be used with caution!

If a RODC authenticates the user, this will happen:
• msDS-LastSuccessfulInteractiveLogonTime will only be written to the RODC and not forwarded to the RWDC
• msDS-LastFailedInteractiveLogonTime is written to the RODC and the RWDC. Then it will be replicated back from the RWDC to the RODC.
• msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon will only be written to the RODC and not forwarded to the RWDC
• msDS-FailedInteractiveLogonCount is written to the RODC and the RWDC. Then it gets replicated back from the RWDC
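Added example (not code from the original post): a PowerShell function that reads the four attributes described above for one user from a chosen DC, converts the FILETIME values, and, using the definitions above (total failures minus the count recorded at the last success), flags accounts with many failed logons since their last successful one. The -Server parameter lets you compare an RODC's copy with the RWDC's, as the bullets above describe; the account and RODC names are placeholders and the RSAT ActiveDirectory module is assumed.

```powershell
# Added example, not code from the original post. Reads the four Last Interactive Logon
# attributes for one user from a chosen DC and works out how many failed C-A-D logons
# have happened since the last successful one. Assumes the RSAT ActiveDirectory module
# and a DC reachable over ADWS; the server and account names used below are placeholders.
function Get-InteractiveLogonInfo {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $Server,             # a specific DC (e.g. an RODC) to read its own copy
        [int]    $AlertThreshold = 5  # failures since last success worth a closer look
    )
    if (-not $Server) {
        # Default to a writable DC: an RODC only holds its own copy of the success data
        $Server = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1
    }
    $attrs = 'msDS-LastSuccessfulInteractiveLogonTime',
             'msDS-LastFailedInteractiveLogonTime',
             'msDS-FailedInteractiveLogonCount',
             'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'
    $u = Get-ADUser -Identity $SamAccountName -Server $Server -Properties $attrs

    # The two timestamps are stored as 64-bit FILETIME values; Get-ADUser returns them
    # unconverted (only lastLogonTimestamp gets a friendly LastLogonDate twin).
    function ConvertFrom-FileTime($v) {
        if ($null -eq $v) { return $null }
        if ($v -is [datetime]) { return $v }
        return [datetime]::FromFileTimeUtc([int64]$v)
    }
    # [int]$null is 0, so a user who never failed a logon yields 0 instead of an error
    $failedTotal  = [int]$u.'msDS-FailedInteractiveLogonCount'
    $failedAtLast = [int]$u.'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'

    # Per the attribute definitions: total failures minus the count recorded at the
    # last successful logon = failures since that success.
    $sinceSuccess = $failedTotal - $failedAtLast

    [pscustomobject]@{
        User                     = $u.SamAccountName
        QueriedDC                = $Server
        LastSuccessfulLogonUtc   = ConvertFrom-FileTime $u.'msDS-LastSuccessfulInteractiveLogonTime'
        LastFailedLogonUtc       = ConvertFrom-FileTime $u.'msDS-LastFailedInteractiveLogonTime'
        FailedLogonCount         = $failedTotal
        FailedCountAtLastSuccess = $failedAtLast
        FailuresSinceLastSuccess = $sinceSuccess
        ReviewNeeded             = ($sinceSuccess -ge $AlertThreshold)
    }
}
# Usage (placeholder names): compare what the writable DC and an RODC hold for one user.
Get-InteractiveLogonInfo -SamAccountName 'jandersson' | Format-List
Get-InteractiveLogonInfo -SamAccountName 'jandersson' -Server 'RODC01.qadvice.prv' | Format-List
```

Because the success timestamp stays on the RODC that authenticated the user, the two calls can legitimately disagree on LastSuccessfulLogonUtc while agreeing on the failure attributes.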

Note! If you configure this for an OU but do not configure it on the domain controllers, the users will be faced with this error and will not be able to log on:

Security policies on this computer are set to display information about the last interactive logon. Windows could not retrieve this information. Please contact your network administrator for assistance.

If a domain controller can't be located, the user will not be able to log on.

If you still see a need to use this feature, this is how you configure it:
Create a GPO and link it to both the domain controllers OU and to the OU containing the clients on which you want the users to see this logon information. Of course, if you want to be more flexible, create two GPOs, one for the domain controllers OU and one for the clients, to which you can then apply group filtering etc.

Note! Even if you select only a few clients to show this information on, you actually affect all DCs. So even if the users only see this information on a selected number of clients – the information is still written to a DC (for all logons) and then replicated to all DCs. This is because you enable it on the DC(s), and thus all users are affected.

My recommendation:
Only use it when you really need it. Displaying the information to normal end users is useless since they won't understand it – most users will only click OK without reading it anyway…
