Windows has a useful feature that displays information about the last interactive sign-in directly on the Windows Welcome screen. It works like this: each time a user enters a password to log on, a message shows the date and time of the last successful logon and of the last failed attempt, together with the number of failed attempts since the last successful one. If someone enters a wrong password (for example, during an unauthorized access attempt), the legitimate user sees a notification about that failed attempt at the next logon.
In this article we'll look at how to display information about the last interactive logon on the Windows Welcome screen. The feature is available in all Windows versions starting with Windows Vista; for domain accounts it requires the Windows Server 2008 domain functional level. That functional level added several user attributes to the Active Directory schema that store information about interactive logon attempts:
- msDS-FailedInteractiveLogonCount is the total number of failed interactive sign-in attempts since the policy that collects this data was enabled
- msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon is the number of failed interactive sign-in attempts that preceded the last successful logon
- msDS-LastFailedInteractiveLogonTime is the time of the last failed interactive logon attempt
- msDS-LastSuccessfulInteractiveLogonTime is the time of the last successful interactive logon
Unlike the older attributes lastLogon, badPasswordTime and badPwdCount, which are updated only on the domain controller that processed the logon and are not replicated, these attributes are replicated to all domain controllers in the domain. (lastLogonTimestamp is replicated, but by design it is refreshed only when the stored value is more than 9 to 14 days old, so it cannot be used to track individual attempts.)
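The following PowerShell report is an added example, not part of the original article. It reads the four msDS-* attributes for all enabled domain users, converts the FILETIME values to dates, and lists the accounts that have had a failed interactive logon since their last successful one, which is the list a defender wants when reviewing password-guessing activity. It assumes the ActiveDirectory RSAT module is installed and that the policy has already been applied to the domain controllers (otherwise the attributes are never populated).

```powershell
# Added example (not from the original article): report interactive logon
# attributes collected by the "Display information about previous logons" policy.
# Requires the ActiveDirectory module (RSAT) and the policy applied on all DCs.
Import-Module ActiveDirectory

$attrs = 'msDS-LastSuccessfulInteractiveLogonTime',
         'msDS-LastFailedInteractiveLogonTime',
         'msDS-FailedInteractiveLogonCount',
         'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'

# The time attributes are 64-bit Windows FILETIME values (Large Integer);
# $null or 0 means nothing has been recorded yet.
function ConvertFrom-FileTimeValue {
    param([AllowNull()]$Value)
    if ($null -eq $Value -or [int64]$Value -eq 0) { return $null }
    return [DateTime]::FromFileTime([int64]$Value)
}

$report = Get-ADUser -Filter 'Enabled -eq $true' -Properties $attrs |
    ForEach-Object {
        [pscustomobject]@{
            User             = $_.SamAccountName
            LastSuccess      = ConvertFrom-FileTimeValue $_.'msDS-LastSuccessfulInteractiveLogonTime'
            LastFailure      = ConvertFrom-FileTimeValue $_.'msDS-LastFailedInteractiveLogonTime'
            FailedTotal      = $_.'msDS-FailedInteractiveLogonCount'
            FailedBeforeLast = $_.'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'
        }
    }

# Accounts whose most recent failure is newer than their most recent success
# (or that have never logged on successfully) are the ones to look at.
$report |
    Where-Object { $_.LastFailure -and ($null -eq $_.LastSuccess -or $_.LastFailure -gt $_.LastSuccess) } |
    Sort-Object LastFailure -Descending |
    Format-Table -AutoSize
```

Run it from any domain-joined machine with RSAT; because the attributes replicate, any domain controller gives the same answer, which is not true for badPwdCount or lastLogon.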
You can enable the display of information about previous logon attempts with Group Policy. Open the local Group Policy Editor gpedit.msc (to enable the feature for local accounts on this computer) or the Group Policy Management Console gpmc.msc (to create or modify a domain policy) and go to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Logon Options (in the local gpedit.msc the Policies node is absent). The setting we need is Display information about previous logons during user logon.
To enable the policy, set it to Enabled and save the change.
The policy will be enabled on all computers running Windows Vista or later. Windows XP and Windows Server 2003 ignore this policy.
Now you only have to apply this policy to a target computer.
- If the local policy is used, run gpupdate /force and log on again. This is sufficient for local accounts. For domain accounts the domain controllers must also have the policy enabled; otherwise the client cannot retrieve the logon data and the user is shown a warning instead of being logged on.
- If a domain GPO is used, apply the policy to all domain controllers first (for example by linking it to the Domain Controllers OU). Once it has replicated and been applied on every DC, link the policy to the Active Directory containers holding the workstations.
At the next logon after the password of the account is entered, the following notification appears:
Successful sign-in. The last time you interactively signed in to this account was: …
Unsuccessful sign-in. There have been no unsuccessful interactive sign-in attempts with this account since your last interactive sign-in.
To continue logon, the user has to click OK (or press Enter).
On PCs without the Group Policy editor (Windows Home editions), the feature can be enabled directly in the registry:
- Run regedit.exe
- Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Edit the DWORD value DisplayLastLogonInfo (create it if it does not exist)
- Set it to 1 to enable the display of last logon information, or to 0 to disable the feature
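The same change scripted in PowerShell, as an added example that is not part of the original article. It sets and reads back the DisplayLastLogonInfo value shown above, and in the commented domain variant uses the GroupPolicy module's Set-GPRegistryValue to write the same value into a GPO (the GPO name is an assumption). Run it from an elevated session.

```powershell
# Added example (not from the original article): enable "Display information
# about previous logons during user logon" through the registry value the
# policy writes. Requires an elevated PowerShell session.

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'DisplayLastLogonInfo'

function Set-DisplayLastLogonInfo {
    param([ValidateSet(0, 1)][int]$Value)
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # DWORD 1 = show the previous-logon notice, 0 = disabled (the default)
    New-ItemProperty -Path $key -Name $name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Get-DisplayLastLogonInfo {
    $p = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }   # value absent = policy not configured
    return [int]$p.$name
}

Set-DisplayLastLogonInfo -Value 1
"DisplayLastLogonInfo is now {0}" -f (Get-DisplayLastLogonInfo)

# Domain variant (assumes the GroupPolicy RSAT module and an existing GPO
# named 'Show Previous Logon Info'; the name is an assumption). Link the GPO
# to the Domain Controllers OU first, then to the workstation OUs.
# Set-GPRegistryValue -Name 'Show Previous Logon Info' `
#     -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
#     -ValueName $name -Type DWord -Value 1
```

A registry change made this way takes effect at the next logon without a gpupdate, but on a domain-joined machine it is overwritten by whatever the domain policy says at the next refresh.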
Showing the last interactive logon is a cheap way to detect password-guessing attempts against Active Directory accounts: the user sees an unexpected failed attempt at the next logon and can report it. It also helps with regulatory and audit requirements, since the time of both failed and successful interactive access attempts to each account is recorded in the directory and shown to the account owner.