How to Display Active Directory Last Logon Information

Active Directory last logon attributes

In Windows Server 2008, Microsoft introduced four new Active Directory attributes that store information about the user’s last interactive logon:

• msDS-FailedInteractiveLogonCount(CN: ms-DS-Failed-Interactive-Logon-Count)
• msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon(CN: ms-DS-Failed-Interactive-Logon-Count-At-Last-Successful-Logon)
• msDS-LastFailedInteractiveLogonTime(CN: ms-DS-Last-Failed-Interactive-Logon-Time)
• msDS-LastSuccessfulInteractiveLogonTime(CN: ms-DS-Last-Successful-Interactive-Logon-Time)

So by default, this feature is deactivated because in environments with a large number of users, it can cause a high replication burden in the morning when many users are signing in at the same time.

Difference to lastLogon and lastLogontim

This is one difference to the attributes lastLogon, badPasswordTime, badPwdCount and lastLogontimeStamp and the first 3 were introduced in Windows 2000 and don’t replicate at all. This means that you have to query all your domain controllers if you want to use these attributes to retrieve information about the last logon of a user. The attribute lastLogontimeStamp was introduced in Windows Server 2003 and does replicate.

Next difference to the Windows Server 2008 attributes is that they log not only interactive logons but also other logons such as when a user accesses a network share. You also can’t use the old attributes for displaying the last logon information after the user signs in.

Activate interactive logon attributes

The interactive logon attributes can only be activated if your Active Directory domain functional level is Windows Server 2008 and only computers running Windows Vista and Windows Server 2008 or higher can display the last sign-in information on the login screen. Windows XP and Windows Server 2003 computers will ignore the Group Policy setting.

If you have to assign the Group Policy to all domain controllers, go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Logon Options > Display information about previous logons during user logon.

Here, only domain controllers will display the login information after sign-in. Thus, the name of the policy is a bit misleading and it just doesn’t display previous logon information on computers that are not in the scope of the policy. Depending on the size of your domain, you may have to take the corresponding replication load into account.

If you can verify that interactive logons are logged in Active Directory Users and Computers (ADUC), you have to enable Advanced Features in the View menu of ADUC. If you then double-click a user object, you should see the Attribute Editor tab.

After you configure the policy, you have to ensure that all domain controllers have received the new settings. So once the Group Policy is applied, you should see the logon information on all machines in the scope of the policy.

Display previous logon information?

A user-based rather than a computer-based Group Policy for logging login information in Active Directory would make more sense. That way, you could ensure that only administrators see the last logon information after signing in. Since only admins sign on to servers, this would make a computer-based policy more or less superfluous.