A common request by IT security offices everywhere is that when logging on, have the server tell the user when they last logged on, in the hope that if a user actually remembers when they last logged on, they can figure out when their account is compromised.
Although I question the effectiveness of this practice, as a former CISSP, it’s hard to find a strong reason to argue against implementing it.
So as Active Directory admins, how exactly do we do that without a lot of work? Well I’m going to assume your AD domain controllers are running at least Windows Server 2008 (preferrably R2). If not, upgrade. Then come back here and read the rest of this post.
For a while now, the AD schema has had two “last logon” related attributes. lastLogon and lastLogontimeStamp. You can find more information about those two attributes, and what the intended use is here:
(hint: it has nothing to do with showing the last logon of the user — they are used to help identify unused computer/user objects)
So yeah, you can pretty much ignore those attributes. The lastLogon attribute doesn’t replicate across DC’s, and the lastLogontimeStamp attribute replicates very slowly (on purpose — see above link).
Luckily it’s now 2008..er..I mean 2012, and we now have even more logon-time related attributes to play with, but these are slightly more useful:
As long as your AD forest is at 2008 functional level, you can edit the group policy being applied to your DC’s to enable these new attributes.
Note: If you enable this feature on your member servers/workstations before your DC’s, you’ll lock everyone out of those systems, so don’t do that.
As this Microsoft KB article (951020) suggests, you need to look for the “Domain Controllers provide information about previous logons when display is not enabled” setting. Except it doesn’t tell you where that is, and if you google for it (in quotes), you’ll get exactly 3 results. The first is the KB article referenced above. Besides, thats not what the setting is called. heh. Anyway, the setting is located here:
Computer Configuration -> Administrative Templates -> System -> KDC -> “Provide information about previous logons to client computers”
Yeah, enable that one. This just tells the DC’s that they now support these new attributes, but doesn’t affect servers/workstations. *NOW* you can edit group policy wherever you want to, and enable the other setting, which actually tells windows to show the last time you logged on:
Computer Configuration -> Administrative Templates -> Windows Components -> Windows Logon Options -> “Display information about previous logons during user logon”
I would provide screenshots, but it really isn’t all that exciting. Ok it kinda is, but I still don’t wanna take screenshots. :-) If you *really* want to see one, go here: