Active Directory Last Used Computer(for a specific user)



Hello. I've recently started reading for the 70-640 Exam: Configuring Windows Server 2008 Active Directory, and I think it's going well for now (first exam ever). While I was reading, I noticed some new "features"/attributes that I can't find. The book says in the first chapter:

Functional level: ....... For example, when the domain functional level is raised to Windows Server 2008, a new attribute becomes available that reveals the last time a user successfully logged on to a computer, the computer to which the user last logged on, and the number of failed logon attempts since the last logon. ..........

Can anyone confirm this? I've been through all the attributes with values using ADSI for the Administrator user in the domain (which has only logged on to the DC server), but I can't seem to find this attribute. Is it not visible because a server is not a "computer" and because of that it isn't written as a value yet, or is the attribute not there at all? Google didn't help either since everyone still uses logon scripts to log this. I know it may be possible to collect logs from the DCs to find it out, but an attribute for the last used workstation/computer would be better.

Is the author lying in the Microsoft Exam Training Kit or am I just blind? :) Thanks


I've come across this Technet Article before which might be of help to you:

http://technet.micro...v=ws.10%29.aspx

How to configure last interactive logon

You configure last interactive logon through a GPO. You must configure the following setting for the GPO with domain controllers in its scope of management if you want to report last interactive logon information to the directory service:

Computer Configuration| Policies | Administrative Templates | Windows Components | Windows Logon Options | Display information about previous logons during user logon = Enabled

If you want to display last interactive logon information to the user, you must configure this setting for both the GPO with domain controllers in its scope of management as well as any GPO with Windows Server 2008 and Windows Vista client computers in its scope of management.

However, I came across a CBT Nuggets video which described that this feature is all well and good, but can cause issues where users in the domain running Vista upwards won't be able to log in once the GPO has been applied, obviously dependent on what OU you apply the policy to. Here is just one article I have found from someone who experienced the same problem:

http://social.techne...4-6a8c4f69dc69/

Not what you want when you have users trying to log in first thing.

Microsoft do provide an extension which plugs into Active Directory which might help you though; I haven't tried it myself, so I would suggest trying it in a test domain lab first. It's called ACCINFO.DLL (search for Account Lockout Tools), then just regsvr32 it from an elevated CMD.

If you then open AD DS and look at an account, you should now have a new tab named 'Additional Account Info' which displays lots of information including Last Logon, Last Logoff, Counts, SID etc. But again, test in a lab before applying it in production just in case! Also, a minor point: that tab doesn't appear when using Server Manager, only Active Directory Users and Computers.

Here's a nice picture from Petri.co.il that shows what information it describes:

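An added example (not from this thread or from the linked TechNet article) showing what the directory actually records once the "Display information about previous logons during user logon" policy is enabled on the domain controllers at the Windows Server 2008 functional level. It assumes the RSAT ActiveDirectory module is available and uses 'jdoe' as a placeholder user name.

```powershell
# Added example: read the last-interactive-logon attributes that the
# policy above causes the DCs to maintain. Not code from the thread.
# Assumes the ActiveDirectory module (RSAT) and a placeholder user 'jdoe'.
Import-Module ActiveDirectory

function Get-LastInteractiveLogonInfo {
    param([Parameter(Mandatory)][string]$Identity)

    # These four attributes exist at the Windows Server 2008 domain
    # functional level; none of them stores the computer name.
    $attrs = @(
        'msDS-LastSuccessfulInteractiveLogonTime',
        'msDS-LastFailedInteractiveLogonTime',
        'msDS-FailedInteractiveLogonCount',
        'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'
    )
    $u = Get-ADUser -Identity $Identity -Properties $attrs

    # The time attributes are Int64 FILETIME values; unset or 0 means
    # no interactive logon has been recorded since the policy was enabled.
    $toDate = {
        param($v)
        if ($null -eq $v -or $v -eq 0) { $null } else { [DateTime]::FromFileTime($v) }
    }

    [PSCustomObject]@{
        SamAccountName            = $u.SamAccountName
        LastSuccessfulInteractive = & $toDate $u.'msDS-LastSuccessfulInteractiveLogonTime'
        LastFailedInteractive     = & $toDate $u.'msDS-LastFailedInteractiveLogonTime'
        FailedCount               = $u.'msDS-FailedInteractiveLogonCount'
        FailedCountAtLastSuccess  = $u.'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'
    }
}

Get-LastInteractiveLogonInfo -Identity 'jdoe' | Format-List
```

The output confirms the point made later in the thread: the feature yields times and failure counts only, so the workstation name still has to come from the 4624 logon events or from a logon script.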

Thanks for a quick answer. I've read about Interactive Logon, but it does not seem to show the computer used to login. It just shows time and logon tries++. That's what's so weird :s


We've played around with different methods to get last logons, and determined the best and easiest way to manage logons was using VBScripts on logon and logoff. One script writes an entry into a database at logon, and another at logoff. We also incorporated duplicate login restrictions into these scripts too. At logon, this script also creates a random file containing only the username of the person logged on, which is saved in a specific place at logon, and deleted at logoff.

I know it doesn't exactly answer your question, but it's another way of doing it.


Yes, I know, and that's what I've tried earlier in labs. That's why I got so excited when the author said the 2008 func. level had an attribute for it. It seems that he may have lied. Is there any way to see what changes are made to the schema when you raise the func. level? Then I could take a look at each attribute that's added and monitor those to see if they work as a "last computer" attribute.

Btw. How do you handle system crashes and laptops with that duplicate login restriction? If a user doesn't properly log off or does not have a network connection at the time of logout, they would be locked out until fixed. Got a smart solution for those, or do you handle it manually when the system crashes?


BGInfo allows something similar to this. We have a DB that BGInfo updates after each login. Shows user and the PC they've logged in to.
