Q: Does Windows include a mechanism to show failed logon information to the user at logon time?

A: Yes, Windows includes such a mechanism, starting with Windows Server 2008 and Windows Vista. You might be interested so that you can let your users see if someone has been trying to use their accounts and guess their passwords since they last successfully logged on to Windows.

After a user successfully logs on to Windows, the mechanism will display the last successful logon time, the last failed logon time, and the number of failed logon attempts since the last successful logon time, as shown here. The user must acknowledge this information before being presented with the Windows desktop.

Behind this feature is a new set of Active Directory (AD) attributes that are replicated between all the Domain Controllers (DCs) of a domain. These attributes allow the OS to determine the last successful and failed logons. Only Windows 7, Vista, and Server 2008 can use the feature—other Windows OSs ignore it. This feature is only available after you've increased the Domain Functional Level (DFL) to Windows Server 2008, so only Server 2008 DCs can exist in your AD domain, none from earlier OSs.

To enable this new mechanism, you must explicitly allow Windows to report the logon information and to write it to AD at logon time. You can allow both actions using a set of new Group Policy Object (GPO) settings.

To allow Windows to write the information to AD at logon, a GPO affecting your DC configuration (for example, the Default Domain Controllers GPO) must have the following setting enabled:

Computer ConfigurationAdministrative TemplatesWindows ComponentsWindows Logon OptionsDisplayinformation about previous logons during user logon

To allow Windows to report the information at logon, a GPO affecting your server and client configuration (for example, the Default Domain Policy) must have the following setting enabled:

Computer ConfigurationAdministrative TemplatesWindows ComponentsWindows Logon OptionsDisplayinformation about previous logons during user logon

One last warning: if you enable these settings for domains that are Windows Server 2003, Windows 2000 native, or Windows 2000 mixed functional level, a warning message will appear at logon time. The message will inform your users that Windows could not retrieve the logon information and they will not be able to log on. In other words, you should never enable these GPO settings if your domain is not at the Server 2008 DFL.

Related Reading: