Showing Last Logon Info at Logon in Windows Server 2008

Since the Windows NT 4.0 (WNT4) days it has been possible to use the “lastLogon” attribute to determine the last logon time of a user account, and the attribute has been available in every OS since. The caveat is that it does not replicate between DCs; because a user account can be authenticated by any DC in the domain, you would need to retrieve the value from every DC in the domain. Starting with Windows Server 2003 (W2K3) a new attribute called “lastLogonTimeStamp” was introduced which records the last logon time of a user account somewhat more accurately. This attribute is only used by the system once the Domain Functional Level has been raised to Windows Server 2003, which means that only W2K3 DCs exist in the AD domain and no WNT4 or W2K DCs. Unlike the “lastLogon” attribute, the “lastLogonTimeStamp” attribute DOES replicate. To prevent excessive replication it is only updated for NTLM and Kerberos interactive logons, and only under certain conditions: the attribute is updated if its current value is older than [(the current time) – (value of the “msDS-LogonTimeSyncInterval” attribute)].
Windows Server 2008 (Microsoft’s flagship OS) has RTMed. That OS introduces a new set of attributes which allow you to determine:
• The last successful Interactive Logon (information stored in the “msDS-LastSuccessfulInteractiveLogonTime” attribute)
• The last failed Interactive Logon (information stored in the “msDS-LastFailedInteractiveLogonTime” attribute)
• The total number of failed Interactive Logons recorded since the feature has been enabled (information stored in the “msDS-FailedInteractiveLogonCount” attribute)
• The total number of failed Interactive Logons recorded since the last successful Interactive Logon (information stored in the “msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon” attribute)
 
This feature is only available after the Domain Functional Level has been raised to Windows Server 2008, which means that only W2K8 DCs exist in the AD domain and no WNT4, W2K or W2K3 DCs. Even after raising the DFL the feature is not available right away. For this feature you need to distinguish two things: “reporting the information at logon” and “writing the information into the directory at logon”. The feature can only be leveraged by Windows Vista and Windows Server 2008; other OSes will ignore it. Unlike the other attributes mentioned, these attributes are updated unconditionally.
 
To “write the information into the directory at logon” a GPO with the DCs in its Scope of Management must have the following setting enabled:
• Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options\Display information about previous logons during user logon = ENABLED

At the same time the DCs will also report the information for all accounts logging on at ANY DC in the AD domain.
 
To “report the information at logon” a GPO with the servers and/or clients in its Scope of Management must have the following setting enabled:
• Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options\Display information about previous logons during user logon = ENABLED
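Reading these attributes back for one account, as an added example that is not part of the original post: it assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined machine, a domain already at DFL 2008 with the DC-side setting above enabled, and a placeholder account name in $SamAccountName.

```powershell
Import-Module ActiveDirectory

# Placeholder account; replace with the account to inspect.
$SamAccountName = 'jdoe'

# The W2K3 attribute plus the four W2K8 interactive-logon attributes described above.
$props = @(
    'lastLogonTimestamp',
    'msDS-LastSuccessfulInteractiveLogonTime',
    'msDS-LastFailedInteractiveLogonTime',
    'msDS-FailedInteractiveLogonCount',
    'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'
)

# AD stores these timestamps as 64-bit FILETIME values (100 ns ticks since
# 1601-01-01 UTC). An attribute that has never been written comes back as $null,
# which is what you will see until the DFL is 2008 and the DC-side GPO setting is on.
function ConvertFrom-AdFileTime([object]$Value) {
    if ($null -eq $Value -or [int64]$Value -eq 0) { return 'never recorded' }
    return [DateTime]::FromFileTimeUtc([int64]$Value).ToLocalTime()
}

$user = Get-ADUser -Identity $SamAccountName -Properties $props

$report = [PSCustomObject]@{
    Account                   = $user.SamAccountName
    LastLogonTimestamp        = ConvertFrom-AdFileTime $user.lastLogonTimestamp
    LastSuccessfulInteractive = ConvertFrom-AdFileTime $user.'msDS-LastSuccessfulInteractiveLogonTime'
    LastFailedInteractive     = ConvertFrom-AdFileTime $user.'msDS-LastFailedInteractiveLogonTime'
    FailedSinceEnabled        = $user.'msDS-FailedInteractiveLogonCount'
    FailedSinceLastSuccess    = $user.'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'
}
$report | Format-List

# A non-zero count of failed interactive logons since the last successful one is
# the same figure the user is shown at logon; it is worth a closer look from the
# admin side too (null, i.e. attribute never written, casts to 0 here).
if ([int]$report.FailedSinceLastSuccess -gt 0) {
    Write-Warning ("{0}: {1} failed interactive logon(s) since the last successful logon" -f $report.Account, $report.FailedSinceLastSuccess)
}
```

Because lastLogonTimestamp is only refreshed when it is older than the msDS-LogonTimeSyncInterval window, expect it to lag behind msDS-LastSuccessfulInteractiveLogonTime on an account that logs on daily.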
