Q: What is an interactive Windows logon session and how can users start an interactive logon session? Are there any Group Policy Object (GPO) settings I can use to control user interactive logons in my Active Directory (AD) environment? Can you also tell me where a user’s last interactive logon time is stored in AD?
A: An interactive Windows logon session is the result of an interaction between a user and the Windows OS. An interactive logon session is always initiated by a user and tells Windows that the user wants to authenticate either to a local machine or to a domain. Following this user action, Windows prompts the user for a set of authentication credentials. Because of the interaction between the OS (requesting credentials) and the user (providing credentials), Microsoft calls this method of starting an authentication process “interactive” logon. Interactive logon is also referred to as “local logon.” A successful interactive logon results in a logon session. In Windows, a user can start an interactive authentication or logon process in different ways:
- By pressing the Ctrl+Alt+Del key sequence. This key sequence is known as the Secure Attention Sequence (SAS). Microsoft also refers to this method for starting an authentication process as “secure logon” or “classic logon.” The SAS guarantees that the authentic Windows logon dialog box appears. It ensures that a user is communicating with the OS by means of a trusted path when entering his or her password and not with a program that mimics a logon prompt to retrieve password information. This interactive logon option is available on both standalone and domain-joined machines.
- By entering a user account and password in the classic logon dialog box if the Ctrl+Alt+Del key sequence is not required for calling the classic logon dialog box. You can disable the Ctrl+Alt+Del requirement on both domain-joined and standalone machines. To do so for domain-joined machines, enable the “Interactive logon: Do not require Ctrl+Alt+Del” GPO security option or create the following registry value (REG_DWORD) and set it to 1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD. This registry value can also be used on standalone machines. I don’t recommend disabling Ctrl+Alt+Del in enterprise environments, for the reason mentioned in the previous bullet.
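As an added example (not from the original article), the following PowerShell function audits the Winlogon\DisableCAD value named above on the local machine and reports whether the SAS is still required; with -Remediate it sets the value back to 0. The function name is my own, and it assumes Windows PowerShell 5.1 or later and local administrator rights for the remediation step.

```powershell
# Added example; not part of the original article.
# Checks whether Ctrl+Alt+Del (the SAS) has been switched off through the
# Winlogon\DisableCAD registry value and optionally restores the default.
function Test-CtrlAltDelRequired {
    [CmdletBinding()]
    param(
        # When set, reset DisableCAD to 0 (Ctrl+Alt+Del required) if it is 1.
        [switch]$Remediate
    )

    $path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $name = 'DisableCAD'

    # A missing value simply means the default (SAS required) is in effect,
    # so a lookup failure is not an error here.
    $item    = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    $current = if ($null -ne $item) { [int]($item.$name) } else { $null }
    $sasDisabled = ($current -eq 1)
    $remediated  = $false

    if ($sasDisabled -and $Remediate) {
        Set-ItemProperty -Path $path -Name $name -Value 0 -Type DWord
        $current     = 0
        $sasDisabled = $false
        $remediated  = $true
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        DisableCAD         = if ($null -eq $current) { 'not set (default)' } else { $current }
        CtrlAltDelRequired = -not $sasDisabled
        Remediated         = $remediated
    }
}

# Usage: audit only, or audit and fix.
Test-CtrlAltDelRequired
# Test-CtrlAltDelRequired -Remediate
```

On a domain-joined machine the GPO security option takes precedence over this local value, so treat the function as a check of local configuration drift on standalone machines or on machines where the policy is not applied, not as a report of the effective domain policy.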
- By clicking a user account on the Windows Welcome screen. This option is available only on Windows XP and can be used only to log on locally. I recommend not using the Welcome screen for logging on to standalone XP machines in enterprise environments.
- By requesting a secondary logon session using the runas command-line utility or by using Fast User Switching.
- By starting a connection to another machine using Terminal Services or Remote Desktop. Microsoft refers to these two logon types as “remote” interactive logon.
There are interactive logon scenarios in which the interaction between the user and the authentication server remains hidden. For example, you can save the username and password that you use to connect to a remote desktop computer, so you don’t have to retype them. Also, Windows allows you to automate the logon process at system startup by storing a username and password in the registry. This feature is known as autologon. In XP, autologon can be enabled from the GUI: simply select the “Users must enter a user name and password to use this computer” checkbox in the Windows XP User Accounts dialog box. To call the Windows XP User Accounts dialog box from the command line, type:
Look at the Microsoft article "How to turn on automatic logon in Windows" at http://support.microsoft.com/?id=324737 to learn how you can enable autologon from the system registry.
Table 1, below, lists the GPO settings you can use to control interactive logon in a Windows AD environment and their recommended values. All settings are located in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options GPO container.
AD stores a user’s last logon time in the LastLogon attribute of the AD user object. As with the logging of account logon events in the Windows Event Viewer, the last logon time is updated only in the AD replica of the DC that authenticated the user; the attribute is not replicated to other DCs. That is why you must query every DC in the domain where the user account is defined to find out the user’s most recent logon time.
In Windows Server 2003, Microsoft introduced a new AD user object attribute called LastLogonTimeStamp that resolves the LastLogon problem outlined above to a certain extent. LastLogonTimeStamp stores an approximate value of the user’s last logon time and, unlike LastLogon, is replicated to other DCs. The value is approximate because AD replicates it only once every 14 days to avoid replication overhead. So even though LastLogonTimeStamp doesn’t resolve the LastLogon problem completely, it at least gives administrators a way to discover inactive accounts that have not logged on in the last few weeks. The LastLogonTimeStamp attribute is activated only when the domain is switched to the Windows Server 2003 domain functional level. See the following Microsoft TechNet reference for more information: http://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlogon.mspx.
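The two preceding paragraphs describe why a single DC cannot answer the "last logon" question: LastLogon is per-DC and LastLogonTimeStamp is replicated but approximate. The following PowerShell function, added here as an example and not part of the original article, queries every DC in the current domain for a user's LastLogon, keeps the newest value, and returns the replicated LastLogonTimeStamp alongside it for comparison. It assumes the ActiveDirectory module (RSAT) on a domain-joined machine with read access to user objects on each DC; the function name is my own.

```powershell
# Added example; not part of the original article.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined machine and
# read access to user objects on every DC in the current domain.
Import-Module ActiveDirectory

function Get-UserLastLogon {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SamAccountName
    )

    $perDc  = @()
    $newest = $null
    $ts     = [int64]0

    # lastLogon is not replicated, so every DC in the domain must be asked.
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                            -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
        } catch {
            # A DC that is down must not silently hide a newer value: warn and go on.
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
            continue
        }

        # Both attributes are raw FILETIME integers; 0 (or absent) means "never".
        $raw = [int64]$u.lastLogon
        $t   = if ($raw -gt 0) { [DateTime]::FromFileTime($raw) } else { $null }

        $perDc += [pscustomobject]@{ DC = $dc.HostName; LastLogon = $t }
        if ($null -ne $t -and ($null -eq $newest -or $t -gt $newest)) { $newest = $t }

        # lastLogonTimestamp is replicated, so any DC's copy is as good as another's.
        $ts = [int64]$u.lastLogonTimestamp
    }

    $approx = if ($ts -gt 0) { [DateTime]::FromFileTime($ts) } else { $null }

    [pscustomobject]@{
        SamAccountName     = $SamAccountName
        LastLogon          = $newest   # newest non-replicated value across all DCs
        LastLogonTimestamp = $approx   # replicated value; may lag by up to 14 days
        QueriedDCs         = $perDc.Count
        PerDC              = $perDc
    }
}

# Usage (account name is a placeholder):
# $r = Get-UserLastLogon -SamAccountName 'jdoe'
# $r | Format-List
# $r.PerDC | Sort-Object LastLogon -Descending | Format-Table -AutoSize
```

If a DC is unreachable the result is incomplete, which is why the function warns rather than failing silently; for bulk stale-account discovery where a two-week error margin is acceptable, the replicated attribute via Search-ADAccount -AccountInactive -TimeSpan is the cheaper query.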
Table 1: Interactive Logon Related GPO Settings

| GPO Setting | Recommended Value | Meaning |
|---|---|---|
| Interactive logon: Do not display last user name | Enabled | Hides the last user name used for logon from the logon dialog box. |
| Interactive logon: Do not require Ctrl+Alt+Del | Disabled | When enabled, removes the Ctrl+Alt+Del requirement for calling the classic Windows logon dialog box. |
| Interactive logon: Message text for users attempting to log on | Enter a custom message for your environment | Sets the message in the dialog box that Windows displays when users use the SAS sequence. |
| Interactive logon: Message title for users attempting to log on | Enter a custom title for your environment | Sets the title of the dialog box that Windows displays when users use the SAS sequence. |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | Enable on laptops and desktops; disable on machines that don’t need it (DCs, member servers) | Enables credential caching and sets the number of credentials to cache. |
| Interactive logon: Prompt user to change password before expiration | Enable, 14 days | Informs users that their password is about to expire and must be changed; lets you set the number of days before the actual password expiry at which the user is informed. |
| Interactive logon: Require Domain Controller authentication to unlock workstation | Enable | Ensures that user credentials are validated against a DC when the user unlocks the Windows desktop. |
| Interactive logon: Require smart card | Depends on organization’s security requirements | Enforces use of a smart card for Windows logon. |
| Interactive logon: Smart card removal behavior | Depends on organization’s security requirements | Determines what happens when the smart card is removed from the reader. Possible settings are No action, Lock workstation, and Force logoff. |