
Policy to show logon failures does not work with RD-logons

Asked By Askesebrot
22-Jan-10 04:33 AM
Hi folks.

We recently applied the following policy:
Computer config - adm. templates - windows components - windows logon
options -  display information about previous logons during user logon

Basically, it works. Whenever we logon to a server (2008 R1 SP2) or
workstation (vista sp2), the logon screen shows the last successful logon and
the last logon failure. However, if we use RDP to logon, it only shows the
current logon attempt - it does not show logon failures even if we produce
some.

Now for the part that makes me believe it is simply a bug: If I take xp and
use RDP client 5.2 (and not 6 that ships with vista or 7 that you can
install), everything works as expected. I suspect the rdp client 6 and 7 use
a different way to authenticate that simply cannot work with this policy.

Consequence: that policy is useless. Attackers that use RDP will not get
noticed that way.

Feel free to reproduce.

Comments?


Paul Bergson [MVP-DS] replied to Askesebrot
22-Jan-10 08:35 AM
If you are on a DFL of Windows 2008 then you are correct, it sounds like it
should work.  I wonder if it has to do with the fact that you are using a
legacy client.  Are you on DFL 2008?  Read paragraph 3, how does this answer
work in to your environment?


This policy setting controls whether or not the system displays information
about previous logons and logon failures to the user.

For local user accounts and domain user accounts in Microsoft Windows
Server "Longhorn" functional level domains, if you enable this setting, a
message appears after the user logs on that displays the date and time of
the last successful logon by that user, the date and time of the last
unsuccessful logon attempted with that user name, and the number of
unsuccessful logons since the last successful logon by that user. This
message must be acknowledged by the user before the user is presented with
the Microsoft Windows desktop.

For domain user accounts in Windows Server 2003, Windows 2000 native, or
Windows 2000 mixed functional level domains, if you enable this setting, a
warning message will appear that Windows could not retrieve the information
and the user will not be able to log on. Therefore, you should not enable
this policy setting if the domain is not at the Windows Server "Longhorn"
domain functional level.

If you disable or do not configure this setting, messages about the previous
logon or logon failures are not displayed.



--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.


Askesebrot replied to Paul Bergson [MVP-DS]
22-Jan-10 09:22 AM
Hi Paul.

I am not on a legacy client. We are on vista sp2 with mstsc 6 or 7, both have
the same problem, the legacy client on xp with mstsc 5.2 does NOT have the
problem.
The DFC is of course 2008 because [as you quote yourself ;)]
"Windows 2000 mixed functional level domains, if you enable this setting, a
warning message will appear that Windows could not retrieve the information
and the user will not be able to log on"

Please try to reproduce it.

Kind regards
Askesebrot


Paul Bergson [MVP-DS] replied to Askesebrot
22-Jan-10 09:47 AM
I do not have a lab at this moment to bring in an RODC but I think I know
someone else who might.  I will ask them to take a look and see if they can
reproduce this.  Can't promise anything though.

Meinolf Weber [MVP-DS] replied to Askesebrot
23-Jan-10 02:18 PM
Hello Askesebrot,

I am working on it to reproduce your problem. On Windows server 2003 SP2
with RDC6.0.6000 installed it works, also on Windows server 2008 SP2 with
RDC6.0.6002. I can mail you some pictures with both working options shown.

Until next week when I am back in my office I cannot test with Windows XP,
Windows Vista and Windows 7 the version 6.1.7600, I am limited with the connection
to my test environment from home.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Paul Bergson [MVP-DS] replied to Paul Bergson [MVP-DS]
25-Jan-10 08:24 AM
Thanks for helping out Meinolf!

Meinolf Weber [MVP-DS] replied to Askesebrot
25-Jan-10 12:40 PM
Hello Askesebrot,

Also with RDC 7600 from Windows 7 and XP Pro Sp3 it works as expected and
shows it.

Best regards

Meinolf Weber
Askesebrot replied to Meinolf Weber [MVP-DS]
25-Jan-10 06:59 PM
Hi Meinolf. Thanks to you that you look after it.

I am sure we are not talking about the same thing, because for me it does
not work
-in our productive domain
-in my 2 test domains, one of those is a clean installation, no settings
made, 2008 SP2
-on a clean installed 2008 RTM (without AD)
The domains are of course at 2008 functional level.

Again: I am connecting from vista (or win7 or 2008) using the latest RDP
client 6.1.7600 but it is the same with 6.0.6002. It does not show logon
failures.
since your last interactive logon"
So tell me, what are you doing to make it work?

The only way I can make it work is use the legacy RDP 5.2.3790 - works
everywhere. Or of course login sitting at the machine- this works, too.
Askesebrot replied to Meinolf Weber [MVP-DS]
26-Jan-10 04:35 AM
OK, so we are indeed doing the same.
As it is happening with a clean installation of 2008 with absolutely no
settings made but that policy, it can only be a client-side-problem. But what
could it be? We do not use non-default rdp-settings, do you? Simply input the
server name, that is all, no further use of certificates, no vpn, no TS
gateway.
Also, as stated already in the first posting, not only logon failures are
missing, but also successful logons. The info screen only shows the current
successful logon time.
Where does this get logged and why should I lose the ability to log it when
I use RDP [and WHY could it work with the legacy client?] - very strange.
Askesebrot replied to Meinolf Weber [MVP-DS]
26-Jan-10 05:58 AM
Getting closer!
I am now able to reproduce the correct behavior! After providing wrong
credentials, I simply close the rdp client, reopen it and provide the correct
credentials - tada, it shows the last logon to be incorrect. Ain't that sweet?

Of course if I logoff and use the "standard" way, providing wrong creds, not
closing it and then correct creds, the problem returns immediately.
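Added example, not part of the thread and not written by any of the posters: the question "Where does this get logged" above, together with the last post showing that the failed attempt is on record server-side once the client is closed and reopened, suggests reading the previous-logon data directly from Active Directory instead of trusting what a particular RDP client chooses to display. The script below assumes the ActiveDirectory PowerShell module (RSAT) and a domain at Windows Server 2008 functional level with the policy enabled; the msDS-*InteractiveLogon* attribute names and the ActiveDirectory cmdlets are not mentioned in the thread and are assumptions of this example.

```powershell
# Added example (not from the thread). Reads the "previous logon" record that the
# "Display information about previous logons" policy shows on the logon screen,
# straight from the user object in AD, so a defender does not depend on the
# client-side display. Assumptions: ActiveDirectory module available, domain at
# 2008 DFL with the policy enabled (otherwise the msDS-* attributes stay empty).
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName
)

Import-Module ActiveDirectory

$attrs = @(
    'msDS-LastSuccessfulInteractiveLogonTime',
    'msDS-LastFailedInteractiveLogonTime',
    'msDS-FailedInteractiveLogonCount',
    'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon',
    'badPwdCount',
    'badPasswordTime'
)

# The time attributes are stored as 64-bit FILETIME integers; 0 or $null means
# "never recorded", so return $null rather than the year-1601 epoch.
function ConvertFrom-FileTime([object]$Value) {
    if ($null -eq $Value -or [int64]$Value -eq 0) { return $null }
    return [DateTime]::FromFileTime([int64]$Value)
}

$user = Get-ADUser -Identity $SamAccountName -Properties $attrs

# The "unsuccessful logons since the last successful logon" number that the
# policy displays is the difference between the two counters.
$failedSinceLastSuccess = [int]$user.'msDS-FailedInteractiveLogonCount' -
                          [int]$user.'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'

[pscustomobject]@{
    User                      = $user.SamAccountName
    LastSuccessfulInteractive = ConvertFrom-FileTime $user.'msDS-LastSuccessfulInteractiveLogonTime'
    LastFailedInteractive     = ConvertFrom-FileTime $user.'msDS-LastFailedInteractiveLogonTime'
    FailuresSinceLastSuccess  = $failedSinceLastSuccess
    # badPwdCount / badPasswordTime are kept per domain controller and are not
    # replicated, so these two values describe only the DC that answered.
    BadPwdCountOnThisDC       = $user.badPwdCount
    BadPasswordTimeOnThisDC   = ConvertFrom-FileTime $user.badPasswordTime
}
```

Run it as `.\Get-PreviousLogonInfo.ps1 -SamAccountName someuser` (file name chosen for this example) from a machine with RSAT. If the interactive-logon attributes come back empty while the logon screen does show data, the domain is not at the functional level the policy text in Paul's reply requires, or the policy is not applied to the computer the user logged on to.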