I enabled Display information about previous logons during user logon in Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options thinking that it would work on Server 08, setup for 03+ DC's, and I was wrong...

Now, whenever I try to logon to the server, I get "Security policies on this computer are set to display information about the last interactive logon. Windows could not retrieve this information. Please contact your network administrator for assistance."

Now, I since I have additional Domain Admins, I attempted to logon to a workstation (Vista) as a Domain Admin... Surprise, can't login there either. It's telling me my password is incorrect. I'm pretty sure I got it right, and have locked myself out a few times by checking my old passes...

Thankfully, this Domain isn't in use by any production clients, however I really want to save the work that I already have on this PDC (btw, it's not just a PDC, it has additional roles installed, as it isn't a production machine).

Is there any way I can save this machine?

Read this blog post please. This feature is supposed to work correctly only on 'Windows Server 2008' domain functional level.

Well, I think you should now do something to disable that policy. Then you will be able to log on to Vista normally. So you can do the following;

1. Log on to Vista workstation using a local acconut. (This is not required if you can reach one of your Domain Controllers directly).

2.Log onto any of your domain controllers using Termianl Services (Remote Desktop).

3. Edit the policy (disable setting), disable the entireGPO or just deleteits link.

4. Log offthe domain controller.

5. Do 'gpupdate /force' at your Vista workstation.

6. Log off Vista.

7. Log on using regular domain account should now succeed.

Good Luck. Please tell if this helps.

• Proposed as answer by Aaron DeMaster - RSIEH Thursday, March 01, 2012 7:27 PM

Hi,

I am a little unclear about this issue.

1. Would you please provide the topology of the forest? What the role of Windows Server 2008 server? An additional domain controller or a domain controller of another domain.

2. Where you enable the 'Display information about previous logons during user logon' setting? On the server's local computer policy or a domain group policy.

In Windows Server 2008 Domain Function Level domain, group policy setting 'Display information about previous logons during user logon' will be available as a new feature. It extend the Schema, add these attributes on the user account object.

msDS-FailedInteractiveLogonCount
msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon
msDS-LastFailedInteractiveLogonTime
msDS-LastSuccessfulInteractiveLogonTime

Once this setting is applied to the computers, only users that in the domain with Windows Server 2008 DFL can logon to these computers. It prevent users in the domains with Windows Server 2003 DFL to logon to the computers in Windows Server 2008 DFL domains.

You should disable this setting to enable the cross-domain interactive logon.

@ :

This Server does not have RDP enabled.

I can access it locally, however the Administrator account won't login and fails with the original error that I mentioned.

@ Miles Li MSFT:

1) The server is the only Domain Controller on the domain. There is only one domain in the forest. This is just a very simple testing network.

2) It was enabled in the Domain GPO.

Also, Windows XP workstations have no problem logging onto a domain account interactively.

OK, so there are no pre-08 domain controllers but there are some pre-Vista desktops. So you can use your XP workstation. Just log on there and install GPMC. Then you will be able to unlink the GPO that prevents you from logging on from Vista and Server 2008.

for that feature also se:

http://blogs.dirteam.com/blogs/jorge/archive/2008/02/11/showing-last-logon-info-at-logon-in-windows-server-2008.aspx

what you could do is force reboot the DC, or do a remote shutdown from some machine if possible

reboot the DC into Safe Mode with Networking (in this mode, GPOs are not applied to the DC)

logon with Domain Admin account

use the GPMC to disable that feature

I just ran into this problem as well. The Safe Mode boot and policy edit saved me. There REALLY should be some sort of check by the OS that displays a warning message (or better yet locks this policy out) if the server is not part of a 2008 level domain.

Have you ever resolved this?  I have tried the Safe Mode option, but GPMC does not seem to be an option.  Any additional help?


***EDIT***

After a couple of sleepless nights, I did finally get this resolved (before my coworkers returned to work).  This is how my solution was performed:

1.  Downloaded and installed GPMC for Windows XP and installed it on one of my XP workstations since it was not affected by the policy.
2.  Once GPMC was installed on the XP workstation, I started and GPMC and was able to see my domain wide group policies.
3.  I deleted the policy where I had enabled the "Display information about previous logons during user logon" policy.

• Proposed as answer by denwood Wednesday, January 06, 2010 3:58 AM

Thanks for the information - just saved my test network!

In XP GPMC you can simply disable the User and Computer policies if you don't want to delete the whole policy then once you can log back in just edit the “Display information about previous logons during user logon” in Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options and DISABLE it.

that worked for me and I could retain my GPOs.

 

_Chris

Thanks to you guys the following steps helped me

1. Make shure you have GPMC installed on a another server or workstation
2. Run gpedit.msc /gpcomputer:"192.168.1.6" (Name or IP of your server)
3. change the policy (see above)
4. rund cmd and type gpudate

• Edited by Samos 6 hours 26 minutes ago