Interactive Logon Tools and Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Interactive Logon Tools

The following tools are associated with interactive logon.

EventViewer.msc: Event Viewer

Category

Event Viewer is included as part of the Windows Server 2003, Windows 2000, and Windows XP operating systems.

Version compatibility

Event Viewer is supported for Windows Server 2003, Windows XP, and Windows 2000.

The Event Log service starts automatically when you start Windows. The Event Log is a compilation of system events. There are three Event Logs: an application log, a system log, and a security log. All users can view application and system logs. Only administrators can gain access to security logs.

By default, security logging is turned off. You can use Group Policy to enable security logging. The administrator can also set auditing policies in the registry that cause the system to halt when the security log is full.

The system and security logs will contain logon error codes and other events related to interactive logon and network authentication.

The following table lists the event IDs that relate to interactive logon.

Interactive Logon Events

Event ID Description

528

Successful logon.

529

Logon failure. Unknown user name or bad password.

530

Logon failure. Account logon time restriction violation.

531

Logon failure. The account is currently disabled.

532

Logon failure. The specified user account has expired.

533

Logon failure. The user is not allowed to log on at this computer.

534

Logon failure. The user has not been granted the requested logon type at this computer.

535

Logon failure. The specified account’s password has expired.

536

Logon failure. The NetLogon component is not active.

537

Logon failure. An unexpected error occurred during logon.

538

User logoff. This event is generated when the logoff process is complete. A logoff is considered complete when the associated logon session object is deleted, which occurs after all tokens associated with the logon session are closed. This can take an arbitrarily long time; this event should not be used to calculate the total logon duration. Instead, use event 551.

539

Logon failure. Account locked out.

540

Successful network logon.

541

IPSec security association established.

542

IPSec security association ended. Mode: Data Protection (Quick mode).

543

IPSec security association ended. Mode: Key Exchange (Main mode).

544

IPSec security association establishment failed because peer could not authenticate. The certificate trust could not be established.

545

IPSec peer authentication failed.

546

IPSec security association establishment failed because peer sent invalid proposal.

547

IPSec security association negotiation failed.

548

Logon failure. Domain security identifier (SID) is inconsistent. This event is generated when a user account from a trusted domain attempts to authenticate, but the domain SID does not match the SID stored in the Trusted Domain Object (TDO).

549

Logon failure. All SIDs were filtered out. During authentication across forests, SIDs corresponding to untrusted namespaces are filtered out. This event is generated when all SIDs are filtered. This event is generated on the Kerberos Key Distribution Center (KDC).

This event is not generated on Windows Server 2003.

550

Notification message that can indicate a possible denial-of-service attack.

551

User-initiated logoff. This event is generated when the user initiates the logoff process. When the logoff process is complete, event 538 is logged.

552

Successful logon. This event is generated when a user logs on with explicit credentials while already logged on as another user. This event is logged when using the RunAs tool.

553

Logon failure. This event is generated when an authentication package detects a replay attack.

Lusrmgr.msc: Local Users and Groups

Category

Local Users and Groups is included as part of the Windows Server 2003, Windows XP Professional, and Windows 2000 operating systems and is available in the Windows Server 2003 Administration Tools Pack (Adminpak.msi).

Version compatibility

Local Users and Groups is supported for administering local groups on Windows Server 2003, Windows XP Professional, and Windows 2000.

Local Users and Groups manages users and groups of users for your computer. You can create new users and groups, add users to groups, remove users from groups, disable user and group accounts, and reset passwords.

You might need to be logged on as an administrator or a member of the Administrators group to perform some tasks.

Secpol.msc: Local Security Policy

Category

Local Security Policy is included as part of the Windows Server 2003, Windows XP, and Windows 2000 operating system tools and is available in the Windows Server 2003 Administration Tools Pack.

Version compatibility

Local Security Policy is supported for Windows Server 2003 and Windows 2000.

You can set security settings for the local computer in Local Security Policy.

For more information about security policy settings specific to interactive logons, see the “Interactive Logon Group Policy Settings” section later in this topic.

Whoami

Category

Whoami is a command-line tool in Windows Server 2003. This tool is also included in the Windows 2000 Resource Kit.

Version compatibility

Whoami is supported for Windows Server 2003 and Windows 2000.

You can use whoami to display the complete contents of a user’s access token in the command window.

Whoami displays:

  • User name and SID.

  • Groups and their SIDs.

  • Privileges and their status (for example, enabled or disabled).

  • Logon ID.

For more information about whoami, see “Command Line References” in Tools and Settings Collection.

Interactive Logon Registry Entries

The following registry entries are associated with interactive logon.

The information here is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.

HKEY_LOCAL_MACHINE\SYSTEM\

The following registry entries are located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\.

Bounds

Registry Path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

Version

The Bounds registry setting is available in Windows Server 2003, Windows 2000, and Windows XP.

The Bounds entry specifies thresholds for managing the length of the kernel-mode Local Security Authority (LSA) audit queue. The audit queue stores kernel-mode events destined for the security log in Event Viewer.

The value of this entry is an 8-byte binary field. The value of the first four bytes specifies the maximum number of items that can be held in the audit queue (the upper bound). When the number of audits exceeds this value, the LSA discards all new audits until the number of audits remaining in the queue reaches the lower bound, as specified by the value of the last four bytes.

CrashOnAuditFall

Registry Path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

Version

The CrashOnAuditFall registry setting is available in Windows Server 2003, Windows 2000, and Windows XP.

The CrashOnAuditFall entry directs the system to halt when it cannot record new events in the security log in Event Viewer. This feature prevents unauthorized activities from occurring when they cannot be recorded in the security log.

The system also uses this entry to indicate that this feature has been triggered (a value of 2). When the value of this entry is 2, only members of the Administrators group can log on to the computer. This restricted state lets an Administrator log on to resolve the problem and to reset the value of this entry to 1.

Typically, the system cannot record security events because the security log in Event Viewer is full or because the internal queue to the log has reached the maximum established by the Bounds value.

This entry does not exist in the registry by default. You can add it by using the registry editor, Regedit.exe.

Everyoneincludesanonymous

Registry Path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

Version

The Everyoneincludesanonymous registry setting is available in Windows Server 2003, Windows 2000, and Windows XP.

The Everyoneincludesanonymous entry specifies whether the local Everyonegroup of users includes anonymous users. (The Everyone group is a generic group of users that includes all users.) Specifically, this entry determines whether the LSA includes the SID of the Everyone group in the security token of an anonymous user.

Kerberos

Registry Path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

Version

The Kerberos registry setting is available in Windows Server 2003, Windows 2000, and Windows XP.

The Kerberos subkey stores configuration data for the Kerberos version 5 (V5) authentication protocol in Windows Server 2003. The Kerberos V5 protocol is the primary security protocol for authentication within a domain. It verifies the identity of the user and the system.

MSV1_0

Registry Path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

Version

The MSV1_0 registry setting is available in Windows Server 2003, Windows 2000, and Windows XP.

The MSV1_0 subkey stores information about the computer’s security settings.

NoLMHash

Registry Path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

Version

The NoLMHash registry setting is available in Windows Server 2003, Windows 2000, and Windows XP.

The NoLMHash value specifies whether Security Accounts Manager (SAM) stores the LAN Manager (LM) hash of the user’s password. The LM hash of the user's password is required to authenticate down-level clients that cannot use NTLM or NTLM version 2 (NTLMv2) authentication.

The following table lists the possible settings for the NoLMHash value.

NoLMHash Settings

Value Meaning

0

SAM stores the message digest of the user's password.

1

SAM does not store the message digest of the user’s password.

NotificationPackages

Registry Path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

Version

The NotificationPackages registry setting is available in Windows Server 2003, Windows 2000, and Windows XP.

The NotificationPackages value specifies the dynamic-link libraries (DLLs) that are loaded or called when passwords are set or changed. This entry is often used to load libraries for services such as File and Print Services for NetWare.

You can use this entry to implement custom DLLs that specify alternate criteria for valid passwords, such as complex password rules. Notification packages that implement password verification are recommended for all primary and backup domain controllers (relevant for Windows NT 4.0 environments). You can also write a custom password filter to fulfill special security requirements.

RestrictAnonymous

Registry Path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

Version

The RestrictAnonymous registry setting is available in Windows Server 2003, Windows 2000, and Windows XP.

The RestrictAnonymous value restricts anonymous users from displaying lists of users and from viewing security permissions.

The following table lists the possible settings for the RestrictAnonymous value.

RestrictAnonymous Settings

Value Meaning

0

Disabled. Anonymous users are not restricted.

1

Enabled. Users who log on anonymously (a logon referred to as a null session connection) cannot display lists of domain user names or share names. Also, these users cannot view security permissions; they cannot use all of the features of Windows Explorer, Local Users and Groups, and other programs that enumerate users or shares.

2

Anonymous users have no access without explicit anonymous permissions.

This entry does not exist in the registry by default. You can add it by using the registry editor, Regedit.exe.

HKEY_LOCAL_MACHINE\SAM

The following registry entry is located under HKEY_LOCAL_MACHINE\SAM.

SAM

Registry Path

HKEY_LOCAL_MACHINE\

Version

The SAM registry setting is available in Windows Server 2003, Windows 2000, and Windows XP.

The SAM key contains information used by the SAM (Security Accounts Manager). Servers that are running Windows Server 2003 and are acting as domain controllers use this key to store user and group information pertaining to the directory service restore mode.

Domain controllers maintain user and group information in Active Directory to manage user security. However, Windows NT 4.0 and earlier, as well as Windows Server 2003-based computers that are not part of a Windows Server 2003 domain, use SAM. All of the data in this key is in binary form.

Note

The HKEY_LOCAL_MACHINE\Security\SAM subkey stores a duplicate of the information in this key. The information in the SAM subkey cannot be viewed by users of Windows XP Professional and should not be edited directly in Windows Server 2003. Do not alter or add entries in the SAM subkey. Doing so could prevent users from logging on to their computers or the domain, and it could require you to restore the entire system.

HKEY_CURRENT_USER\Software\

The following registry entries are located under HKEY_CURRENT_USER\Software\Windows NT\CurrentVersion\Winlogon\.

ReportDC

Registry path

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

Version

The ReportDC registry setting is available in Windows Server 2003, Windows 2000, and Windows XP.

The ReportDC value stores the user setting for the domain controller message. (The computer setting is stored in the value of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\ReportControllerMissing.)

This entry determines, in part, whether the system displays the following message when it cannot contact the domain controller that stores a user’s roaming user profile:

"A domain controller for your domain could not be contacted. You have been logged on using cached account information. Changes made to your profile since you last logged on might not be available."

This entry stores the setting of the Do not display this message again check box on the domain controller message dialog box. When the check box is selected, the system sets the value of this entry to 0.

The following table lists the possible settings for the ReportDC value.

ReportDC Settings

Value Meaning

0

Do not display the domain controller message. (The check box is selected.)

1 (or not in the registry)

Display the domain controller message. (The check box is cleared.)

Two registry entries manage the display of the domain controller message: ReportDC and ReportControllerMissing. The message is displayed only when both entries are set to their display setting, that is, when ReportDC is either set to 1 or does not appear in the registry and when ReportDomainControllerMissing appears in the registry with a value of TRUE. By default, the message is not displayed.

RunLogonScriptSync

Registry Path

HKEY_CURRENT_USER\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\

Version

The RunLogonScriptSync registry setting is available in Windows Server 2003, Windows 2000, and Windows XP.

The RunLogonScriptSync value specifies whether the system waits for the logon script to finish running before it starts Windows Explorer and creates the desktop.

The following table lists the possible settings for the RunLogonScriptSync value.

RunLogonScriptSync Settings

Value Meaning

0

The logon script and Windows Explorer can run simultaneously.

1

Windows Explorer does not start until the logon script has finished running.

This entry can be superceded by Group Policy settings included in Windows Server 2003. When the Run logon scripts synchronously Group Policy setting is enabled (in the Computer Configuration or User Configuration policy folders), the system ignores this entry. The configuration of the Run logon scripts synchronously policy setting is stored in the values of RunLogonScriptSync in HKEY_LOCAL_MACHINE and of RunLogonScriptSync in HKEY_CURRENT_USER.

HKEY_LOCAL_MACHINE\SOFTWARE\

The following registry entries are located under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\.

AutoRestartShell

Registry Path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

Version

The AutoRestartShell registry setting is available in Windows Server 2003, Windows 2000, and Windows XP.

The AutoRestartShell entry specifies whether the Windows user interface (typically, Explorer.exe) restarts automatically if it stops unexpectedly.

CachePrimary

Registry Path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

Version

The CachePrimary registry setting appears in Windows Server 2003, Windows 2000, and Windows XP.

Windows Server 2003 does not use this entry. The entry remains in the registry to support programs designed for Windows NT 4.0 and earlier.

Note

Do not delete this entry from the registry or change its value. These changes can cause serious, unexpected results.

DCacheUpdate

Registry Path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

Version

The DCacheUpdate registry setting is available in Windows Server 2003, Windows 2000, and Windows XP.

The DCacheUpdate entry stores domain names in binary form for internal Winlogon programming code to use.

Note

Winlogon stores the value of this entry for its own use. Do not delete this entry or change its value. If you do, Windows Server 2003 might not operate properly.

DefaultDomainName

Registry Path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

Version

The DefaultDomainName registry setting is available in Windows Server 2003, Windows 2000, and Windows XP.

The DefaultDomainName entry stores the name of the domain to which the user most recently logged on successfully. The value of this entry appears in the Log On to Windows dialog box generated by the Graphical Identification and Authentication (GINA) DLL the next time the dialog box is displayed.

DefaultUserName

Registry Path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

Version

The DefaultUserName registry setting is available in Windows Server 2003, Windows 2000, and Windows XP.

The DefaultUserName entry stores the last user name entered in the Log On to Windows dialog box generated by the GINA. The value of this entry appears in the dialog box the next time it is displayed. It is also used in automated logons and unattended setup.

DontDisplayLastUserName

Registry Path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

Version

The DontDisplayLastUserName registry setting is available in Windows Server 2003, Windows 2000, and Windows XP.

The DontDisplayLastUserName entry specifies whether a user name appears in the Log On to Windowsdialog box generated by the GINA.

By default, Windows Server 2003 displays the user name of the last user who logged on successfully (as stored in the value of DefaultUserName) in the dialog box. If the value of this entry is 1, then the User name box in the Log On to Windows dialog box is blank.

RunLogonScriptSync

Registry Path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

Version

The RunLogonScriptSync registry setting is available in Windows Server 2003, Windows 2000, and Windows XP.

The RunLogonScriptSync entry specifies whether the system waits for the logon script to finish running before it starts Windows Explorer and creates the desktop.

This entry does not exist in the registry by default. You can add it by using the registry editor, Regedit.exe.

ScreenSaverGracePeriod

Registry Path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

Version

The ScreenSaverGracePeriod registry setting is available in Windows Server 2003, Windows 2000, and Windows XP.

The ScreenSaverGracePeriod entry specifies when password protection of a screen saver becomes effective. This entry specifies the delay between the appearance of a password-protected screen saver and the enforcement of the password requirement.

Password protection of a screen saver is not effective immediately. By default, a brief period elapses within which the user can use the mouse or the keyboard to stop the screen saver without entering the password. This delay is designed to minimize the disruption that results when the screen saver starts while the user is working.

You can add this entry to the registry to adjust the length of the delay. To make password protection effective immediately, set the value of this entry to 0x0.

This entry does not exist in the registry by default. You can add it by using the registry editor, Regedit.exe.

Shell

Registry Path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

Version

The Shell registry setting is available in Windows Server 2003, Windows 2000, and Windows XP.

The Shell entry specifies the programs that provide the user interface to the operating system.

By default, Winlogon starts the programs specified in the value of Userinit, including Userinit.exe. Userinit.exe starts the user interface program. However, if Winlogon cannot start the programs specified in the value of Userinit, then Winlogon directly runs the programs specified in the value of this entry.

ShowLogonOptions

Registry Path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

Version

The ShowLogonOptions registry setting is available in Windows Server 2003, Windows 2000, and Windows XP.

The ShowLogonOptions specifies whether logon options are displayed in the Log on to Windows dialog box when the dialog box opens.

The Log on to Windows dialog box has an Options button that alternately hides and displays the Domain box and the Log on using dial-up connection options.

Welcome

Registry Path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

Version

The Welcome registry setting is available in Windows Server 2003, Windows 2000, and Windows XP.

The Welcome entry specifies the text that appears in the caption bar beside the title of the Log On to Windows, Windows Security, Computer Locked, and Unlock Computer dialog boxes.

This entry does not exist in the registry by default. You can add it by using the registry editor, Regedit.exe.

Interactive Logon Group Policy Settings

The following table lists and describes the Group Policy settings that are associated with Logon.

Group Policy Settings Associated with Interactive Logon

Group Policy Setting Description

Password Policy:

  • Enforce password history

  • Maximum password age

  • Minimum password age

  • Minimum password length

  • Password must meet complexity requirements

  • Store password using reversible encryption for all users in the domain

Changes to the Password Policy settings control:

The strength and complexity required of every user’s password

Audit Policy:

  • Audit account logon events

  • Audit account management

  • Audit logon events

Changes to the Audit Policy settings control:

  • Auditing of logons and logoffs

  • Auditing of password and permissions changes

User Rights Assignment:

  • Access the computer from the network

  • Deny logon as a batch job

  • Deny logon as a service

  • Deny logon locally

  • Deny logon through terminal services

  • Logon as a batch job

  • Logon as a service

  • Logon locally

Changes to the User Rights Assignment settings control:

  • Which users are allowed or disallowed to log on to perform different tasks, including logging on as a batch job and a service

  • Which users are allowed or disallowed to log on locally or through Terminal Services, as well as who can access the computer from the network

Security Options:

  • Accounts: Limit local accounts use of blank passwords to console logon only

  • Domain member: Maximum machine account password age

  • Domain member: Require strong (in Windows 2000 or later) session key

  • Interactive logon: Do not display last user name

  • Interactive logon: Do not require CTRL+ALT+DEL

  • Interactive logon: Message Text for users attempting to log on

  • Interactive logon: Message title for users attempting to log on

  • Interactive logon: Number of previous logons to cache (in case the domain controller is not available)

  • Interactive logon: Require domain controller authentication to unlock workstation

  • Interactive logon: Smart card removal behavior

  • Recovery console: Allow automatic administrative logon

  • Shutdown: Allow system to be shut down without having to log on

Changes to the Security Options settings control:

  • Message text and title displayed by the GINA during an interactive logon

  • Domain member settings

  • Authentication settings, including allowing or disallowing blank passwords and password age

For more information about Group Policy settings, see the "Group Policy Settings Reference for Windows Server 2003" in Tools and Settings Collection.

Interactive Logon WMI Classes

The following table lists the WMI classes that are associated with interactive logon.

WMI Classes Associated with Interactive Logon

Class Name Namespace Version Compatibility

Win32_LogonSession

\root\cimv2

Windows Server 2003

Windows XP

Win32_LogonSessionMappedDisk

\root\cimv2

Windows Server 2003

Windows XP

For more information about these WMI classes, see the WMI SDK documentation on MSDN.

Network Ports Used by Interactive Logon

Because the logon process can be deployed across various network boundaries, it can span one or more firewalls. The following table lists the three main configurable ports used by interactive logon.

Port Assignments for Interactive Logon

Service Name UDP TCP

LSA RPC port

Dynamic RPC

Dynamic RPC

Kerberos V5 port

88

88

NTLM port

Dynamic

Dynamic

You can use the Registry Editor tool to modify the registry to apply fixed ports for NTLM and the LSA.

The following resources contain additional information that is relevant to this section.