Logon history display

Posted on 2006-06-29
Last Modified: 2013-12-04

I am the Sys. Admin for a US Military unit. "The Powers that be" have mandated some changes to our configuration and some of the solutions to their requirements elude me. I need to know how, if possible, to do the following. References would be greatly appreciated for the requirements that cannot be fulfilled.

1) Enforce different password lengths for users and administrators.
2) Increase the requirements for special characters used in passwords (i.e. 2 capital letters, 2 numbers and 2 special characters), beyond that already required when "Password must meet complexity requirements" is enabled in the Default Domain Policy.
3) Upon successful login have a pop up display the last successful login by that user and all unsuccessful attempts since then.

I thank you in advance for your help.

Question by:mack6565

Expert Comment

ID: 17015495
Here's a good link to start with:

Also, there are some good articles here:

Re. passwords, I think it is better to have long passwords and not worry so much about complexity, as long as simple names and dictionary words are avoided.

Author Comment

ID: 17015526
Here is a bit of amplifying information.

1) Our Domain here is a Windows 2000 Native domain. One Forest with one domain.
2) All Windows 2000 workstations.
3) We already enforce the use of strong passwords.

I did not come up with these requirements, some people with a lot more seniority did. It seems as if they sat around a table and came up with these requirements, but never asked anyone with Systems experience if these new security measures are a good idea or if they are even able to be implemented.

Thank you.

Expert Comment

by:Rich Rumble
ID: 17019515
Where would you like the pop-up? On the PC the current user is logging into, or on an administrator's machine? You can easily do this sort of activity with a tool like Snare or GFI's SELM:
You can receive email reports or alerts, depending on how you configure the devices. They also keep a copy of the Event logs, so if someone were to erase their logs you may still have a backup copy using those tools. If it has an event associated with it, those two tools can alert you to it. Typically you want to increase the level of logging on machines and servers; the default logging is minimal on M$ by default.

As for a pop-up, you could use various scripts to do this, here is an example:
Scripts like that can easily be modified to send a pop-up.

Event log GP

Strong Password GP

Accepted Solution

Chatable earned 500 total points
ID: 17023466
You can define your own password policy for Windows if you have some programming knowledge. You will need to create a "password filter" DLL file. This file contains the actual code that runs when a user attempts to change passwords and the "Passwords must meet complexity requirements" policy is on. In other words, it allows you to define your own complexity settings.

So what do you need to do? You need to create a DLL file which exports the following functions:

BOOLEAN __stdcall InitializeChangeNotify(void);
This function will be called a single time when the computer boots - If you need to do any initialization stuff, do it here and return true (return false on error). If you don't have any initialization stuff, just return true.

BOOLEAN __stdcall PasswordFilter(
  PUNICODE_STRING AccountName,
  PUNICODE_STRING FullName,
  PUNICODE_STRING Password,
  BOOLEAN SetOperation
);
This is the real interesting function. It will be called whenever a user attempts to change his/her password. The parameter "AccountName" contains the username of the account whose password is being changed. If you want to set different policies for users and administrators, you can check if this user is an administrator and act accordingly. "FullName" contains the full name record for the user (not really interesting), "Password" contains the new password - This is the string you should check for your desired complexity requirements. SetOperation will be TRUE if an administrator is resetting the password (rather than a user changing his/her own password).
If the new password is acceptable according to your policy, return true. If not, return false. That would reject the new password and display a message to the user that the password is not strong enough. Unfortunately I don't know any method to change this message (so it can explain what the password policy is) so you should make sure all your users already know what is the password policy.

NTSTATUS __stdcall PasswordChangeNotify(
  PUNICODE_STRING UserName,
  ULONG RelativeId,
  PUNICODE_STRING NewPassword
);
This function will be called once the password has changed. This one is needed because Windows allows you to install multiple password filters and *all* filters must accept the new password before the system sets it as the new one. In other words, even if you've accepted the new password (through the PasswordFilter function) it doesn't mean it has been accepted by the system because another password filter may have rejected it. When this function is called, it notifies you that all filters have accepted the new password, and that the password had actually changed.

Once you've created your DLL file, install it by copying it to the system32 folder and editing the key:
Modify the "Notification Packages" value, which is of type REG_MULTI_SZ. It should contain "scecli" - That's the default password filter (it checks for a single letter from at least 3 of the character groups). Just add the name of your DLL file (no need for the ".dll" extension) as a new string (or replace the existing one if you don't want it). You can create a startup script that will install the new filter on all computers in your domain. Then simply enable the "Passwords must meet complexity requirements" policy and that's it.

For more information visit:
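
A sketch of the filter described in the accepted answer, applied to the question's requirements 1 and 2; this is an added example, not code from the answer's author or from Microsoft's sample. Assumptions: the minimum lengths (9 and 15), the "adm-" account-naming convention used to tell administrators from users, and the helper names `is_admin_name` and `password_meets_policy` are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define MIN_LEN_USER   9   /* assumed value, not from the page */
#define MIN_LEN_ADMIN 15   /* assumed value, not from the page */

/* Hypothetical site convention: administrator accounts are named "adm-...". */
int is_admin_name(const uint16_t *name, size_t nchars)
{
    static const char prefix[] = "adm-";
    if (name == NULL || nchars < 4) return 0;
    for (size_t i = 0; i < 4; i++) {
        uint16_t c = name[i];
        if (c >= 'A' && c <= 'Z') c += 'a' - 'A';   /* case-insensitive compare */
        if (c != (uint16_t)prefix[i]) return 0;
    }
    return 1;
}

/* pw is a counted UTF-16 buffer; only printable ASCII punctuation counts as special. */
int password_meets_policy(const uint16_t *pw, size_t nchars, int is_admin)
{
    size_t upper = 0, digit = 0, special = 0;
    if (!pw || nchars < (size_t)(is_admin ? MIN_LEN_ADMIN : MIN_LEN_USER)) return 0;
    for (size_t i = 0; i < nchars; i++) {
        uint16_t c = pw[i];
        if (c >= 'A' && c <= 'Z') upper++;
        else if (c >= '0' && c <= '9') digit++;
        else if (c > 0x20 && c < 0x7f && !(c >= 'a' && c <= 'z')) special++;
    }
    return upper >= 2 && digit >= 2 && special >= 2;   /* requirement 2 from the question */
}

#ifdef _WIN32   /* DLL exports; the names must be exported undecorated (e.g. via a .def file) */
#include <windows.h>
#include <ntsecapi.h>
BOOLEAN __stdcall InitializeChangeNotify(void) { return TRUE; }
BOOLEAN __stdcall PasswordFilter(PUNICODE_STRING AccountName, PUNICODE_STRING FullName,
                                 PUNICODE_STRING Password, BOOLEAN SetOperation)
{
    (void)FullName; (void)SetOperation;
    /* Length is in bytes and Buffer is not NUL-terminated, so pass explicit counts. */
    return (BOOLEAN)password_meets_policy((const uint16_t *)Password->Buffer,
        Password->Length / sizeof(WCHAR),
        is_admin_name((const uint16_t *)AccountName->Buffer, AccountName->Length / sizeof(WCHAR)));
}
/* Nothing to do after the change; the new password is never logged or stored. */
NTSTATUS __stdcall PasswordChangeNotify(PUNICODE_STRING UserName, ULONG RelativeId,
                                        PUNICODE_STRING NewPassword)
{ (void)UserName; (void)RelativeId; (void)NewPassword; return 0; /* STATUS_SUCCESS */ }
#endif
```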
