Logon history display


I am the Sys. Admin for a US Military unit. "The Powers that be" have mandated some changes to our configuration and some of the solutions to their requirements elude me. I need to know how, if possible, to do the following. References would be greatly appreciated for the requirements that cannot be fulfilled.

1) Enforce different password lengths for users and administrators.
2) Increase the requirements for special characters used in passwords (i.e. 2 capital letters, 2 numbers and 2 special characters), beyond that already required when "Password must meet complexity requirements" is enabled in the Default Domain Policy.
3) Upon successful login have a pop up display the last successful login by that user and all unsuccessful attempts since then.

I thank you in advance for your help.

Chatable Commented:
You can define your own password policy for Windows if you have some programming knowledge. You will need to create a "password filter" DLL file. This file contains the actual code that runs when a user attempts to change passwords and the "Passwords must meet complexity requirements" policy is on. In other words, it allows you to define your own complexity settings.

So what do you need to do? You need to create a DLL file which exports the following functions:

BOOLEAN __stdcall InitializeChangeNotify(void);
This function will be called a single time when the computer boots - If you need to do any initialization stuff, do it here and return true (return false on error). If you don't have any initialization stuff, just return true.

BOOLEAN __stdcall PasswordFilter(
  PUNICODE_STRING AccountName,
  PUNICODE_STRING FullName,
  PUNICODE_STRING Password,
  BOOLEAN SetOperation
);
This is the real interesting function. It will be called whenever a user attempts to change his/her password. The parameter "AccountName" contains the username of the account whose password is being changed. If you want to set different policies for users and administrators, you can check if this user is an administrator and act accordingly. "FullName" contains the full name record for the user (not really interesting), "Password" contains the new password - This is the string you should check for your desired complexity requirements. SetOperation will be TRUE if an administrator is resetting the password (rather than a user changing his/her own password).
If the new password is acceptable according to your policy, return true. If not, return false. That would reject the new password and display a message to the user that the password is not strong enough. Unfortunately I don't know any method to change this message (so it can explain what the password policy is) so you should make sure all your users already know what is the password policy.

NTSTATUS __stdcall PasswordChangeNotify(
  PUNICODE_STRING UserName,
  ULONG RelativeId,
  PUNICODE_STRING NewPassword
);
This function will be called once the password has changed. This one is needed because Windows allows you to install multiple password filters and *all* filters must accept the new password before the system sets it as the new one. In other words, even if you've accepted the new password (through the PasswordFilter function) it doesn't mean it has been accepted by the system because another password filter may have rejected it. When this function is called, it notifies you that all filters have accepted the new password, that is, that the password has actually changed.

Once you've created your DLL file, install it by copying it to the system32 folder and editing the key:
Modify the "Notification Packages" value, which is of type REG_MULTI_SZ. It should contain "scecli" - That's the default password filter (it checks for a single letter from at least 3 of the character groups). Just add the name of your DLL file (no need for the ".dll" extension) as a new string (or replace the existing one if you don't want it). You can create a startup script that will install the new filter on all computers in your domain. Then simply enable the "Passwords must meet complexity requirements" policy and that's it.

For more information visit:
Here's a good link to start with:


Also, there are some good articles here:


Re. passwords, I think it is better to have long passwords and not worry so much about complexity, as long as simple names and dictionary words are avoided.
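As an added illustration (not Chatable's code and not Microsoft's sample), here is the shape of a password filter that implements the asker's rule 2 (two capitals, two digits, two special characters) together with a separate minimum length for administrators (rule 1). The two length values and the is_admin placeholder are assumptions; the thread gives no numbers and no way of resolving group membership.

```c
#include <wchar.h>
#include <wctype.h>
/* Assumed policy numbers; the thread names no specific lengths. */
#define MIN_LEN_USER  8
#define MIN_LEN_ADMIN 15

/* Core check: >= 2 upper-case letters, >= 2 digits, >= 2 non-alphanumerics,
   plus a minimum length that depends on whether the account is privileged.
   Takes a counted buffer because PasswordFilter receives a UNICODE_STRING,
   which is not NUL-terminated. Returns 1 if the password is acceptable. */
int password_meets_policy(const wchar_t *pw, size_t len, int is_admin)
{
    size_t upper = 0, digit = 0, special = 0, i;
    if (len < (size_t)(is_admin ? MIN_LEN_ADMIN : MIN_LEN_USER))
        return 0;
    for (i = 0; i < len; i++) {
        wint_t c = (wint_t)pw[i];
        if (iswupper(c))        upper++;
        else if (iswdigit(c))   digit++;
        else if (!iswalnum(c))  special++;   /* punctuation, symbols, space */
    }
    return upper >= 2 && digit >= 2 && special >= 2;
}

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>   /* PUNICODE_STRING, NTSTATUS */

/* The three exports LSA resolves in a notification package. is_admin is a
   placeholder: a real filter would map AccountName to its group membership. */
__declspec(dllexport) BOOLEAN __stdcall InitializeChangeNotify(void) { return TRUE; }

__declspec(dllexport) BOOLEAN __stdcall PasswordFilter(
    PUNICODE_STRING AccountName, PUNICODE_STRING FullName,
    PUNICODE_STRING Password, BOOLEAN SetOperation)
{
    int is_admin = 0;  /* placeholder, see above */
    (void)AccountName; (void)FullName; (void)SetOperation;
    /* UNICODE_STRING.Length is a byte count, not a character count */
    return password_meets_policy(Password->Buffer,
                                 Password->Length / sizeof(WCHAR), is_admin) ? TRUE : FALSE;
}

__declspec(dllexport) NTSTATUS __stdcall PasswordChangeNotify(
    PUNICODE_STRING UserName, ULONG RelativeId, PUNICODE_STRING NewPassword)
{
    (void)UserName; (void)RelativeId; (void)NewPassword;   /* never log NewPassword */
    return 0;  /* STATUS_SUCCESS */
}
#endif
```

When built as a 32-bit DLL the __stdcall exports need undecorated names (a .def file), otherwise LSA will not find them and the filter silently does nothing.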
mack6565 (Author) Commented:
Here is a bit of amplifying information.

1) Our Domain here is a Windows 2000 Native domain. One Forest with one domain.
2) All Windows 2000 workstations.
3) We already enforce the use of strong passwords.

I did not come up with these requirements, some people with a lot more seniority did. It seems as if they sat around a table and came up with these requirements, but never asked anyone with Systems experience if these new security measures are a good idea or if they are even able to be implemented.

Thank you.
Rich Rumble Commented:
Where would you like the pop-up? On the pc the current user is logging into, or to an administrator's machine? You can easily do this sort of activity with tools like Snare or Gfi's SELM: http://www.intersectalliance.com/projects/SnareWindows/  http://www.gfi.com/lanselm/
You can receive email reports, or alerts depending on how you configure the devices. They also keep a copy of the Event logs, so if someone were to erase their logs you may still have a back up copy using those tools. If it has an event associated with it, those two tools can alert you to it. Typically you want to increase the level of logging on machines and servers, the default logging is minimal on M$ by default.

As for a pop-up, you could use various scripts to do this, here is an example:  http://www.microsoft.com/technet/scriptcenter/resources/qanda/jan05/hey0126.mspx
Scripts like that can easily be modified to send a pop-up.  http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx

Event log GP

Strong Password GP