What is Interactive Logon?

Similar Messages

• RSOP: Interactive logon: Prompt user to change password before expiration

  Hi,
  I am trying to implement a GPO so that users are prompted to change their password 5 days before it expires. I have done this via -
  Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Enabled
  Interactive Logon: Prompt user to change password before expiration
  Despite doing the above the GPO does not seem to be taking effect. I have run RSOP on my machine and a few users machines and can see that there is a red circle with an X next to
  Interactive Logon: Prompt user to change password before expiration.
  Below is my winlogon.log file but I am not really sure what I am supposed to be looking for. Can anyone help?
  Make a local copy of \\**************.co.uk\sysvol\**************.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkSite GPO_INFO_FLAG_BACKGROUND )
  Make a local copy of \\**************.co.uk\sysvol\**************.co.uk\Policies\{91EDC47D-AACF-4DFE-B044-5D29500CECBE}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
  Make a local copy of \\**************.co.uk\SysVol\**************.co.uk\Policies\{DDE2DDB7-9802-415B-819E-1ADA496DC3E6}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
  Make a local copy of \\**************.co.uk\sysvol\**************.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
  Make a local copy of \\**************.co.uk\SysVol\**************.co.uk\Policies\{6422C1A4-D958-4F4B-A8AA-EBACC567BD19}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
  No template is defined in GPO \\**************.co.uk\SysVol\**************.co.uk\Policies\{43F654AA-56D5-4F2C-B357-1AFEE03D37F2}\Machine.
  Process GP template gpt00000.inf.
  This is not the last GPO.
  08 March 2015 23:06:35
  Copy undo values to the merged policy.
  ----Un-initialize configuration engine...
  Process GP template gpt00001.dom.
  This is not the last GPO.
  08 March 2015 23:06:36
  ----Un-initialize configuration engine...
  Process GP template gpt00002.dom.
  This is not the last GPO.
  08 March 2015 23:06:36
  ----Un-initialize configuration engine...
  Process GP template gpt00003.dom.
  This is not the last GPO.
  08 March 2015 23:06:36
  ----Un-initialize configuration engine...
  Process GP template gpt00004.inf.
  08 March 2015 23:06:36
  ----Configuration engine was initialized successfully.----
  ----Reading Configuration Template info...
  ----Configure User Rights...
  Configure S-1-5-32-544.
  Configure S-1-5-21-778002760-1239436532-1307212239-1002.
  Configure S-1-5-21-778002760-1239436532-1307212239-1016.
  Configure S-1-5-21-778002760-1239436532-1307212239-4078.
  Configure S-1-5-21-778002760-1239436532-1307212239-512.
  Configure S-1-5-21-778002760-1239436532-1307212239-500.
  Configure S-1-5-21-778002760-1239436532-1307212239-513.
  User Rights configuration was completed successfully.
  ----Configure Group Membership...
  Configure **************\Local Admins for Users.
  old memberof tattoo list: *S-1-5-32-555,*S-1-5-32-544,
  object already member of Administrators.
  object already member of Remote Desktop Users.
  new memberof tattoo list: *S-1-5-32-555,*S-1-5-32-544,
  Group Membership configuration was completed successfully.
  ----Configure Security Policy...
  Configure password information.
  Configure account force logoff information.
  System Access configuration was completed successfully.
  Configure machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning.
  Configure machine\software\microsoft\windows\currentversion\policies\system\enableinstallerdetection.
  Configuration of Registry Values was completed successfully.
  Audit/Log configuration was completed successfully.
  ----Configure available attachment engines...
  Configuration of attachment engines was completed successfully.
  ----Un-initialize configuration engine...
  this is the last GPO.
  Make a local copy of \\**************.co.uk\sysvol\**************.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkSite GPO_INFO_FLAG_BACKGROUND )
  Make a local copy of \\**************.co.uk\sysvol\**************.co.uk\Policies\{91EDC47D-AACF-4DFE-B044-5D29500CECBE}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
  Make a local copy of \\**************.co.uk\SysVol\**************.co.uk\Policies\{DDE2DDB7-9802-415B-819E-1ADA496DC3E6}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
  Make a local copy of \\**************.co.uk\sysvol\**************.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
  Make a local copy of \\**************.co.uk\SysVol\**************.co.uk\Policies\{6422C1A4-D958-4F4B-A8AA-EBACC567BD19}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
  No template is defined in GPO \\**************.co.uk\SysVol\**************.co.uk\Policies\{43F654AA-56D5-4F2C-B357-1AFEE03D37F2}\Machine.
  Process GP template gpt00000.inf.
  This is not the last GPO.
  09 March 2015 16:26:51
  Copy undo values to the merged policy.
  ----Un-initialize configuration engine...
  Process GP template gpt00001.dom.
  This is not the last GPO.
  09 March 2015 16:26:51
  ----Un-initialize configuration engine...
  Process GP template gpt00002.dom.
  This is not the last GPO.
  09 March 2015 16:26:51
  ----Un-initialize configuration engine...
  Process GP template gpt00003.dom.
  This is not the last GPO.
  09 March 2015 16:26:51
  ----Un-initialize configuration engine...
  Process GP template gpt00004.inf.
  09 March 2015 16:26:51
  ----Configuration engine was initialized successfully.----
  ----Reading Configuration Template info...
  ----Configure User Rights...
  Configure S-1-5-32-544.
  Configure S-1-5-21-778002760-1239436532-1307212239-1002.
  Configure S-1-5-21-778002760-1239436532-1307212239-1016.
  Configure S-1-5-21-778002760-1239436532-1307212239-4078.
  Configure S-1-5-21-778002760-1239436532-1307212239-512.
  Configure S-1-5-21-778002760-1239436532-1307212239-500.
  Configure S-1-5-21-778002760-1239436532-1307212239-513.
  User Rights configuration was completed successfully.
  ----Configure Group Membership...
  Configure **************\Local Admins for Users.
  old memberof tattoo list: *S-1-5-32-555,*S-1-5-32-544,
  object already member of Administrators.
  object already member of Remote Desktop Users.
  new memberof tattoo list: *S-1-5-32-555,*S-1-5-32-544,
  Group Membership configuration was completed successfully.
  ----Configure Security Policy...
  Configure password information.
  Configure account force logoff information.
  System Access configuration was completed successfully.
  Configure machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning.
  Configure machine\software\microsoft\windows\currentversion\policies\system\enableinstallerdetection.
  Configuration of Registry Values was completed successfully.
  Audit/Log configuration was completed successfully.
  ----Configure available attachment engines...
  Configuration of attachment engines was completed successfully.
  ----Un-initialize configuration engine...
  this is the last GPO.
  Jeet S

  ******UPDATE******
  I think I have managed to get this working. I changed the source of the policy to a different GPO. I then did the following -
  From a command prompt run gpupdate (without the force parameter)
  Ran rsop.msc and checked the policy and this time there was no red circle with an X
  Have done the same on a few users machines and it appears to apply successfully. I say this because when you go into the properties for the policy you see the following -
  The policy XYZ was correctly applied
  Just have to wait and see if it actually does what it says on the can.
  Jeet S

• Smart card required for interactive logon

  Hi ,
  what is the meaning of these in AD. These options are available in user properties in the Account TAb.
  1-Smart card required for interactive logon.
  2-Account is trusted for delegation
  3-Account is senstive cant be delegated
  4-Use kerberos DES
  5-Dont Require Kerberos
  Regards
  Anil

  Hello,
  You will have to logon to domain using a Smart Card. Interactive logon: Require smart card
  Allows a service running under this account to perform operations on behalf of other user accounts on the network. A service running under a user account (otherwise known as a service account) that is trusted for delegation can impersonate a client to gain
  access to resources on the computer where the service is running or to resources on other computers
  You can use this option if the account, for example a Guest or temporary account, cannot be assigned for delegation by another account.
  Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption.
  Provides support for alternative implementations of the Kerberos protocol.
  For a full explanation refer to below links:
  Understanding User Accounts
  Delegating authentication
  Regards.
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?

• What is interactive report , difference bet interactive and classic report

  what is interactive report , difference bet interactive and classic report

  Hi
  Check this thread to get more idea about ALVs.
  Interactive ALV
  DIRLL DOWN AND INTERACTIVE REPORT
  http://www.sap-img.com/abap/difference-between-drilldown-report-and-interactive-report.htm
  As the name suggests, the user can Interact with the report. We can have a drill down into the report data. For example, Column one of the report displays the material numbers, and the user feels that he needs some more specific data about the vendor for that material, he can HIDE that data under those material numbers.
  And when the user clicks the material number, another report (actually sub report/secondary list) which displays the vendor details will be displayed.
  We can have a basic list (number starts from 0) and 20 secondary lists (1 to 21).
  Events associated with Interactive Reports are:
  AT LINE-SELECTION
  AT USER-COMMAND
  AT PF<key>
  TOP-OF-PAGE DURING LINE-SELECTION.
  HIDE statement holds the data to be displayed in the secondary list.
  sy-lisel : contains data of the selected line.
  sy-lsind : contains the level of report (from 0 to 21)
  Interactive Report Events:
  AT LINE-SELECTION : This Event triggers when we double click a line on the list, when the event is triggered a new sublist is going to be generated. Under this event what ever the statements that are been return will be displayed on newly generated sublist.
  AT PFn: For predefined function keys...
  AT USER-COMMAND : It provides user functions keys.
  TOP-OF-PAGE DURING LINE-SELECTION :top of page event for secondary list.
  http://abapprogramming.blogspot.com/search/label/INTERACTIVE%20REPORT%20BASICS

• Is their a way to log whether interactive logons have taken place

  Hi Gurus,
  We need to change the service userID to System type, and ensure that all functionality continues to work in Production systems. (The userID embedded into RFC connections)
  Before changing the user type for the userid  I would like to know if there is any way to log whether interactive logons have taken place for the Service user.
  We need to ensure that everything works when the userID is changed to System.
  Please let me know if there is any to see the log for the service user which had interactive logons.
  Regard's

  Salman,
  Yes salman, you need to create profile and then activate it.
  In SM18 you can define the days for which you want to keep the logs it depends on the company policy and size of log
  In SM19 Activate the profile required for audit log like for all users you can activate only critical events while for critical users select all events.SM20 you will just use for the reading the logs. (if required)
  http://searchsap.techtarget.com/tip/SAP-security-audit-log-setup (ECC6)
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b0bfafc5-0709-2d10-2fb9-e8c9e7525d5b?quicklink=index&overridelayout=true    for (ECC)
  http://www.sap-img.com/basis/the-step-required-to-audit-at-the-user-level.htm
  http://www.erpgenie.com/sap-technical/basis/the-step-required-to-audit-at-the-user-level
  NOTE: 
  Activating the audit log
  The following instance profiles must be set in order to activate audit logging (use transaction RZ10 to do so
  rsau/enable: Set to 1 to activates audit logging
  rsau/loc
  Thanks,
  Sri

• Interactive logon process initialization has failed after system state is restored from backup

  Recently one of my Windows 2008 server was restored from system state backup, and below error appears before during startup, before logon screen:
  "interactive logon process initialization has failed. please consult the event log for more details"
  I do not have recovery disk, also repair didn't work, any other solutions?
  Thanks.

  Hi Justin,
  I would suggest you to use sfc to check if there is any systemfiles corrupted :
  1. boot from cd
  2.  sfc /scannow /offbootdir=X:\ /offwindir=Y:\windows (X  is boot partition , Y is windows system files partition )
  Best Regards
  Elton Ji
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Remote Desktop Connection Crashes after Interactive Logon

  We have a GP on our domain with an interactive logon set. When using RDConnection to logon to a Win10 10074 machine on the doamin, as soon as I click the OK button to get past the interactive logon the RDC crashes and I am back to my desktop. If I take that
  Win10 off of the domain and remove the interactive logon, I can use RDC like normal. Interactive logon is an enforced top level domain policy. It was fine in build 10041.
  FYI? Suggestions? TY
  (I updated a second Win10 to 10074 and the same thing is happening.)

  I found the answer here.
  http://community.spiceworks.com/topic/926475-unable-to-rdp-to-windows-10-machine-after-latest-build-10074
  Joey Kobra Apr
  30, 2015 at 1:58 PM 
  1ST POST
  This is probably due to the new LogonUI. Verify on the Event Manager if its failing. If that's your issue then try this in REGEDIT:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\TestHooks
  change Threshold from 1 to 0
  This should revert back to the old login screen.

• What are interactive form fields

  I found a sample template online that I would like to use, I saved it in my documents and now I can not edit it, what do I need to do?

  Hi ,
  Referring to the following document you could more information about form fields.It will cover everything related to interactive form fields.Please have a look .
  http://www.adobe.com/content/dam/Adobe/en/accessibility/products/acrobat/pdfs/acrobat-xi-a ccessible-forms.pdf
  As far the template is concerned ,please explain more about that .
  What kind of template it is ?
  How do you want to edit it and what are the challenges are you facing while trying to edit it ?
  What version of Acrobat are you using?
  Also ,what OS do you work on ?
  Please provide us the mentioned information so that we can assist accordingly .
  Regards
  Sukrit Dhingra

• Testing Interactive Form Logon Displays Odd Color Scheme

  For over a year we have been using this one interactive form.  The color scheme, when logging into this form, has changed. The developer who created the form has made no changes, and I do not know of any changes on the Basis side that would cause this.
  When I test the form from SICF, the initial logon screen has a black background and the logon window where we enter the username and password is outlined in blue. Once I log into the form, it displays properly. Any ideas on what may be causing this form to display in this odd manner?
  I know it is just the colors and the form itself still works, but some endusers find it hard to read the logon screen when it displays like this.
  Thanks,

  Goto transaction SICF.
  Under default_host>sap>bc>webdynpro>sap>(name of interactive form) - double click on the form
  Select Error Pages Tab, within the Create/Change Service window that is now open. Switch to change mode, and Scroll down the page to select the configuration button. 
  This opens the System Logon Configuration Window and under Logon Layout and Procedures you will see two options. SAP Implementation and User-Specific. SAP Imlpementation has a Tmpl (Template) and SAP ICON selection. User-Specifc has a class your developer would have created. You select which option and settings for that option you want. Then select the adjust Links and Images. When I made these changes, it asked me for a transport.
  Once you have applied the changes, created the transport and saved everything. You will now be able to run a test of the form from SICF to see what the new logon layout looks like. You just transport the change through the rest of your systems.
  Edited by: David Harris on Jan 20, 2010 8:52 PM

• What does "Logon Process: Ginabkg" mean?

  Today I got two events like this
  event id 528
  "Successful Logon: User Name: xxxx Domain: yyyy Logon ID: (0x0,0x5929E) Logon Type: 2 Logon Process: GinaBkg Authentication Package: Negotiate Workstation
  Both after an event id 528 with logon type 11 and logon Process: user32 and the same user.
  What does "Logon Process: Ginabkg" mean?
  This PC is a Windows XP SP3 client and the server is Windows Advanced Server 2000.
  In some forums I found that this related to Novell Client but this PC doesn`t have it installed.
  Best Regards and thanks in advance.

  Hi,
  I wasn’t able to find any specific information about “Ginabkg”.
  Though, GINA (Graphical Identification and Authentication) is a DLL module that operates in the security context of Winlogon.
  Here are some related articles below for you:
  GINA
  https://technet.microsoft.com/en-us/network/aa375457%28v=vs.80%29?f=255&MSPPError=-2147217396
  How Interactive Logon Works
  https://technet.microsoft.com/en-us/library/cc780332%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• What is the Interactive account in the security tab of program shortcuts

  Right click on firefox ICON
  Click Properties
  Click Security
  Under these list the group or user names
  There is one called INTERACTIVE
  What is INTERACTIVE for? What does it mean? Should it be removed? Is it a virus or a hacker?

  I don't think you can or should try to remove it. That said, I don't really understand how it works. This discussion tries to explain it, but... [http://serverfault.com/questions/188115/what-is-windows-interactive-user What is windows "interactive user"? - Server Fault]

• What is logon keychain in icloud

  What is a logon keychain in icloud????

  A way to simplify remembering your confidential username/passwords, across Apple devices like Macs/iPhones/iPads. This should increase your security, if you do it right. Read this:
  How to use iCloud Keychain (Macworld)

• What is the Best way to apply granular password policy

  I am trying to apply Fine Grain Password Policy in small groups to my users, I have set the password expiry to 10 days
  for testing. But the moment I apply the policy, users start getting password change notifications immediately, Outlook or
  Lync start asking for a new password.
  Should it not wait for 5 days to start poping-up on the clients that they have 5 days left to change there passwords.
  What is the best I can do not to disturb the users, I cannot do this at night because most users have mobile devices. Windows 2012

  Hi Petro,
  In addition to Mihai's answer, also consider checking/changing the 'Interactive logon: Prompt user to change password before expiration' which by default is 14 days. I think there is a default notice period of 5 days but for Windows 7 or 2008 R2
  servers that don't have a Group policy overriding the local policy (not domain joined). I am not sure how that applies to 2012. So if you haven't changed that to 5 days, it might be the cause of the problem.
  On a PSO object I don't think you can set the password change notification.
  The settings can be found in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration.
  References:
  http://technet.microsoft.com/en-us/library/jj852243.aspx- Interactive logon: Prompt user to change password before expiration
  http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx - PSO Step Guide
  http://mariusene.wordpress.com/

• Problem with Policy "Display information about previous logons during user logon"

  Hello,
  I've a problem with the Policy "Setting Display information about previous logons during user logon".
  It is applied correctly on computer, but I can't login anymore and message "Security policies on this computer are set to display information about the last interactive logon. Windows could not retrieve this information. Please contact your network administrator
  for assistance" is appearing.
  My home test domain has 2008 R2 functionality level since months, and I've raised my company infra level functionality to 2012 this morning. Both domain are making the same error.
  This is non-sense, so any idea how to troubleshoot it ? Thanks in advance ! ;-)
  PS : I was able to remove it in order to login again, no worries on this one...

  Did you follow the guidance in http://technet.microsoft.com/en-us/library/dd446680%28v=ws.10%29.aspx?
  Especially the following paragraph - the setting has to be applied to DCs and Members...:
  You configure last interactive logon through a GPO. You must configure the following setting for the GPO with domain controllers in its scope of management if you want to report last interactive logon information to the directory service:
  Computer Configuration| Policies | Administrative Templates | Windows Components | Windows Logon Options | Display information about previous logons during user logon = Enabled
  If you want to display last interactive logon information to the user, you must configure this setting for both the GPO with domain controllers in its scope of management as well as any GPO with Windows Server 2008 and Windows Vista client
  computers in its scope of management.
  Martin
  NO THEY ARE NOT EVIL, if you know what you are doing:
  And if IT bothers me - :))
  Restore the forum design -
  Martin-
  I'm struggling with the TechNet article you direct us to.  We see in the TechNet article that Last Login Notification works ONLY with Server 2008 R2 and Vista.  Do we interpret that correctly?
  We need it to work with Server 2003, Server 2008, Win7, Win8, Win8.1, Server 2012, et. al.
  What is the work around to enable *Last Login Notifications to Users* functionality for these OSs?
  Thanks in advance,
  Robin

• Do not require smartcard for specific user logon

  Hi everyone!
  I set up a GPO setting for some application server "Interactive logon: Require smart card" to "enabled". So, now I need to allow a specific user (admin, for example) to logon to this computer without smartcard. How can I do this?
  Note, that I need to allow only one user to logon without smartcard and other users must use their smartcards (but strongly they must use smartcards only for this application server - so, they should be able to logon to other domain computers without smartcard).
  How can I reach this goal?

  > Require smart card" to "enabled". So, now I need to allow a specific
  > user (admin, for example) to logon to this computer without smartcard.
  > How can I do this?
  To be honest: You cannot. Your setting is a computer setting and has no
  exception possibilities for a subset of users. The other solution (AD
  account properties of users) have no exception possibilities, too.
  To me, it seems this user needs 2 accounts... One with "smartcard
  required" to logon to all other computers and a second one that can only
  logon to this computer (user rights: "allow logon locally").
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))