windows-it
 asked on

Active Directory User Object "Log On To..." settings

Hi @ all,
In the Active Directory User Object under the tab "Account" there is a setting called "Log On To...". How does this work technically exactly? I need to understand the whole technical process of how this works but can't find anything on the internet.

Thanks a lot for your help.

Regards
Active Directory, OS Security, Windows Server 2012

Last Comment
McKnife

8/22/2022 - Mon
Mal Osborne

This is something that is not often used.

It allows an account to be restricted in terms of which machines a user can log into. Some environments only let users log into their own machines, or just certain terminal servers for example.

If you fill in some machine names, then users will be unable to log locally onto machines not on your list.
windows-it

ASKER
I understand that normally you define the "allow logon locally" in the user rights assignment. This just restricts whether a user can log on physically at the machine. If I use the settings in the AD object (variable defined here https://msdn.microsoft.com/en-us/library/ms680868%28v=vs.85%29.aspx) a bit more than just "logon locally" will be blocked somehow. Therefore I need to know the whole process...
ASKER CERTIFIED SOLUTION
Mohammed Khawaja

McKnife

No, it's not that simple any more. Starting with Win8/Server 2012, RDP is also part of that game.

If you specify "machine A", then the user
- can log on to A
- can start an RDP connection from A
- can map a network drive from A

Example: if you would like to use some user "X" to map a network drive or start an RDP connection from machine A AND you are not logged on as X, but as Y, you will only be able to use X for that if X may log on to machine A. That is true for Win8.x/10, not true for Win7 and before.
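
Added example, not part of the original thread: a PowerShell audit of the "Log On To..." setting, which Active Directory stores on the user object as the comma-separated `userWorkstations` attribute. It assumes the ActiveDirectory (RSAT) module and read access to the directory; the function names `Get-LogOnToRestriction` and `Test-LogOnTo` are hypothetical, and `X` and `A` are the names used in the thread.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and read access to AD.
Import-Module ActiveDirectory

function Get-LogOnToRestriction {
    # Lists every user that has a "Log On To..." restriction and flags listed
    # workstation names that have no matching computer object in the domain.
    [CmdletBinding()]
    param()

    # Case-insensitive lookup of existing computer names.
    $known = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    Get-ADComputer -Filter * | ForEach-Object { [void]$known.Add($_.Name) }

    Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties userWorkstations |
        ForEach-Object {
            $user = $_
            # The attribute is a comma-separated list of computer names.
            $allowed = @($user.userWorkstations -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
            [pscustomobject]@{
                User    = $user.SamAccountName
                Allowed = $allowed
                Stale   = @($allowed | Where-Object { -not $known.Contains($_) })
            }
        }
}

function Test-LogOnTo {
    # $true when the attribute permits the account on the given computer:
    # either no restriction is set, or the computer is in the list.
    # This checks the attribute only, not user rights assignment or OS version.
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Computer
    )
    $u = Get-ADUser -Identity $User -Properties userWorkstations
    if ([string]::IsNullOrWhiteSpace($u.userWorkstations)) { return $true }
    $allowed = @($u.userWorkstations -split ',' | ForEach-Object { $_.Trim() })
    return ($allowed -contains $Computer)   # -contains is case-insensitive
}

# Usage:
#   Test-LogOnTo -User X -Computer A
#   Get-LogOnToRestriction | Where-Object { $_.Stale } | Format-Table -AutoSize
```

A `$false` from `Test-LogOnTo` for the source machine is the first thing to check when an account restricted this way fails to map a drive or start an RDP session from that machine.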