Active Directory User Object "Log On To..." settings

windows-it
Hi @ all,
In the Active Directory user object, under the "Account" tab, there is a setting called "Log On To...". How exactly does this work technically? I need to understand the whole technical process of how this works but can't find anything on the internet.

Thanks a lot for your help.

Regards
This is something that is not often used.

It allows an account to be restricted in terms of which machines a user can log into. Some environments only let users log into their own machines, or just certain terminal servers for example.

If you fill in some machine names, then users will be unable to log locally onto machines not on your list.

Author

Commented:
I understand that normally you define "Allow log on locally" in the user rights assignment. This just restricts whether a user can log on physically at the machine. If I use the setting in the AD object (the attribute defined here: https://msdn.microsoft.com/en-us/library/ms680868%28v=vs.85%29.aspx), a bit more than just "log on locally" will be blocked somehow. Therefore I need to know the whole process...
Manager - Infrastructure: Information Technology
Commented:
The process is very simple. If the option is not set, then the user can log in to any computer. However, if the option is set and the user tries to log in, AD responds with a login failure since the PC name is different. As part of the authentication package, the computer name and user credentials are sent. Based on this, the DC either successfully authenticates the user or tells the local PC to deny the login.
Distinguished Expert 2018

Commented:
No, it's not that simple any more. Starting with Windows 8/Server 2012, RDP is also part of that game.


If you specify "machine A", then the user
- can log on to A
- can start an RDP connection from A
- can map a network drive from A

Example: if you would like to use some user "X" to map a network drive or start an RDP connection from machine A AND you are not logged on as X, but as Y, you will only be able to use X for that if X may log on to machine A. That is true for Windows 8.x/10, not true for Windows 7 and before.
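The "Log On To..." list discussed in this thread is stored in the userWorkstations attribute linked above, which the ActiveDirectory PowerShell module exposes as LogonWorkstations. The following script is an added example, not code from the thread or from Microsoft: it lists every user that has the restriction set and checks whether a given user is allowed on a given computer, so an admin can verify why a logon, RDP session or drive mapping from a particular machine is refused. It assumes the RSAT ActiveDirectory module and read access to the domain; the user and computer names at the end are placeholders.

```powershell
# Added example (not from the thread): audit the "Log On To..." restriction
# (userWorkstations / LogonWorkstations) and test a user/computer pair.
# Assumes the RSAT ActiveDirectory module is installed and domain read access.
Import-Module ActiveDirectory

function Get-LogonWorkstationList {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations
    if ([string]::IsNullOrWhiteSpace($u.LogonWorkstations)) { return @() }
    # The attribute is one comma-separated string of NetBIOS computer names.
    [string[]]$names = $u.LogonWorkstations -split ',' |
        ForEach-Object { $_.Trim().ToUpperInvariant() } |
        Where-Object { $_ }
    return $names
}

function Test-LogonWorkstationAllowed {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$ComputerName
    )
    [string[]]$list = @(Get-LogonWorkstationList -SamAccountName $SamAccountName)
    # An empty list means no restriction: the user may log on from anywhere.
    if ($list.Count -eq 0) { return $true }
    # The DC compares NetBIOS names, so strip any DNS suffix before matching.
    $netbios = ($ComputerName -split '\.')[0].ToUpperInvariant()
    return ($list -contains $netbios)
}

# Report every user that has the restriction in place, with the allowed list.
Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations |
    Format-Table -AutoSize

# Placeholder names: replace with a real account and computer to check.
Test-LogonWorkstationAllowed -SamAccountName 'userX' -ComputerName 'MACHINE-A.corp.example'
```

If the check returns False for the machine a user is sitting at, that also explains the Windows 8+/10 behaviour described above, since RDP and drive mappings initiated from that machine under those credentials are refused by the same rule.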
