windows-it

Active Directory User Object "Log On To..." settings

Hi @ all,
In the Active Directory User Object, under the "Account" tab, there is a setting called "Log On To...". How exactly does this work technically? I need to understand the whole technical process of how this works but can't find anything on the internet.

Thanks a lot for your help.

Regards
Mal Osborne

This is something that is not often used.

It allows an account to be restricted in terms of which machines a user can log into. Some environments only let users log into their own machines, or just certain terminal servers for example.

If you fill in some machine names, then users will be unable to log on locally to machines not on your list.
windows-it

ASKER

I understand that normally you define "allow logon locally" in the user rights assignment. This just restricts whether a user can log on physically at the machine. If I use the settings in the AD object (variable defined here https://msdn.microsoft.com/en-us/library/ms680868%28v=vs.85%29.aspx), a bit more than just "logon locally" will be blocked somehow. Therefore I need to know the whole process...
ASKER CERTIFIED SOLUTION
Mohammed Khawaja

This solution is only available to members.
No, it's not that simple anymore. Starting with Win8/Server 2012, RDP is also part of that game.

If you specify "machine A", then the user
- can log on to A
- can start an RDP connection from A
- can map a network drive from A

Example: if you would like to use some user "X" to map a network drive or start an RDP connection from machine A AND you are not logged on as X, but as Y, you will only be able to use X for that if X may log on to machine A. That is true for Win8.x/10, not true for Win7 and before.
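
The "Log On To..." list discussed in this thread is stored in the account's userWorkstations attribute (the attribute linked above) as a comma-separated list of computer names. As an added example that is not part of any post above, this PowerShell reports which accounts carry such a restriction and whether a given machine is on each list; the account and machine names are constructed sample data, and Test-LogOnToAllowed is a hypothetical helper name.

```powershell
# Added example: audit "Log On To..." (userWorkstations) restrictions.
# Test-LogOnToAllowed is a hypothetical helper, not a built-in cmdlet.
function Test-LogOnToAllowed {
    param(
        [string]$UserWorkstations,                  # raw attribute value
        [Parameter(Mandatory)][string]$ComputerName # machine to check
    )
    # An empty or missing attribute means no "Log On To..." list is set.
    if ([string]::IsNullOrWhiteSpace($UserWorkstations)) { return $true }

    # Split the comma-separated list and drop stray whitespace/empty entries.
    $allowed = $UserWorkstations -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }

    # -contains compares case-insensitively, which suits computer names.
    return $allowed -contains $ComputerName.Trim()
}

# Constructed sample data. In a domain, with the ActiveDirectory module,
# the same objects come from:
#   Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties userWorkstations
$accounts = @(
    [pscustomobject]@{ SamAccountName = 'svc-backup'; userWorkstations = 'SRV-A, SRV-B' }
    [pscustomobject]@{ SamAccountName = 'userX';      userWorkstations = 'MACHINE-A' }
    [pscustomobject]@{ SamAccountName = 'userY';      userWorkstations = $null }
)

$machine = 'machine-a'   # constructed name; case differs on purpose

$accounts | Select-Object SamAccountName,
    @{ Name = 'Restricted'
       Expression = { -not [string]::IsNullOrWhiteSpace($_.userWorkstations) } },
    @{ Name = 'ListedForMachine'
       Expression = { Test-LogOnToAllowed $_.userWorkstations $machine } } |
    Format-Table -AutoSize
```

Accounts that show Restricted = True and ListedForMachine = False are the ones the restriction would stop on that machine; unrestricted accounts always show ListedForMachine = True.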