Active Directory User Object "Log On To..." settings

Hi @ all,
In the Active Directory User Object, under the tab "Account", there is a setting called "Log On To...". How exactly does this work technically? I need to understand the whole technical process of how this works but can't find anything on the internet.

Thanks a lot for your help.

Regards
windows-it asked:

Mal Osborne (Alpha Geek) commented:
This is something that is not often used.

It allows an account to be restricted in terms of which machines a user can log into. Some environments only let users log into their own machines, or just certain terminal servers for example.

If you fill in some machine names, then users will be unable to log locally onto machines not on your list.
windows-it (Author) commented:
I understand that normally you define "allow logon locally" in the user rights assignment. This just restricts whether a user can log on physically at the machine. If I use the setting in the AD object (the attribute defined here: https://msdn.microsoft.com/en-us/library/ms680868%28v=vs.85%29.aspx), a bit more than just "logon locally" will somehow be blocked. Therefore I need to know the whole process...
Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
The process is very simple. If the option is not set, then the user can log in to any computer; however, if the option is set and the user tries to log in, AD responds with a login failure since the PC name is different. As part of the authentication package, the computer name and user credentials are sent. Based on this, the DC either successfully authenticates or tells the local PC to deny the login.

McKnife commented:
No, it's not that simple any more. Starting with Win8/Server 2012, RDP is also part of that game.


If you specify "machine A", then the user
- can log on to A
- can start an RDP connection from A
- can map a network drive from A

Example: if you would like to use some user "X" to map a network drive or start an RDP connection from machine A AND you are not logged on as X but as Y, you will only be able to use X for that if X may log on to machine A. That is true for Win8.x/10, not true for Win7 and before.
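The restriction discussed in this thread lives in the userWorkstations attribute (shown as LogonWorkstations by the ActiveDirectory module). The following PowerShell is an added example, not code from any of the posters: it lists which accounts carry a "Log On To..." list and checks whether a given computer is on a user's list. It assumes the RSAT ActiveDirectory module is installed and that the account names and computer names used are hypothetical.

```powershell
# Added example (not from the thread): audit "Log On To..." restrictions.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-LogonWorkstationRestrictions {
    # userWorkstations holds a comma-separated list of NetBIOS computer names.
    # Users without the attribute set are not restricted and are skipped here.
    Get-ADUser -Filter 'userWorkstations -like "*"' -Properties LogonWorkstations |
        ForEach-Object {
            [PSCustomObject]@{
                SamAccountName = $_.SamAccountName
                Workstations   = @($_.LogonWorkstations -split ',' |
                                   ForEach-Object { $_.Trim().ToUpper() })
            }
        }
}

function Test-WorkstationAllowed {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$ComputerName   # NetBIOS name, not FQDN
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations
    if ([string]::IsNullOrEmpty($user.LogonWorkstations)) {
        # No list configured: the user may log on to any computer.
        return $true
    }
    $allowed = $user.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() }
    # -contains compares case-insensitively, matching how the names are stored.
    return ($allowed -contains $ComputerName)
}

# Usage (hypothetical names): list restricted users, then check one pairing.
Get-LogonWorkstationRestrictions | Format-Table -AutoSize
Test-WorkstationAllowed -SamAccountName 'jdoe' -ComputerName 'WS01'
```

Note that the list takes NetBIOS names, so an entry written as a fully qualified name will not match the computer name the client sends during logon.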