I am trying to understand the basics of the “allow logon locally” user rights assignment, in the context of a windows server 2016 domain controller. I also notice there is an “allow logon through remote desktop services” user rights assignment. I was reading this article:https://adsecurity.org/?p=2362
Which states "This means that if an attacker can compromise an account in Account Operators or Print Operators, the Active Directory domain may be compromised since these groups have logon rights to Domain Controllers."
But the logon rights I can see, appear to be "allow logon locally", and not "allow logon through remote desktop services".
Therefore, from a W10 device joined to the same domain as the domain controller server, what apps/tools on a standard W10 device could a user use to “logon locally” to the server, assuming they are in the correct group and have the correct user rights assigned? There is obviously mstsc.exe which they would use for remote desktop connection GUI access, but can you use that tool to also "logon locally"? Or would you need to be assigned both user rights assignments in order to do so ("allow logon locally", AND "allow logon through RDS"? If mstsc.exe doesn’t support “allow logon locally” sessions, are there any other tools they could use from a W10 device to achieve a local logon?
If you cannot use mstsc.exe to make use of the "allow logon locally" security assignment, how would a user make use of that right to "logon locally"? Be that via a GUI or map network drive type access to the content of local drives on the server. I'm not convinced it is as risky as the article suggests, as for example the users group (domain users) has "allow logon locally" on all servers so if it was that easy all data on all member servers would be at risk, but does not have the "allow logon through remote desktop services" assignment which seems to be the mitigating factor.