
understanding the allow logon locally URA

Pau Lo asked on
Windows OS, OS Security, Windows 10, Azure, Windows Server 2016
I am trying to understand the basics of the “allow logon locally” user rights assignment, in the context of a Windows Server 2016 domain controller. I also notice there is an “allow logon through remote desktop services” user rights assignment. I was reading this article:
https://adsecurity.org/?p=2362

Which states "This means that if an attacker can compromise an account in Account Operators or Print Operators, the Active Directory domain may be compromised since these groups have logon rights to Domain Controllers."

But the logon rights I can see appear to be "allow logon locally", and not "allow logon through remote desktop services".

Therefore, from a W10 device joined to the same domain as the domain controller server, what apps/tools on a standard W10 device could a user use to “logon locally” to the server, assuming they are in the correct group and have the correct user rights assigned? There is obviously mstsc.exe which they would use for remote desktop connection GUI access, but can you use that tool to also "logon locally"? Or would you need to be assigned both user rights assignments in order to do so ("allow logon locally" AND "allow logon through RDS")? If mstsc.exe doesn’t support “allow logon locally” sessions, are there any other tools they could use from a W10 device to achieve a local logon?

If you cannot use mstsc.exe to make use of the "allow logon locally" security assignment, how would a user make use of that right to "logon locally"? Be that via a GUI or map network drive type access to the content of local drives on the server. I'm not convinced it is as risky as the article suggests, as for example the users group (domain users) has "allow logon locally" on all servers so if it was that easy all data on all member servers would be at risk, but does not have the "allow logon through remote desktop services" assignment which seems to be the mitigating factor.
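A practical way to check the situation the question describes is to dump the effective user rights on the domain controller and see which principals hold each of the two logon rights. The following is an added audit example, not code from the original post or from the adsecurity.org article; it assumes it is run in an elevated PowerShell session on the DC itself, and the list of groups it flags is taken from the question (edit it as needed).

```powershell
# Added example: list who holds "Allow log on locally" and "Allow log on through
# Remote Desktop Services" on this domain controller. Run elevated on the DC.
# Constant names are the privilege names Windows uses in the exported policy.
$rights = @{
    'SeInteractiveLogonRight'       = 'Allow log on locally'
    'SeRemoteInteractiveLogonRight' = 'Allow log on through Remote Desktop Services'
}

# Groups the question (via the linked article) singles out as having logon
# rights on DCs; assumption for this example, extend as you see fit.
$watchList = @('Account Operators', 'Print Operators')

# secedit can export just the user-rights area of the effective local policy.
$cfg = Join-Path $env:TEMP 'ura-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The export is UTF-16; the [Privilege Rights] section holds lines such as
#   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548
$lines = Get-Content $cfg -Encoding Unicode
Remove-Item $cfg

function Resolve-Principal([string]$entry) {
    # Entries are either "*<SID>" or a plain account name.
    if ($entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $entry }   # unresolvable SID (e.g. orphaned): keep raw
    }
    return $entry
}

foreach ($line in $lines) {
    $name, $value = $line -split '\s*=\s*', 2
    if (-not $rights.ContainsKey($name)) { continue }
    $holders = @()
    if ($value) { $holders = $value -split ',' | ForEach-Object { Resolve-Principal $_.Trim() } }
    Write-Host ("{0} ({1}):" -f $rights[$name], $name)
    foreach ($h in $holders) {
        # Flag watch-listed groups so the two rights can be compared side by side.
        $flag = if ($watchList | Where-Object { $h -like "*\$_" }) { '  <-- review' } else { '' }
        Write-Host ("    {0}{1}" -f $h, $flag)
    }
}
```

Comparing the two lists shows directly whether a flagged group holds only the interactive (console) right, only the RDP right, or both, which is the distinction the question is asking about.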