Enforce User Logon Restrictions
Microsoft documentation is conflicting on this and I confess that I have not scheduled time to research the truth with some experiments. Microsoft documentation claims that this policy makes the domain controller verify the user has the appropriate logon right to the server or workstation for which the user is requesting a ticket but that doesn't make sense for at least 2 reasons:
- logon rights are stored and enforced at the local computer level and I don't believe the domain controller queries the local computer for current rights assignments while processing ticket requests
- it would be redundant for domain controllers to check logon rights since the computer for which the client is requesting a ticket enforces the logon rights anyway when the user presents the ticket
It seems much more reasonable that this policy makes the DC check the AD user's account policies, such as logon hours and workstation restrictions, and some Microsoft documentation confirms this.
Bottom line
This policy is enabled by default and there's no reason to change it.