WinSecWiki > Security Settings > Account Policies > Kerberos Policy > Logon Restrictions

Enforce User Logon Restrictions

Microsoft documentation is conflicting on this and I confess that I have not scheduled time to research the truth with some experiments. Microsoft documentation claims that this policy makes the domain controller verify the user has the appropriate logon right to the server or workstation for which the user is requesting a ticket but that doesn't make sense for at least 2 reasons:

logon rights are stored and enforced at the local computer level and I don't believe the domain controller queries the local computer for current rights assignments while processing ticket requests
it would be redundant for domain controllers to check logon rights since the computer for which the client is requesting a ticket enforces the logon rights anyway when the user presents the ticket

It seems much more reasonable that this policy makes the DC check the AD user's account policies such as logon hours and workstation restrictions and some Microsoft documentation confirms this.

Upcoming Webinars

Additional Resources

Kerberos Policy

•	Logon Restrictions
•	Service Ticket
•	User Ticket
•	Ticket Renewal
•	Clock Sync

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.