WinSecWiki > Security Settings > Account Policies > Kerberos Policy > Logon Restrictions

Enforce User Logon Restrictions

Microsoft documentation is conflicting on this and I confess that I have not scheduled time to research the truth with some experiments. Microsoft documentation claims that this policy makes the domain controller verify the user has the appropriate logon right to the server or workstation for which the user is requesting a ticket but that doesn't make sense for at least 2 reasons:

  • logon rights are stored and enforced at the local computer level and I don't believe the domain controller queries the local computer for current rights assignments while processing ticket requests
  • it would be redundant for domain controllers to check logon rights since the computer for which the client is requesting a ticket enforces the logon rights anyway when the user presents the ticket

It seems much more reasonable that this policy makes the DC check the AD user's account policies such as logon hours and workstation restrictions and some Microsoft documentation confirms this.

Back to top


Additional Resources