JayDee
My question is: what -exactly- is the "log on locally" user right?
Here's some background...
We recently updated a policy to lock down the "Log on Locally" user
right for our servers to include only "Administrators" and "Domain
Admins" - The user right was currently not defined. Our thought was
that this would lock the environment down so that only administrators
could log onto servers at the console.
The first problem we ran into was with the Citrix servers. Apparently,
"Log on Locally" is required for clients to connect to Citrix servers.
This surprised me, since I thought a client session would be
considered a terminal services session of sorts (there is a different
user right for terminal services connections), but apparently that is
not the case.
Then, we began having problems with a couple of other applications. One
was web-based where, after this change was implemented, the client
would constantly get prompted for a username and password, even if
they entered their password correctly. Another application which
required communication between servers also failed with this change.
As a result of these problems, and in fear that more would occur, we
reversed the change so that now "Authenticated Users" is part of this
"user right".
So, can someone shed some light on this mysterious user right for me?
Apparently, it's not as straightforward as I thought.
Thanks
- jd