"Log on Locally" User Right

Posted by JayDee
My question is: "what -exactly- is the "log on locally" user right?
Here's some background...

We recently updated a policy to lock down the "Log on Locally" user
right for our servers to include only "Administrators" and "Domain
Admins" - The user right was currently not defined. Our thought was
that this would lock the environment down so that only administrators
could log onto servers at the console.

The first problem we ran into was with the Citrix servers. Apparently,
"Log on Locally" is required for clients to connect to citrix servers.
This surprised me, since I thought a client session would be
considered a terminal services session of sort (there is a different
user right for terminal services connections), but apparently that is
not the case.

Then, we began having problems with a couple of other applications. One
was web-based where, after this change was implemented, the client
would constantly get prompted for a username and password, even if
they entered their password correctly. Another application which
required communication between servers also failed with this change.

As a result of these problems, and in fear that more would occur, we
reversed the change so that now "Authenticated Users" is part of this
"user right"

So, can someone shed some light on this mysterious user right for me?
Apparently, it's not as straightforward as I thought.

Thanks

- jd
 
Hi,

Always quite tricky to explain this one. In Windows 2000, there was only a
single user right for interactive logon - namely Allow Log on Locally. In
effect, this is the way Terminal Services / Citrix environments work - you're
seeing the Windows desktop as if you were interactively logged on.

In Windows 2003, Microsoft changed the user rights to distinguish between
people logging in interactively and via terminal services. Hence, we now
have two rights - Allow Log on Locally and Allow Log on through Terminal
Services.

Microsoft updated the RDP protocol (i.e. Terminal Services) to use Allow
Log on through Terminal Services. Unfortunately, I'm not a Citrix expert but
my understanding is that the ICA protocol (i.e. Citrix) is still set to use
the old right - Allow Log on Locally. I'm not sure whether Citrix will update
the ICA protocol to use the new right. Could be worth posting to a Citrix web
site or try http://www.brainmadden.com/default.aspx.

With regard to IIS this is more tricky. Take a look at article:

http://support.microsoft.com/kb/264921

Basically, if IIS uses Anonymous or Basic Authentication methods then the
right Allow Log on Locally is required. If IIS is set to Windows NT
Challenge/Response then this right is not required but the right to Access
this computer from the network is.

Thus, you tend to find that you use OUs to group computers together - e.g.
Terminal Servers, Web Servers, etc. You then apply a GPO to each OU. In
turn, within the GPO, you then set the appropriate rights. This way, you are
not opening up security too much.


Steve
"JayDee" wrote:

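The practical follow-up to Steve's answer is knowing what a given server's effective "Allow log on locally", "Allow log on through Terminal Services" and "Access this computer from the network" settings actually are before you change them. The script below is an added example, not code from the thread or from Microsoft; it exports the local policy with secedit.exe, resolves the SIDs in the [Privilege Rights] section to account names, and diffs the three rights against a baseline. The baseline list is an assumption for a plain member server; a Citrix or web-server OU would carry a different list, as the thread explains.

```powershell
# Added example (not from the original thread): report the three logon-related
# user rights in effect on this server and compare them with an intended baseline.
# Assumes Windows Server 2003 or later, secedit.exe present, and an elevated prompt.

$ExportPath = Join-Path $env:TEMP 'userrights.inf'
# secedit writes the effective local policy, including [Privilege Rights], as a .inf file
& secedit.exe /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null

# Internal privilege names for the rights discussed in the thread:
#   console / Citrix ICA logons use SeInteractiveLogonRight,
#   RDP logons use SeRemoteInteractiveLogonRight,
#   IIS Windows authentication and server-to-server traffic use SeNetworkLogonRight.
$Rights = @{
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeRemoteInteractiveLogonRight = 'Allow log on through Terminal Services'
    SeNetworkLogonRight           = 'Access this computer from the network'
}

# Assumed baseline for a plain member server (adjust per OU / GPO).
$Baseline = @{
    SeInteractiveLogonRight       = @('BUILTIN\Administrators')
    SeRemoteInteractiveLogonRight = @('BUILTIN\Administrators', 'BUILTIN\Remote Desktop Users')
    SeNetworkLogonRight           = @('BUILTIN\Administrators', 'NT AUTHORITY\Authenticated Users')
}

function Resolve-Principal {
    param([string]$Entry)
    # secedit writes SIDs with a leading '*'; plain names are written as-is.
    if ($Entry.StartsWith('*')) {
        try {
            $Sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))
            return $Sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            return $Entry   # unresolvable SID (deleted account, untrusted domain)
        }
    }
    return $Entry
}

# Parse lines of the form "SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-11"
$Effective = @{}
foreach ($Line in Get-Content $ExportPath) {
    if ($Line -match '^(Se\w+LogonRight)\s*=\s*(.*)$' -and $Rights.ContainsKey($Matches[1])) {
        $Effective[$Matches[1]] = @($Matches[2].Split(',') |
            Where-Object { $_.Trim() } |
            ForEach-Object { Resolve-Principal $_.Trim() })
    }
}

foreach ($Priv in $Rights.Keys) {
    # A right that is "Not Defined" in policy does not appear in the export at all.
    $Have = if ($Effective.ContainsKey($Priv)) { $Effective[$Priv] } else { @() }
    $Want = $Baseline[$Priv]
    "`n$($Rights[$Priv]) ($Priv):"
    if ($Have.Count -eq 0) { '    (not defined)' }
    $Have | ForEach-Object { "    $_" }
    $Extra   = $Have | Where-Object { $Want -notcontains $_ }
    $Missing = $Want | Where-Object { $Have -notcontains $_ }
    if ($Extra)   { "  ! granted but not in baseline: $($Extra -join ', ')" }
    if ($Missing) { "  ! in baseline but not granted: $($Missing -join ', ')" }
}

Remove-Item $ExportPath -ErrorAction SilentlyContinue
```

Run it on a Citrix server before tightening "Allow log on locally" and you will see Authenticated Users (or whatever group the farm grants) listed under SeInteractiveLogonRight; that is the entry the OU-specific GPO has to keep, while the plain member-server GPO can drop it.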
 
Hi
Check if it helps
http://tech.xptechsupport.com/citrix-server-error-messages.html
http://support.microsoft.com/default.aspx?scid=kb;en-us;815266


--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
"JayDee" <dopamine@mail.com> wrote in message
news:1187347224.341431.185000@i13g2000prf.googlegroups.com...
 