"Log on Locally" User Right

[Guest JayDee]

My question is: "what -exactly- is the "log on locally" user right?

Here's some background...

 

We recently updated a policy to lock down the "Log on Locally" user

right for our servers to include only "Administrators" and "Domain

Admins" - The user right was currently not defined. Our thought was

that this would lock the environment down so that only administrators

could log onto servers at the console.

 

The first problem we ran into was with the Citrix servers. Apparently,

"Log on Locally" is required for clients to connect to citrix servers.

This surprised me, since I thought a client session would be

considered a terminal services session of sort (there is a different

user right for terminal services connections), but apparently that is

not the case.

 

Then, we began having a problems with a couple other applications. One

was web-based where, after this change was implemented, the client

would constantly get prompted for a username and password, even if

they entered their password correctly. Another application which

required communication between servers also failed with this change.

 

As a result of these problems, and in fear that more would occur, we

reversed the change so that now "Authenticated Users" is part of this

"user right"

 

So, can someone shed some light on this mysterious user right for me?

Apparently, it's not as straightforward as I thought.

 

Thanks

 

- jd

[Guest Steve B]

RE: "Log on Locally" User Right

 

Hi,

 

Always quite tricky to explain this one. In Windows 2000, there was only a

single user right for interactive logon - namely Allow Log on Locally. In

effect, this is the way Terminal Services / Citrix enviornments work - your

seeing the Windows desktop as if you were interactively logged on.

 

In Windows 2003, Microsoft changed the user rights to distinguish between

people logging in interactively and via terminal services. Hence, we now

have two rights - Allow Log On Locally and Allow Logon on through Terminal

Services.

 

Microsoft updated the RDP protocol (i.e Terminal Services) to use the Allow

Log on through Terminal Services. Unfortuantely, Im not a Citrix expert but

my understanding is that the ICA protocol (i.e. Citrix) is still set to use

the old right - Allow Log on Locally. I'm not sure whether Citrix will update

the ICA protocol to use the new right. Could be worth posting to a Citrix web

site or try http://www.brainmadden.com/default.aspx.

 

With regard to IIS this is more tricky. Take a look at article:

 

http://support.microsoft.com/kb/264921

 

Basically, if IIS uses Anonymouse or Basic Authentication methods then the

right Allow Logon Locally is required. If IIS is set to Windows NT

Challenge/Response then this right is not required but the right to Access

this computer from the network is.

 

Thus, you tend to find that you use OU's to group computers together - e.g.

Terminal Servers, Web Servers etc etc. You then apply a GPO to each OU. In

turn, within the GPO, you then set the appropriate rights. This way, you are

not opening up security too much.

 

 

Steve

 

 

 

 

 

 

"JayDee" wrote:

> My question is: "what -exactly- is the "log on locally" user right?

> Here's some background...

>

> We recently updated a policy to lock down the "Log on Locally" user

> right for our servers to include only "Administrators" and "Domain

> Admins" - The user right was currently not defined. Our thought was

> that this would lock the environment down so that only administrators

> could log onto servers at the console.

>

> The first problem we ran into was with the Citrix servers. Apparently,

> "Log on Locally" is required for clients to connect to citrix servers.

> This surprised me, since I thought a client session would be

> considered a terminal services session of sort (there is a different

> user right for terminal services connections), but apparently that is

> not the case.

>

> Then, we began having a problems with a couple other applications. One

> was web-based where, after this change was implemented, the client

> would constantly get prompted for a username and password, even if

> they entered their password correctly. Another application which

> required communication between servers also failed with this change.

>

> As a result of these problems, and in fear that more would occur, we

> reversed the change so that now "Authenticated Users" is part of this

> "user right"

>

> So, can someone shed some light on this mysterious user right for me?

> Apparently, it's not as straightforward as I thought.

>

> Thanks

>

> - jd

>

>

[Guest Jorge Silva]

Re: "Log on Locally" User Right

 

Hi

Check if it helps

http://tech.xptechsupport.com/citrix-server-error-messages.html

http://support.microsoft.com/default.aspx?scid=kb;en-us;815266

 

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"JayDee" <dopamine@mail.com> wrote in message

news:1187347224.341431.185000@i13g2000prf.googlegroups.com...

> My question is: "what -exactly- is the "log on locally" user right?

> Here's some background...

>

> We recently updated a policy to lock down the "Log on Locally" user

> right for our servers to include only "Administrators" and "Domain

> Admins" - The user right was currently not defined. Our thought was

> that this would lock the environment down so that only administrators

> could log onto servers at the console.

>

> The first problem we ran into was with the Citrix servers. Apparently,

> "Log on Locally" is required for clients to connect to citrix servers.

> This surprised me, since I thought a client session would be

> considered a terminal services session of sort (there is a different

> user right for terminal services connections), but apparently that is

> not the case.

>

> Then, we began having a problems with a couple other applications. One

> was web-based where, after this change was implemented, the client

> would constantly get prompted for a username and password, even if

> they entered their password correctly. Another application which

> required communication between servers also failed with this change.

>

> As a result of these problems, and in fear that more would occur, we

> reversed the change so that now "Authenticated Users" is part of this

> "user right"

>

> So, can someone shed some light on this mysterious user right for me?

> Apparently, it's not as straightforward as I thought.

>

> Thanks

>

> - jd

>