Thursday, September 30, 2010

"Log On To": Why Doesn't Anybody Use It?

I decided to write an article on the "Log On To" feature in Microsoft's Active Directory because I have yet to find anyone else who uses it. I am not saying you aren't out there, but I think this is a much-overlooked feature. We use it along with "Limit Login" (see this post) to restrict the computers our users can log in to and to limit simultaneous sessions.

The "Log On To" feature can be found by going to the properties of the user object and selecting the "Account" tab. There is a button on that tab labelled "Log On To...". It opens a dialog that lets you specify all of the computers the user is allowed to (have you guessed yet?) log on to.
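The same setting can be managed from PowerShell, which matters once you want to apply it to more than a handful of users or audit who is still unrestricted. The following is an added example, not code from the original post; it assumes the ActiveDirectory module (RSAT) is installed, and the user name and computer names are made-up placeholders. Behind the GUI the restriction is just one attribute (`userWorkstations`, exposed as `LogonWorkstations`) holding a comma-separated list of NetBIOS computer names.

```powershell
# Added example (not from the original post): manage the "Log On To" restriction
# from PowerShell instead of the Account tab. Requires the ActiveDirectory module.
# 'jdoe' and 'WS-FRONTDESK01' are placeholders, not real accounts or hosts.
Import-Module ActiveDirectory

function Set-LogonWorkstations {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $ComputerNames   # NetBIOS names, not FQDNs
    )
    # The attribute stores a single comma-separated string; the dialog just hides that.
    $value = ($ComputerNames | ForEach-Object { $_.ToUpper() } | Sort-Object -Unique) -join ','
    if ($value.Length -gt 1024) {
        # userWorkstations is capped at 1024 characters, so very long lists fail to save.
        throw "LogonWorkstations value is $($value.Length) characters; the attribute is capped at 1024."
    }
    Set-ADUser -Identity $SamAccountName -LogonWorkstations $value
}

function Get-LogonWorkstationsReport {
    # Lists every enabled user and whether they are restricted. An empty attribute
    # means the user can log on to any computer in the domain.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties LogonWorkstations |
        Select-Object SamAccountName,
            @{ n = 'Restricted';   e = { -not [string]::IsNullOrEmpty($_.LogonWorkstations) } },
            @{ n = 'Workstations'; e = { $_.LogonWorkstations } }
}

# Usage (placeholder names): restrict one user, then list everyone still unrestricted.
Set-LogonWorkstations -SamAccountName 'jdoe' -ComputerNames 'WS-FRONTDESK01'
Get-LogonWorkstationsReport | Where-Object { -not $_.Restricted } | Format-Table -AutoSize

# To lift the restriction again, clear the underlying attribute:
# Set-ADUser -Identity 'jdoe' -Clear userWorkstations
```

The report is the useful half: run it periodically and the users who can still log on anywhere stand out, which is exactly the population the feature is meant to shrink.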

Why is this important?

Well, why not? If there are users who only ever log into one computer, why allow them to log into every single machine on the network?

What does it block (By Design)?

The "Log On To" feature stops the user from logging on to the console of a computer, whether sitting at the machine or through remote control software (Remote Desktop/RDP, PC Anywhere, VNC, etc.).

What does it block (Undesired results)?

So, the feature is not without problems. If you are using any type of LDAP authentication, you will have to add your LDAP servers to the list of allowed computers. You will also have to add the server that hosts Outlook Web Access if you use Exchange for your mail server. Other things you may have issues with are RADIUS servers and websites that use Integrated Windows Authentication.
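Rather than guessing which server a restricted user is tripping over, you can read it from the audit log. A logon refused by the workstation restriction is recorded as a failed logon, event ID 4625, with Sub Status 0xC0000070 ("User logon from unauthorized workstation") on the server the logon was attempted against, so the LDAP server, OWA server or IIS site in question will have the evidence. The script below is an added example, not code from the original post; it assumes logon-failure auditing is enabled on that server and that you have rights to read its Security log.

```powershell
# Added example (not from the original post): list logons that were refused because
# the source computer is not on the user's "Log On To" list. Such failures are audited
# as event 4625 with Sub Status 0xC0000070 on the server the logon was attempted against.
# Run it on that server, or point -ComputerName at it (assumes remote event log access).
function Get-WorkstationRestrictionFailures {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        [datetime] $Since        = (Get-Date).AddDays(-7)
    )
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Parse the event XML so fields are picked by name rather than by position.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['SubStatus'] -ne '0xc0000070') { continue }   # -ne is case-insensitive
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            FromHost    = $data['WorkstationName']
            FromAddress = $data['IpAddress']
            LogonType   = $data['LogonType']   # 3 = network (LDAP/HTTP), 10 = RDP
            Server      = $ComputerName
        }
    }
}

# Summarise which users are being refused from which sources, so the missing server
# can be added to their list or the user can be told which machine they may use.
Get-WorkstationRestrictionFailures |
    Group-Object User, FromHost |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

For NTLM authentications the domain controller that validated the credentials also records the same 0xC0000070 code in event 4776, which is handy when the application server itself writes no 4625. Either way, the point is to add only the server that is actually refusing the user instead of loosening the list further than needed.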

What doesn't it block?

You can still use file/printer sharing on servers that are not on the list, so you do not need to add your file/print servers. You do not need to add your domain controllers either, unless you are using them for LDAP authentication.
