"The system administrator has limited the computers you can log on with" despite workstation name existing in "Log On To Workstations" list for the particular user

Posted by jake04-20@reddit | sysadmin | View on Reddit | 16 comments

In our AD environment we've always gone into each individual user and added the workstation they will be using under "Log On To..." under the "Account" tab in AD UC. This seems to work fine for end users being able to log into their workstations, but we've noticed some inconsistent behavior when granting log on using that method for vendors. We will get the message "The system administrator has limited the computers you can log on with" despite the workstation being listed in "Log On To..." list. Has anyone else encountered this? Is there somewhere I can view logs to get a better idea of why this is happening? I've checked Event viewer but it doesn't seem to log the log on attempt. Toggling it to "all computers" results in the log on working instantly. We've also had instances where the user account was set up and working using the "Log On To..." list, but then the account goes unused for some time. When the vendor goes back to use the account again, we're presented with the same issue.

Reply to Post

16 Comments

[-]

RCTID1975@reddit

> In our AD environment we've always gone into each individual user and added the workstation they will be using under "Log On To..." under the "Account" tab in AD UC. My first question here is....why? Why are you doing this? What problem are you trying to solve? Most people don't do this because there's no need

[-]

jake04-20@reddit (OP)

Sorry for duplicate comment but sometimes people don't catch edits. We also implemented it because some people would fat finger their computer name into RDP and sign in, creating a profile and confusing the actual user that should be using said computer.

[-]

RCTID1975@reddit

I see. Sounds like your previous folks created technical "solutions" to a people problem. Unfortunately, it's saddled you with overhead management debt with no real benefits.

[-]

jake04-20@reddit (OP)

That's a fair assessment, I will admit that. However it does actually work as intended quite well. I'm trying to picture the alternative approach to this. Manually adding remote desktop groups to PCs? Security filtering GPOs very granularly? There is always user training which is just about the last option I'd voluntarily take on lol. I suppose we could leave it in place for users and just ignore the need for it with vendors since they don't have any GPOs that would grant them access in a similar way to what we have set up for employees.

[-]

RCTID1975@reddit

Let's back up here and let me ask this again: What problem are you trying to solve?

[-]

jake04-20@reddit (OP)

I'm trying to understand why I get an error message when trying to to RDP to a particular server when the server hostname exists in the "log on to" workstation list. Toggling to all computers fixes the problem immediately. Behavior is seemingly random. I can try a different server from the same OU without issues for example.

[-]

RCTID1975@reddit

Sorry, maybe I wasn't clear. What problem are you trying to solve by setting the "log onto" option?

[-]

jake04-20@reddit (OP)

Copying from another comment on this post: [The users are a] part of a security group that is granted remote desktop access to computers in their respective department/OU via GPO. It confuses other users because many of our users don't even pay attention to their username at all and just type their password into the only text prompt that shows up on the login screen. After they've logged into a machine once, they don't have to ever enter a user name again unless they are changing it to log in as someone else. If someone else logs into their machine, that username changes and they don't even notice. So they spam their password into the prompt assuming they're fat fingering it every time when really they're trying to log into an account that isn't theirs. Then they get locked out per policy and put in a ticket. Essentially we grant RDP access department wide for users by adding a department specific security group to the remote desktop users group of all PCs in an OU, however we still want to control what workstations those users can log into. Imagine this: we have a security group called "Engineering RDP" and we put all engineers in that group. Then create a GPO to add the "Engineering RDP" security group to the local remote desktop users group. Log On to workstation list allowed us to just put their appropriate computer hostname in the list and have a little more granular control.

[-]

RCTID1975@reddit

copying from my other comment to you: Sounds like your previous folks created technical "solutions" to a people problem. Unfortunately, it's saddled you with overhead management debt with no real benefits. You can choose to keep dealing with this (that's never really worked well IMO), or fix your bad policies that never should've been in place to begin with. The overhead that this is causing is far greater than the occasional person logging into the wrong RDP session.

[-]

jake04-20@reddit (OP)

Out of genuine curiosity, what would you do instead to accomplish the same thing? Manually adding the user to their local remote desktop user group is not a valid answer.

[-]

RCTID1975@reddit

> what would you do instead to accomplish the same thing? Nothing, because I have zero need to restrict who logs into what computer. In fact, that goes against a lot of the principles of a directory service and centralized authentication. > Manually adding the user to their local remote desktop user group on their computer is not a valid answer. I'm confused. What does that have to do with your "log onto" issue?

[-]

jake04-20@reddit (OP)

>I have zero need to restrict who logs into what computer. That's a rather bizarre statement for someone in IT. But, good for you I guess? It causes us headaches and unless your users are free to use whatever workstation they feel like (?), I don't see why you wouldn't lock it down. We're going to continue to restrict who can log on to certain workstations. This isn't a computer lab in a school, users are assigned workstations. You know you could have saved us both the time and said you don't know the answer to the question, or just not comment at all? Seems like you just came here to argue or impose your superior opinion. >I'm confused. What does that have to do with your "log onto" issue? I'm confused, how do any of your comments address my original question?

[-]

RCTID1975@reddit

> unless your users are free to use whatever workstation they feel like (?), I don't see why you wouldn't lock it down Yes, that's correct. And that's normal. There's typically no need to lock a device to a user. > You know you could have saved us both the time and said you don't know the answer to the question, or just not comment at all? Seems like you just came here to argue or impose your superior opinion. It's not at all a superior opinion. It's a common configuration. part of the point of this community should be to force people to think differently about their environments and situations rather than just doing something "because that's the way we've always done it". Especially when that configuration is out of the norm and causing problems. > What was the purpose of you stopping by? Well, I thought (mistakenly I guess) that you were looking for help here and wouldn't get offended when someone asked why you were doing something. Anyway, Good luck

[-]

rthonpm@reddit

Unless your logins are generic, how are they confusing the user of the machine? You have a bigger issue to fix instead of trying to bandage it with group policy. First case in point if your users can RDP to any machine are they also administrators on every system?

[-]

jake04-20@reddit (OP)

No, they're part of a security group that is granted remote desktop access to computers in their respective department/OU. It confuses other users because many of our users don't even pay attention to their username at all and just type their password into the only text prompt that shows up on the login screen. After they've logged into a machine once, they don't have to ever enter a user name again. If someone else logs into their machine, that username changes and they don't even notice. So they spam their password into the prompt assuming they're fat fingering it every time when really they're trying to log into an account that isn't theirs. Then they get locked out per policy and put in a ticket. Look -- tbh if you don't know the answer to the question you can just say that and move along. I'm not really looking to get into a discussion or justify the way we're doing things. Unless there is an inherent security risk to the way we're doing it, the mgmt overhead of managing Log On To workstations is negligible and therefore I'm not too bothered to change it. I'm more or less curious about the inconsistent behavior.

[-]

jake04-20@reddit (OP)

Understood. It's a fair question, and tbh I don't have a great answer. When I started here long ago, that's how the previous tech director did it and I never took the time to sit back and ask why. It was easy enough for us to manage and it has the optics of adding another layer of security that I understand some/most will argue isn't necessary. When I hit this wall I usually just toggle it over to all computers and don't give it much thought beyond that. The problem solver within me is still bothered that it doesn't work consistently and I can't figure out why. I guess there is a minor element in the back of my head that thinks this somehow covers us in the event of bad permission config elsewhere, however unlikely that may be (I've checked it thoroughly, but I accept the possibility that I could have missed/overlooked something).