Enforce user logon restrictions (Windows)

Module: Active Directory

Supported Platforms: Windows 2000, Windows 2003, Windows 2008

This check reports a problem if this Kerberos Policy setting is not enabled. This check is intended to run only on domain controllers to produce results for specific domains.

The following table lists the error message for the check.

Table: Error message for Enforce user logon restrictions

Message String ID and Category

Platform and Message Numeric ID

Message Title and Description

Additional Information


Category: Policy Compliance

  • Windows 2000 (108136)

  • Windows 2003 (208136)

  • Windows 2008 (251136)

Title: User logon restrictions not enforced

Description:When user logon restrictions are not enforced, session tickets for services that users do not have the right to use may be granted to them. It is recommended that the Kerberos Policy value for "Enforce user logon restrictions" be set to "Enabled".

Severity: yellow-2

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]