Enforce user logon restrictions (Windows)

Module: Active Directory

Supported Platforms: Windows 2000, Windows 2003, Windows 2008

This check reports a problem if this Kerberos Policy setting is not enabled. This check is intended to run only on domain controllers to produce results for specific domains.

The following table lists the error message for the check.

Table: Error message for Enforce user logon restrictions

Message String ID and Category:
  String ID: ESM_LOG_RESTRICT_DISABLED
  Category: Policy Compliance

Platform and Message Numeric ID:
  • Windows 2000 (108136)
  • Windows 2003 (208136)
  • Windows 2008 (251136)

Message Title and Description:
  Title: User logon restrictions not enforced
  Description: When user logon restrictions are not enforced, session tickets for services that users do not have the right to use may be granted to them. It is recommended that the Kerberos Policy value for "Enforce user logon restrictions" be set to "Enabled".

Additional Information:
  Severity: yellow-2
  Correctable: false
  Snapshot Updatable: false
  Template Updatable: false
  Information Field Format: [%s]
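
The same test can be run by hand against a security template. The Python below is an added example, not part of the original check documentation or the product's code. It assumes the setting is stored as `TicketValidateClient` under `[Kerberos Policy]`, as in a domain GPO's GptTmpl.inf; the sample template and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of a GptTmpl.inf security template.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Assumption: "Enforce user logon restrictions" maps to this section and key.
SECTION = "kerberos policy"
KEY = "ticketvalidateclient"


def parse_inf(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INF comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections


def check_logon_restrictions(text):
    """Return 'enabled', 'disabled' or 'not_defined' for the template text."""
    value = parse_inf(text).get(SECTION, {}).get(KEY)
    if value is None:
        return "not_defined"  # this template does not configure the setting
    return "enabled" if value == "1" else "disabled"


if __name__ == "__main__":
    print("Enforce user logon restrictions:", check_logon_restrictions(SAMPLE_INF))
```

A `not_defined` result means the template does not configure the value, so the effective setting has to be read from the policy that does.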