Lately I've noticed that most of the child domain user accounts in the forest, at the place I work, have domain controllers in the list of userWorkstations.

I can't really think of why it has been done. Well, maybe RemoteApp, or it's a security concern, or a credential pass for an SSO application? Could anyone please explain to me why this could have been done?

https://msdn.microsoft.com/en-us/library/ms680868(v=vs.85).aspx

User-Workstations attribute: Contains the NetBIOS or DNS names of the computers running Windows NT Workstation or Windows 2000 Professional from which the user can log on. Each NetBIOS name is separated by a comma. Multiple names should be separated by commas.

Kirill Pashkov

2 Answers

That attribute is populated when you populate the "Logon To" in the properties of the user account. Why that was done in your environment is a question for the person who did it.

joeqwerty
  • Yeah, I know that. I just really can't find a fitting reason why it has been done; a guy from work claims it works to authenticate via some system where there are tons of them (over 100). Thanks anyway. – Kirill Pashkov Sep 02 '16 at 06:42
  • OK, I'm not sure why you'd think that we would know why it was done. – joeqwerty Sep 02 '16 at 13:47

Late answer, but it might help. Please check this: https://discourse.igniterealtime.org/t/openfire-3-7-1-ldap-authentication-failed/57663/4 In this case, if you add the name of the DC to this option, then it allows logon to Openfire under a domain account which already has the User-Workstations attribute configured. Without adding the DC name it won't work.

And for example this:

https://security.stackexchange.com/questions/101658/userworkstations-attribute-in-ad-preventing-users-from-logging-into-webapp

Trav Erse
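
An audit of the situation discussed in this thread, as an added example that is not part of any poster's answer: it lists every account in the forest that has a "Log On To" (userWorkstations) restriction and shows which of those entries are domain controllers. It assumes the RSAT ActiveDirectory module and read access to every domain in the forest; the report column names are made up for this example.

```powershell
# Added example: audit userWorkstations ("Log On To") restrictions forest-wide.
# Assumes the RSAT ActiveDirectory module and read access to each domain.
Import-Module ActiveDirectory

$domains = (Get-ADForest).Domains

# Collect the short name and DNS host name of every DC in every domain,
# because the attribute may hold either form.
$dcNames = foreach ($d in $domains) {
    Get-ADDomainController -Filter * -Server $d |
        ForEach-Object { $_.Name; $_.HostName }
}
$dcNames = @($dcNames | Where-Object { $_ } |
    ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)

$report = foreach ($d in $domains) {
    # Only accounts where the attribute is populated.
    $users = Get-ADUser -LDAPFilter '(userWorkstations=*)' `
        -Properties userWorkstations -Server $d

    foreach ($u in $users) {
        # The attribute is one comma-separated string; normalise each entry.
        $allowed = @($u.userWorkstations -split ',' |
            ForEach-Object { $_.Trim().ToLowerInvariant() } |
            Where-Object { $_ })

        $listedDcs = @($allowed | Where-Object { $dcNames -contains $_ })

        [pscustomobject]@{
            Domain         = $d
            SamAccountName = $u.SamAccountName
            AllowedCount   = $allowed.Count
            ListsADc       = $listedDcs.Count -gt 0
            DcEntries      = $listedDcs -join ','
        }
    }
}

# Accounts with no DC entry sort first; per the answer above, those are the
# ones whose logon through an LDAP-authenticating application would fail.
$report | Sort-Object ListsADc, Domain, SamAccountName | Format-Table -AutoSize
```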