Knowledge Base

Support Policies

Windows User-profiles created on SecureAuth Server - Authenticated Desktop SSO (Windows Authentication) Users

SecureAuth IdP Version affected: All

 

Description:
On SecureAuth appliances which are configured for Desktop SSO (Windows Authentication), each user who changes their password will have a profile created on the appliance.

Cause:
This is a side effect of the Windows API used to enable SSO functionality on the appliance.

Resolution:

To resolve this issue a Local Group Policy must be modified on the SecureAuth appliance to restrict local logon privileges to administrative users only.

On the taskbar, click Start, point to Run, type mmc, and then click OK.

  1. Click Start, and then click Run.

  2. In the Open box, type Gpedit.msc, and then click OK.

  3. Navigate to Computer Configuration -> Windows Setting -> Security Settings -> Local Policies -> User Rights Assignment.

  4. Double-click the "Allow log On locally" policy and in the resulting window remove the entries "Backup Operators" and "Users". 

NOTE: Do not remove the administrative account from the "Allow Log on locally" policy or you could become locked out of the appliance!  

 

Disk space concerns

Once the "Allow log on locally policy" has been properly configured you can remove the extraneous user profiles from the appliance. Any user profile belonging to an administrator, SecureAuth0 or any other SecureAuth service account should not be deleted.

 

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.