SecureAuth IdP Version affected: All
On SecureAuth appliances which are configured for Desktop SSO (Windows Authentication), each user who changes their password will have a profile created on the appliance.
This is a side effect of the Windows API used to enable SSO functionality on the appliance.
To resolve this issue a Local Group Policy must be modified on the SecureAuth appliance to restrict local logon privileges to administrative users only.
On the taskbar, click Start, point to Run, type mmc, and then click OK.
- Click Start, and then click Run.
- In the Open box, type Gpedit.msc, and then click OK.
- Navigate to Computer Configuration -> Windows Setting -> Security Settings -> Local Policies -> User Rights Assignment.
- Double-click the "Allow log On locally" policy and in the resulting window remove the entries "Backup Operators" and "Users".
Disk space concerns
Once the "Allow log on locally policy" has been properly configured you can remove the extraneous user profiles from the appliance. Any user profile belonging to an administrator, SecureAuth0 or any other SecureAuth service account should not be deleted.