Windows User-profiles created on SecureAuth Server - Authenticated Desktop SSO (Windows Authentication) Users

    Applies to:
  • Legacy SecureAuth IdP
Deployment model:
  • On Premises
  • SecureAuth IdP Version affected: All


    On SecureAuth appliances which are configured for Desktop SSO (Windows Authentication), each user who changes their password will have a profile created on the appliance.

    This is a side effect of the Windows API used to enable SSO functionality on the appliance.


    To resolve this issue a Local Group Policy must be modified on the SecureAuth appliance to restrict local logon privileges to administrative users only.

    On the taskbar, click Start, point to Run, type mmc, and then click OK.

    1. Click Start, and then click Run.

    2. In the Open box, type Gpedit.msc, and then click OK.

    3. Navigate to Computer Configuration -> Windows Setting -> Security Settings -> Local Policies -> User Rights Assignment.

    4. Double-click the "Allow log On locally" policy and in the resulting window remove the entries "Backup Operators" and "Users". 

    NOTE: Do not remove the administrative account from the "Allow Log on locally" policy or you could become locked out of the appliance!  


    Disk space concerns

    Once the "Allow log on locally policy" has been properly configured you can remove the extraneous user profiles from the appliance. Any user profile belonging to an administrator, SecureAuth0 or any other SecureAuth service account should not be deleted.


    0 out of 0 found this helpful



    Please sign in to leave a comment.