Granting some users log on locally
I happen to administer a product from Microsoft called SQL Server Reporting Services.
One of the features of SSRS is that it allows users to store their credentials so that they can be used to execute the reports.
The problem is that in order to store the credentials, the credential must be granted "Log on locally" permission.
more details here
http://social.msdn.microsoft.com/Forums/en-US/sqlreportingservices/thread/198d2dd1-0faa-4514-b6e3-7ca5ea11c48a
Obviously this is a huge concern for me as an admin because now for all people who want to define a data source with stored credentials, they need to be granted "Log on locally" permission.
My questions is
1. If a user is granted log on locally permission. what can they do on the server?
a. can they remotely login
b. can they use powershell to do remoting
c. any other form of remote access?
b. any ability to program against the server
Also,
2. How can I minimize the effect of this permission? is it possible for me to grant this permission just so that the credential can be stored on the server but practically the user is not able to do anything with the server apart from the creation of data
source?
MSDNStudent Knows not much!
June 14th, 2012 4:22pm
Hi,
Grant a Member the Right to Logon Locally is to grant a user account the ability to log on locally.
For remote desktop, please refer the following policy setting:
Allow log on through Terminal Services
http://technet.microsoft.com/en-us/library/cc758613(v=WS.10).aspx
All Group Policy Settings for Remote Desktop Services in Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/ee791756(v=WS.10).aspx
Hope this helps!
Best Regards
Elytis Cheng Elytis Cheng
TechNet Community Support
Free Windows Admin Tool Kit Click here and download it now
June 14th, 2012 10:52pm
what about the ability to programmatically access some resources ... is that enhanced because of log on locally?MSDNStudent Knows not much!
June 15th, 2012 2:30am