
Appliances configured for SSO have user profiles for authenticated users

Symptom

On SecureAuth appliances that are configured for SSO, a profile is created on the appliance for each user who changes their password.

Cause

This is a side effect of the Windows API used to enable SSO functionality on the appliance.

Resolution

To resolve this issue, a Local Group Policy must be modified on the SecureAuth appliance to restrict local logon privileges to administrative users only.

On the taskbar, click Start, point to Run, type mmc, and then click OK.

  1. Click Start, and then click Run.

  2. In the Open box, type Gpedit.msc, and then click OK.

  3. Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.

  4. Double-click the "Allow log on locally" policy and, in the resulting window, remove the entries "Backup Operators" and "Users".

Note

Do not remove the administrative account from the "Allow log on locally" policy, or you could become locked out of the appliance!

Disk space concerns

Once the "Allow log on locally" policy has been properly configured, you can remove the extraneous user profiles from the appliance. Do not delete any user profile belonging to an administrator, SecureAuth0, or any other SecureAuth service account.
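
The following read-only check is an added example, not a SecureAuth-supplied script. It confirms the policy change and lists which profiles are candidates for removal. It assumes an elevated Windows PowerShell 5.1 session on the appliance; `$keepNames` is a hypothetical list that you extend with your own SecureAuth service account names.

```powershell
# Added example: reads settings only, changes and deletes nothing.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# SeInteractiveLogonRight is the privilege behind "Allow log on locally".
$line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue
if (-not $line) { throw 'SeInteractiveLogonRight not found in the secedit export' }
$holders = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }

# Well-known SIDs: Administrators, Users, Backup Operators.
$admins = 'S-1-5-32-544'; $users = 'S-1-5-32-545'; $backupOps = 'S-1-5-32-551'
if ($holders -notcontains $admins) {
    Write-Warning 'Administrators group not listed; confirm an administrative account still is'
}
foreach ($sid in $users, $backupOps) {
    if ($holders -contains $sid) { Write-Warning "$sid still holds Allow log on locally" }
}

# Profiles to keep: direct members of local Administrators, plus names in $keepNames.
# Assumption: administrators who are members only through a nested domain group
# are not detected here and must be reviewed by hand.
$keepNames = @('SecureAuth0')
$keepSids  = @(Get-LocalGroupMember -SID $admins | ForEach-Object { $_.SID.Value })

Get-CimInstance Win32_UserProfile | Where-Object { -not $_.Special } | ForEach-Object {
    $p = $_
    $name = try {
        ([Security.Principal.SecurityIdentifier]$p.SID).Translate(
            [Security.Principal.NTAccount]).Value
    } catch { '(unresolved)' }
    $keep = ($keepSids -contains $p.SID) -or ($keepNames -contains ($name -split '\\')[-1])
    [pscustomobject]@{
        Account = $name
        Path    = $p.LocalPath
        Loaded  = $p.Loaded
        LastUse = $p.LastUseTime
        Review  = if ($keep) { 'keep' } else { 'candidate' }
    }
} | Sort-Object Review, LastUse | Format-Table -AutoSize
```

Rows marked `candidate` still need a manual check against your list of service accounts before any profile is removed.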