Windows Profiles on XA Server
  • 18 Apr 2023

Problem

Windows profiles are showing up in C:\Users of XA Server for users that do not have permission to log into the server.

Solution

There are two potential causes for this behavior. One is that EFS file encryption is turned on; the other is the “Impersonate a client after authentication” setting in secpol.msc on the XA server.

XA does not need user profiles on the server, so it should not be a cause of their creation.

Cause 1 - A file on the server is encrypted with EFS. Whenever a user accesses that file, Windows will create a user profile for that user even though they are not logging into the server and may not even have permission to log into the server.

  1. To locate any files on your server that are using this encryption method, run the command "cipher /u /n" from a command prompt. This will return any encrypted files.
  2. Remove EFS encryption from any files returned by the search command.

Cause 2 - The “Impersonate a client after authentication” permission is granted to the user group the XA users belong to. Adding this permission is a frequent recommendation when setting up XA. User profiles on the server are an unintended side effect that can occur.

  1. Open secpol.msc from a run box and navigate to Local Policies > User Rights Assignment.
  2. Open the properties of “Impersonate a client after authentication” and remove the user group that standard users would be a member of. This could be “Domain Users,” “XAUsers,” etc.

Cause 3 - "Allow log on locally" includes "Users" by default

In secpol.msc, check "Allow log on locally" under Local Policies > User Rights Assignment.

By default, the local group "Users" is listed here, and, also by default, "Domain Users" is a member of the local Users group.
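
The checks for all three causes can be run as one audit. The following is an added example, not part of the original article or any vendor tooling: it exports the local user rights with secedit, reports who holds the two rights discussed above (SeImpersonatePrivilege and SeInteractiveLogonRight are the Windows constant names for those policies), and reruns the article's cipher command. The scratch file name and the list of groups treated as "broad" are assumptions.

```powershell
# Added example. Run from an elevated PowerShell prompt on the XA server.
$cfg = Join-Path $env:TEMP 'xa-user-rights.inf'   # scratch file name is an assumption
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null

# Windows constant names for the two policies named in the article.
$rights = @{
    SeImpersonatePrivilege  = 'Impersonate a client after authentication'
    SeInteractiveLogonRight = 'Allow log on locally'
}

# Well-known SIDs treated as "broad" here (assumption): Everyone, Authenticated Users, BUILTIN\Users.
# Site-specific groups such as "XAUsers" have to be recognised by name in the output.
$broad = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

$report = foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(\w+)\s*=\s*(.*)$' -and $rights.ContainsKey($Matches[1])) {
        $policy = $rights[$Matches[1]]
        foreach ($entry in ($Matches[2] -split ',')) {
            # secedit writes resolved accounts as *S-1-...; anything else is a plain name.
            $id = $entry.Trim().TrimStart('*')
            if (-not $id) { continue }
            $account = $id
            if ($id -like 'S-1-*') {
                try {
                    $sid = [Security.Principal.SecurityIdentifier]$id
                    $account = $sid.Translate([Security.Principal.NTAccount]).Value
                } catch { }   # unresolvable SID (e.g. deleted account): keep the raw SID
            }
            # RID 513 is Domain Users in any domain.
            $isBroad = ($id -in $broad) -or ($id -like 'S-1-5-21-*-513')
            [pscustomobject]@{ Policy = $policy; Account = $account; Sid = $id; Broad = $isBroad }
        }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
$report | Sort-Object Policy, Account | Format-Table -AutoSize

# Cause 1: list EFS-encrypted files on local drives, as in the article.
cipher /u /n
```

Rows with Broad = True for either policy are the assignments that Cause 2 and Cause 3 describe.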


