CCE-99668-6

Platform: cpe:/o:microsoft:windows_server_2019
Date: (C)2022-11-22   (M)2023-07-04



Determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the target computer. Validation of each request for a session ticket is optional because the extra step takes time and may slow network access to services. By default, this setting is enabled in the Default Domain Group Policy object (GPO). When this policy is enabled, the user requesting the session ticket must have the right to Log on locally (if the requested service is running on the same machine) or the right to Access this computer from the network (if the requested service is on a remote machine) in order to receive a session ticket. If the policy is disabled, this check is not performed.


Parameter:

[enable/disable]


Technical Mechanism:

Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy\Enforce user logon restrictions

CCSS Severity:

CCSS Score: 7.5
Exploit Score: 1.6
Impact Score: 5.9
Severity: HIGH
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CCSS Metrics:

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH

References:

Resource Id: SCAP Repo OVAL Definition
Reference: oval:org.secpod.oval:def:85623


OVAL (1):
oval:org.secpod.oval:def:85623

XCCDF (1):
xccdf_org.secpod_benchmark_general_Windows_2019

© SecPod Technologies