Problem:
Unable to log in to the ProfileUnity console in more secure environments
Symptoms:
We run the ProfileUnity console service as a system-level service; from there, we use administrative impersonation of the account logging in to access resources.
The potential problem is that impersonation requires the “Allow log on locally” user right.
If this right is removed from accounts on the ProfileUnity server, users won't be able to log in to the ProfileUnity console.
Possible Resolution:
The ProfileUnity console service account needs the “Allow log on locally” user right, and so does the user logging in. In some environments you can add the accounts to the local Administrators group to get the “Allow log on locally” user right back for both.
You can also grant the right via either a domain GPO or a local GPO on the ProfileUnity console.
Currently, the suggested workaround is either GPO modification or adding the accounts to the local Administrators group.
In addition, if you are using ProfileUnity as a Service or have enabled CAC authentication on the ProfileUnity console, those accounts need the right to log on locally.
This will be addressed in a future release of ProfileUnity.
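To check which accounts hold the right on the ProfileUnity server before or after changing the GPO, the following PowerShell is an added example (not part of the original article or the product). It assumes an elevated prompt on the server, uses the built-in secedit.exe to export the user rights assignment, and the temp file name is arbitrary; it also lists “Deny log on locally”, because a deny entry overrides an allow entry.

```powershell
# Added example: list who holds "Allow log on locally" (SeInteractiveLogonRight)
# and "Deny log on locally" (SeDenyInteractiveLogonRight) on this server.
# Run from an elevated PowerShell prompt on the ProfileUnity console server.
function Get-UserRightHolders {
    param(
        [Parameter(Mandatory)] [string] $InfPath,   # file written by secedit /export
        [Parameter(Mandatory)] [string] $Right      # privilege constant, e.g. SeInteractiveLogonRight
    )
    # Anchor at line start so SeRemoteInteractiveLogonRight etc. do not match.
    $line = Get-Content -Path $InfPath | Where-Object { $_ -match "^\s*$Right\s*=" }
    if (-not $line) { return @() }                  # right is not assigned to anyone
    ($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Entries prefixed with * are SIDs; resolve them to account names.
            $sid = $entry.Substring(1)
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $sid                                # unresolvable SID: show it as-is
            }
        } elseif ($entry) {
            $entry                                  # already stored as a name
        }
    }
}

$inf = Join-Path $env:TEMP 'user-rights.inf'        # arbitrary temp file name
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

$allow = Get-UserRightHolders -InfPath $inf -Right 'SeInteractiveLogonRight'
$deny  = Get-UserRightHolders -InfPath $inf -Right 'SeDenyInteractiveLogonRight'
Remove-Item -Path $inf

'Allow log on locally:'; $allow | ForEach-Object { "  $_" }
'Deny log on locally:';  $deny  | ForEach-Object { "  $_" }
```

The service account and each console user must appear in the allow list, either directly or through a listed group, and must not be covered by the deny list.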
Additional Resources:
https://technet.microsoft.com/en-us/library/ee957044(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/dn221980(v=ws.11).aspx
Product: ProfileUnity
Product Version: 6.5.x