5

For some of our users in AD, we have set the userWorkstations attribute to restrict access to other machines. But this is preventing those users from logging into web applications (around 50+) protected by Access Manager (in our case OpenAM).

One way to resolve this issue is to add the AD DC name to the list of allowed workstations for that user. But I am not sure about the security implications as a result of this change.

Is there a better way to approach this?

Karthik

1 Answer

2

If you add a domain controller to the list of Logon Workstations for a user account, you are saying that the specific account is not restricted, at the account level, from logging onto that DC. However, this does not bypass other security such as Allow log on locally or Allow log on through Remote Desktop Services. So, for example, if user jsmith's account has dc1 in Logon Workstations, this doesn't automatically mean that jsmith really can log onto dc1. It just means that the settings on the account do not prevent it.

One drawback of this scenario is that it is confusing: If an administrator looks at jsmith's list of Logon Workstations and sees a domain controller, he or she may wonder why this attribute is set on this account (particularly if the account is not noticeable as some kind of administrative account). Good system documentation can mitigate this confusion.

user132534
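The answer's second point is that a DC name in Logon Workstations is easy to overlook and should be documented. The following PowerShell audit is an added example, not code from either poster, that lists every account whose userWorkstations (LogonWorkstations) value names a domain controller, so such accounts can be reviewed against their documentation. It assumes the RSAT ActiveDirectory module is installed and the session runs as a domain user with read access to the directory; the sample account name jsmith and DC name dc1 come from the answer, all other names are illustrative.

```powershell
# Added example: find accounts that carry a domain controller in their
# LogonWorkstations (userWorkstations) list, so the choice can be documented
# or reverted. Assumes the RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory

function Get-AccountsWithDcInLogonWorkstations {
    # Short host names of every DC in the current domain, lower-cased for comparison;
    # userWorkstations stores NetBIOS-style names, e.g. "ws01,ws02,dc1"
    $dcNames = (Get-ADDomainController -Filter *).Name | ForEach-Object { $_.ToLower() }

    # Only accounts that have the attribute populated at all
    $users = Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations, Description

    foreach ($u in $users) {
        # The attribute is one comma-separated string; normalise it into a list
        $allowed = ($u.LogonWorkstations -split ',') |
            ForEach-Object { $_.Trim().ToLower() } |
            Where-Object { $_ }

        $dcHits = $allowed | Where-Object { $dcNames -contains $_ }
        if ($dcHits) {
            [PSCustomObject]@{
                SamAccountName    = $u.SamAccountName
                DCsInList         = ($dcHits -join ',')
                OtherWorkstations = (($allowed | Where-Object { $dcNames -notcontains $_ }) -join ',')
                Description       = $u.Description   # where the reason for the DC entry should be recorded
            }
        }
    }
}

# Usage: review the findings, then document (or remove) each DC entry.
# To grant or revoke the account-level allowance itself (the change the
# question proposes), the same attribute is set with Set-ADUser, e.g.:
#   Set-ADUser -Identity jsmith -LogonWorkstations 'ws01,dc1'
Get-AccountsWithDcInLogonWorkstations | Format-Table -AutoSize
```

Note that this only inspects the account attribute. Whether jsmith can actually sign in interactively on dc1 is still governed by the user rights assignment on the domain controllers (Allow log on locally, Allow log on through Remote Desktop Services), which this script does not change or evaluate.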