Enforce user logon restrictions
Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy
Determines whether the Kerberos V5 Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the target computer. Validation of each request for a session ticket is optional, because the extra step takes time and it may slow network access to services.
When this policy is enabled, the user who requests the session ticket must have the right to Log on locally (if the requested service is running on the same computer) or the right to Access this computer from the network (if the requested service is on a remote computer) to receive a session ticket. If this policy is disabled, the check is not performed.
For more information, see: