NLA (Network Level Authentication)

Hi,

When a user has a some Log On To restrictions to limit the hosts he can log on to, the "client" computer must also be allowed. Because of NLA and because a  pre-authentication is done on the client side.

So far, so good.

But there one exception : Thin-clients.

Our DELL-Wyse have NLA enabled. They are never listed in the "Log On To".

Yet, opening a Remote Desktop by a user who has hosts restriction is possible. 

So, why connections form thin-clients are allowed ?

(On the hosts side, the GPO "Require user authentication for remote connections by using Network Level Authentication" is enabled. Logging from a Windows computer not part of the white list is not possible, as expected).