
How to Prevent/Allow Log on Locally via GPO?

Local security settings in Windows let you allow or deny local (interactive) logon for users on computers. In this article, we’ll take a look at how to manage local logon permissions on Windows 10 and Windows Server 2019.

By default, Windows 10 and Windows Server 2019 allow users who are members of the following local Active Directory groups to log on locally:

  • Administrators;
  • Backup Operators;

If the server is promoted to an Active Directory domain controller, then the list of groups with local logon permissions is changed. The user is not allowed to log on to the AD domain controller console:

  • Account Operators;
  • Print Operators;
  • Server Operators.

You can view the current list of groups with local logon permissions through the local Group Policy.

  • Run the Local Group Policy Editor (gpedit.msc);
  • Go to the following GPO section: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment;

With this policy, you can add or remove user groups (or personal user accounts) that are allowed to log on locally. For example, if you remove the local Users group from this policy, then your users will not be allowed to log in interactively to this device.

Hint. Users can still log on remotely through Remote Desktop Services if this group is added to the local policy Allow logon through Remote Desktop Services in the same GPO section.

After changing the policy settings, it is not necessary to reboot the computer. Changes to the user rights assignment of accounts will be applied when the user logs on to Windows.

In the same section of the GPO, there is another Deny log on locally policy, which allows you to forcibly deny interactive logons to users. It is empty by default. You can manually add users or groups to this policy that are not allowed to log on to this computer interactively. Note that the Deny log on locally policy has a higher priority than the Allow log on locally policy.


If the user does not have permission to log on locally, the following message will appear after they enter the password at logon:

The sign in method you’re trying to use isn’t allowed. For more info, contact your network administrator.


Always try to configure logon policies so that only legitimate users can log on to the device console. For security reasons, prevent service accounts from logging on locally to computers in your organization.
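To check the combined result of the Allow and Deny policies on a machine, the effective assignments can be read back with secedit. The following PowerShell is an added example, not code from the article; the function names, the sample INF text and the svc_backup account are constructed, and a live export needs an elevated session.

```powershell
# Added example: report who holds the local-logon rights on this computer.
# SeInteractiveLogonRight     = Allow log on locally
# SeDenyInteractiveLogonRight = Deny log on locally (takes priority over Allow)

function ConvertFrom-UserRightsInf {
    # Parses the [Privilege Rights] section of a secedit export into a hashtable:
    # right name -> array of principals (SIDs with the leading '*' removed).
    param([Parameter(Mandatory = $true)][string[]]$Lines)

    $rights = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return $rights
}

function Resolve-Principal {
    # Turns a SID into DOMAIN\name where possible; names are returned unchanged.
    param([string]$Value)
    if ($Value -notmatch '^S-1-') { return $Value }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Value)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return "$Value (unresolved)"
    }
}

function Get-LocalLogonRight {
    # With no input, exports the live policy; pass -InfLines to analyse a saved export.
    param([string[]]$InfLines)

    if (-not $InfLines) {
        $tmp = Join-Path $env:TEMP ('userrights-{0}.inf' -f [guid]::NewGuid())
        try {
            secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
            if ($LASTEXITCODE -ne 0) { throw 'secedit export failed (run elevated)' }
            $InfLines = Get-Content -Path $tmp
        } finally {
            Remove-Item -Path $tmp -Force -ErrorAction SilentlyContinue
        }
    }
    $rights = ConvertFrom-UserRightsInf -Lines $InfLines
    $allow  = @($rights['SeInteractiveLogonRight']     | Where-Object { $_ })
    $deny   = @($rights['SeDenyInteractiveLogonRight'] | Where-Object { $_ })

    foreach ($p in $allow) {
        # Only direct entries are compared; membership of denied groups is not expanded.
        $note = ''
        if ($deny -contains $p) { $note = 'also listed in Deny log on locally: deny wins' }
        [pscustomobject]@{ Right = 'Allow log on locally'; Principal = (Resolve-Principal $p); Note = $note }
    }
    foreach ($p in $deny) {
        [pscustomobject]@{ Right = 'Deny log on locally'; Principal = (Resolve-Principal $p); Note = '' }
    }
}

# Constructed sample export (S-1-5-32-544 = Administrators, -551 = Backup Operators, -546 = Guests).
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,svc_backup
SeDenyInteractiveLogonRight = svc_backup,*S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Get-LocalLogonRight -InfLines $sampleInf | Format-Table -AutoSize
# Live system (elevated): Get-LocalLogonRight | Format-Table -AutoSize
```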


Cyril Kardashevsky

I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.


If you have DUO installed, this will block autologin.


All about Microsoft Intune

Peter blogs about Microsoft Intune, Microsoft Intune Suite, Windows Autopilot, Configuration Manager and more


Restricting the local log on to specific users

This week is about restricting the local logon on Windows devices to specific users. Not because it is something particularly new, but simply because it has been an ask every now and then. Think about further locking down a kiosk device, for example. Restricting the local logon can be achieved by either only allowing specific users to log on, or by denying specific users to log on. In other words, whitelisting versus blacklisting. The allow-option is basically a whitelist and the deny-option is basically a blacklist. When looking at restricting the local logon, a whitelist is the easiest method to quickly get really restrictive, as only the users on the list are allowed to log on locally. Luckily, nowadays there is an easy method for configuring such a whitelist with users that are allowed to log on locally on a Windows device. This post will provide some more details around that configuration, followed by the configuration steps. This post will end with showing the user experience.

Note : Keep in mind that this post is focussed on the local log on on Windows devices and not the remote log on.

Configuring the allow local log on setting

When looking at configuring the allow local log on configuration, the UserRights section in the Policy CSP is the place to look. That section contains many of the different policy settings of the User Rights Assignment Local Policies, including the Allow log on locally (AllowLocalLogOn) policy setting. That policy setting can be used to configure the users that are allowed to locally log on to the Windows device. Besides that, it’s also good to mention that with the latest Windows 11 Insider Preview Builds, this section of the Policy CSP is getting more and more policy settings. Nearly all of the User Rights Assignment Local Policies are now available for configuration, including Logon as a service, Logon as a batch job, and many more. Maybe even better, all of these available policy settings, including the new policy settings that are currently still in preview, are now configurable via the Settings Catalog profile (as shown below in Figure 1).


After becoming familiar with the available policy settings and the configuration profile, the configuration of those policy settings is pretty straightforward. The following eight steps walk through the creation of a Settings Catalog profile that contains the required setting to configure the local logon, by using the Allow log on locally policy setting.

  1. Open the Microsoft Intune admin center portal and navigate to Devices > Windows > Configuration profiles
  2. On the Windows | Configuration profiles blade, click Create profile
  3. On the Create a profile blade, provide the following information and click Create
      • Platform: Select Windows 10 and later to create a profile for Windows 10 and Windows 11 devices
      • Profile: Select Settings catalog to select the required setting from the catalog
  4. On the Basics page, provide the following information and click Next
      • Name: Provide a name for the profile to distinguish it from other similar profiles
      • Description: (Optional) Provide a description for the profile to further differentiate profiles
      • Platform: (Greyed out) Windows 10 and later
  5. On the Configuration settings page, as shown below in Figure 2, perform the following actions
      • Select User Rights as category
      • Select Allow Local Log On as setting
      • Specify the required users and local groups, all on separate lines, and click Next
  6. On the Scope tags page, configure the required scope tags and click Next
  7. On the Assignments page, configure the assignment and click Next
  8. On the Review + create page, verify the configuration and click Create

Note : As these settings are now configurable via the Settings Catalog , that also takes away the challenges with multiple entries. No need to manually specify a delimiter, as Microsoft Intune takes care of that.

Experiencing the user rights configuration

After configuring the users that are allowed to log on locally to the Windows device, it’s pretty straightforward to experience the behavior. Simply try to log on to that device with a user account that is not allowed to log on locally. That will provide an experience as shown below in Figure 3. The user will receive the notification that the sign-in method is not allowed. Besides that, it’s also important to be familiar with the side effects of this configuration. The most important side effect is the impact on the self-service capabilities, like self-service PIN reset and self-service password reset. That’s simply because those capabilities rely on the temporary account defaultuser1 and that account won’t be able to log in, as only the specified users are allowed to locally log on to the Windows device. That experience is shown below in Figure 4. The user will either receive the status message of 0xc000015b, or will simply be switched back to the logon screen.

Note : The failed log on information is registered in the Security log in the Event Viewer with Event ID 4625 .
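Event ID 4625 and the status 0xc000015b are enough to pick these rejections out of the Security log and to see which accounts, such as defaultuser1, are affected. The following PowerShell is an added example, not code from this post; the function name Get-LogonTypeDenied and the sample events are constructed, and reading the live log requires an elevated session.

```powershell
# Added example: list failed sign-ins that were rejected because the account
# does not hold the user right for the requested logon type.
# 0xC000015B is the status quoted in the post (STATUS_LOGON_TYPE_NOT_GRANTED).

function Get-LogonTypeDenied {
    param(
        # Event XML strings. When omitted, the local Security log is read.
        [string[]]$EventXml,
        [int]$MaxEvents = 500
    )
    if (-not $EventXml) {
        $EventXml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
                        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
                    ForEach-Object { $_.ToXml() }
    }
    foreach ($xml in $EventXml) {
        $evt = ([xml]$xml).Event
        # Flatten <Data Name="...">value</Data> into a lookup table.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['Status'] -ne '0xc000015b') { continue }   # other failure reasons are skipped

        $logonType = [int]$data['LogonType']
        [pscustomobject]@{
            TimeCreated = [datetime]$evt.System.TimeCreated.SystemTime
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = $logonType
            # 2 = interactive (console), 11 = cached interactive
            LocalLogon  = ($logonType -in 2, 11)
            Workstation = $data['WorkstationName']
        }
    }
}

# Constructed sample events: one local-logon rejection and one ordinary bad password.
$denied = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2024-01-15T08:15:42.000Z" /></System>
  <EventData>
    <Data Name="TargetUserName">defaultuser1</Data>
    <Data Name="TargetDomainName">KIOSK-01</Data>
    <Data Name="Status">0xc000015b</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="WorkstationName">KIOSK-01</Data>
  </EventData>
</Event>
'@
$badPassword = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2024-01-15T08:16:10.000Z" /></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="WorkstationName">KIOSK-01</Data>
  </EventData>
</Event>
'@

# Only the defaultuser1 event is returned for the sample input.
Get-LogonTypeDenied -EventXml $denied, $badPassword | Format-Table -AutoSize

# Live system (elevated), grouped per account:
#   Get-LogonTypeDenied | Group-Object Account | Sort-Object Count -Descending
```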

More information

For more information about the user rights configuration options, refer to the following docs.

  • UserRights Policy CSP – Windows Client Management | Microsoft Learn
  • Self-service password reset for Windows devices – Microsoft Entra | Microsoft Learn


32 thoughts on “Restricting the local log on to specific users”

I’d like to contribute to this.

This method does not inherently allow you to specify an EntraID group of users that you wish to deny local logon (at least it didn’t use to); however, I’ve found that if you use “account protection” policies to populate the local group “Guests” with users from an EntraID group, you can use the above stated policy to in effect achieve deny local logon for an EntraID group of users. (Via denying the local group “Guests” as stated in your blog)

I use this in production, works well

Thank you for that suggestion, Temilit. Regards, Peter

I have not been able to replicate this. I followed inthecloud247’s blog post on this, but the only SID I was able to add to the Guests local group was the SID of an AAD directory role, and not one of an AAD security group.

Which version of Windows are you using? Regards, Peter


Can you use an AAD group here?

Not at this moment, Henrik. Regards, Peter

Is there currently a way to restrict interactive log in but allow elevation log in prompts? I would like to prevent Intune Admins from logging in locally but still allow elevation for installs/CMD.

Not sure you can achieve that with this policy, but I haven’t looked really deep in that use case yet. Regards, Peter


Is there a way to specify an EntraID security group with this settings?

Hi Yoni, The last time I tried that was not possible yet. Regards, Peter

Is there a way sign in KioskUser0 automatically using User Rights?

Hi Mo, Can you provide some more details about what you’re trying to achieve? Regards, Peter

We have deployed a Self-Deploy AutoPilot profile plus a Kiosk Configuration Profile for single app and then assigned it to a dynamic device group. The Self-Deploy AutoPilot process completes without any issues and the Kiosk policy is applied to the device. However, KioskUser0 should log on automatically after the Self-Deploy AutoPilot process completes, but it’s not logging on automatically.

Any thought why KioskUser0 not auto logging automatically?

Hi Mo, That can be many things, but something I often see is the device lock configuration that is interfering. Regards, Peter

Hello Peter,

We have Azure AD Joined devices in our environment which are migrated from source tenant to target tenant as part of a carve out project. Recently we observed that post autopilot build completion, when users tried to sign in to the device they were prompted with the error Sign in method not allowed. However, if we tried to log in to the device with local admins then it allows.

Standard users not allowed to login, we do have AllowLocallyLogIn baseline policy deployed by security team but it contains Administrators and Users group both. Does on Azure AD joined devices this policy really gets validated when users trying to sign in with UPN ?

This issue is not for all users, but 10% of users are facing it. As a workaround, when we reimported the hash of their device again and reimaged the device, then sign in was allowed (bit strange).

Do you have any idea on this then please give some direction.

Hi Suraj, How did you migrate the devices from source tenant to the target tenant? Regards, Peter

I am seeing something similar for new devices. Again, not all, only a subset. Quite often, the user can happily use the device for a period (a few days), then this occurs. Logging onto the device locally, I am seeing the Allow Logon Locally being blank. Very odd. This is using Windows 11 23H2.

Hi Shaun, When that happens, do you see anything about (other) policies being applied and/or change? Regards, Peter

We have the same case, did you resolve it?

I tried to do the restriction as in your procedure, but I got the error 65000 in intune. Since then, it has been impossible to connect with ALL the accounts on the computer. Do you have a solution to go back?

Hi Simon, In that case, you should apply a counter policy with the default configuration. Regards, Peter

Hello, What do you mean when you say “you should apply a counter policy with the default configuration” ? Can you post a screenshot ?

Regards Olivier

Hi Olivier, I mean that you should configure the same policy, but with the default configuration that is available on the devices within your environment. Regards, Peter

I’ve had a similar issue. What would the correct counter policy be to reset the default logon configuration or do you have an article that details that?

Hi Mike, Easiest is to check a different device and see what the default configuration is. Regards, Peter

I know this has been a bit since you created this article, but have you been able to automate the AllowLocalLogOn to only the primary user?

I’ve been looking into this myself, but I don’t seem to be able to automate it via policy. The only way seems to be script based?

That is correct. If you want to match it with the primary user, you would need to use some custom scripting. Regards, Peter

Is there a way to rollback this policy once implemented?

Hi Ninad, You can always counter the policy by configuring the original values. Regards, Peter


Allow logon locally option grayed out

We have a Domain Controller running on windows2012R2.

All local computers are on Windows10.

When I try to log in to one of the client computers with Domain User Credentials I get an error.

What could be the issue?

I tried to add users to the "Allow log on locally" policy on the local computer with a local admin login, but I'm unable to add users or groups.

Is there any work around?

please suggest.

  • group-policy


  • Probably UAC; use "Run as administrator" to launch the policy editor. Anyway, there already is "Everyone" listed... you can't really add much more. –  Massimo Commented Apr 4, 2016 at 19:17
  • i tried running with administrator even , no Luck. . if this is not the solution, what could be the issue "The sign in method . . . . " :/ –  Uday Sriramadas Commented Apr 4, 2016 at 19:22
  • 1 Seems like a user/computer GPO setting more than a local computer. Might want to check the GPO settings on the server more than on the local computer. –  Naryna Commented Apr 4, 2016 at 19:22
  • May be , Do you have any idea which GPO may cause this thing? #Brandyn –  Uday Sriramadas Commented Apr 4, 2016 at 19:26
  • You can use gpresult to find what GPOs are applied to the computer. –  Massimo Commented Apr 4, 2016 at 19:28

You need to manage this element via Group Policy Management. Czerw11 did a good write up of the process of using Group Policy Management to update this on your domain controllers via the Default Domain Controller Policy, you can extend this to your client policy as well.

https://czerwsup.wordpress.com/2014/11/05/allow-log-on-locally-add-new-user-greyed-out-fix-via-domain-controller-policy-settings/

Summary Steps:

  • Admin Tools
  • Group Policy Management
  • Navigate through your domain to Default Domain Policy in your case (not Default Domain Controllers Policy as in the example)

To improve this answer, the best practice is to not edit the Default Domain Controllers Policy, but to create a GPO with these policies changes and assign it to the narrowest OU you need to affect the servers. If you edit the Default Policies you remove all of the default permissions.

  • Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies
  • User Rights Assignment
  • Double Click on Allow Log On Locally and add your users


MorganTechSpace

Set Allow Log On Locally User Rights via Powershell, C# and CMD

Description:

In this article, I am going to explain how to set or configure the Allow log on locally user right/permission/privilege using Local Security Policy, Powershell, C# and the command line tool.

Configure Allow log on locally user rights via Local Security Policy GUI

  • Grant Allow log on locally user rights via Powershell
  • Set Allow log on locally user rights via Command Line
  • Set Allow log on locally user permission using C#

Follow the below steps to set Allow log on locally user rights via Local Security Policy

1. Open the Run window by pressing the ‘Windows’ + ‘R’ keys.

2. Type the command secpol.msc in the text box and click OK.

3. Now the Local Security Policy window will open. In that window, navigate to the node User Rights Assignment (Security Settings -> Local Policies -> User Rights Assignment). In the right side pane, search for and select the policy Allow log on locally.

4. Double-click on the policy Allow log on locally , in the opened window click the button Add User or Group, select the user account you want to set Allow log on locally rights and click OK, and click Apply button to finish.


Set or Grant Allow log on locally user rights via Powershell

We can set the Allow log on locally user rights using Powershell by importing the third party DLL (Carbon). Before you run the below script you need to download the latest Carbon files.

Steps to follow to set Allow log on locally user rights  via Powershell  :

  1. Download the latest Carbon files.
  2. Once you have downloaded the files, extract the zip file and you will see the Carbon DLL inside the bin folder (in my case: C:\Users\Administrator\Downloads\Carbon\bin\Carbon.dll).
  3. Copy the below Powershell script commands and place them in Notepad or a text file.
  4. Now you can replace your Carbon DLL path in the following script for the variable $CarbonDllPath
  5. You can also replace the user identity that you are going to set log on locally user rights for in the variable $Identity
  6. Now run a Powershell window with Admin Privilege (Run as Administrator)
  7. Copy the edited Powershell script and run it in Powershell to configure Allow log on locally user rights.

Powershell output :


Other web site links for Carbon DLL:

  • https://bitbucket.org/splatteredbits/carbon/downloads
  • http://pshdo.com/
  • http://get-carbon.org/help/Grant-Privilege.html

Set Allow log on locally user right via Command Line tool

You can use the NTRights.exe utility to grant or deny user rights to users and groups from a command line or a batch file. The NTRights.exe utility is included in the Windows NT Server 4.0 Resource Kit Supplement 3. Use the below command to set log on locally user right using cmd.

Refer: http://support.microsoft.com/kb/266280

Set Log on Locally user right

Revoke Log on Locally user right

Set or Grant Allow Log on locally right/permission to user using C#

You can use the below function GrantLogonLocallyRights to set log on locally rights to user using C# code. This function uses the class LsaWrapper.

LsaWrapper class file


Active Directory Pro

Restrict User Logon to Specific Computers


In this article, you will learn how to restrict a user’s logon to specific computers.

There are multiple ways to limit which computers a user can log on to. I’ll show you multiple examples and which policy settings to use.

Topics in this article:

  • How User Logon Restrictions work
  • Example 1. Restrict user logon to a specific computer
  • Example 2. Bulk edit Log On To field in Active Directory
  • Example 3. Restrict a group of users from logon on to certain computers
  • Example 4. Limit computers logon to specific users

How User Logon Restrictions work

By default, a domain user can log on to all domain computers. You can manage which computers a user can log on to with the following settings:

  • Allow Log On Locally
  • Deny Log on Locally
  • The Active Directory Users Log On to settings

The local computers policy

Each computer has its own Local Computer Policy that is used to control various security settings such as allow or deny local logon.

When a user is added to Active Directory, they are automatically added to the Domain Users group. The Domain Users group is automatically added to the local users group on workstations when they are joined to Active Directory. Here is a breakdown of the process.

  • A user is added to Active Directory.
  • The user by default is added to the Domain Users group.
  • The domain computer has a local group called “Users”. By default the Domain Users group is a member of this group.
  • Administrators
  • Backup Operators
  • Users (Which contains the Domain Users group).


The Active Directory User Log On to

Each user account in Active Directory has a userWorkstations property that controls which computers the account can log on to. By default, it is set to all computers.

You can view this setting by clicking the account tab and clicking the Log On To button.


Now that you know how users are allowed to log on to all computers, let’s look at some ways to limit a user’s logon.

Example 1. Restrict user logon to a specific computer

In this example, I want to limit the user Albert Atkins to only have rights to log on to a specific computer (PC1). The best option for this is to use the Log On To settings in Active Directory Users and Computers.

Step 1 . Open the user account in Active Directory Users and Computers.

Step 2 . Click the Account Tab and then Log on To.


Step 3 . Enter the computer name in the field and click Add and then OK. You can add more than one computer.

Now when the user tries to logon to any computer besides PC1 they will be denied.

your account is configured to prevent you from using this pc

This method is easy when you need to limit a small group of computers. If you need to edit a large group of users then check out the next example.

Example 2. Bulk edit Log On To field in Active Directory

In this example, I want to modify the Log On To field for 100 users. Unfortunately, this is very limited with ADUC, so to make this easier I’ll use the AD Pro Toolkit.

Step 1 . Create a CSV file with two columns

  • ID = This is used to identify the accounts
  • userWorkstations = the computers you want to limit an account to log on to.

Step 2 . Modify CSV file

You can enter multiple computers by separating with a comma.


Step 3 . Run Bulk User Updater Tool

From the AD Pro Toolkit (Click on User Management > Bulk User Modification)

Next, select your csv template and click run.


All done. I just modified the log on to field for 100 users in just a few clicks of the mouse.
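The same bulk change can be made with the ActiveDirectory PowerShell module. This is an added example, not part of the AD Pro Toolkit or the original article; it assumes the RSAT ActiveDirectory module is installed and that the ID column holds sAMAccountName values, and the function name and sample rows are constructed.

```powershell
# Added example: set the "Log On To" list (userWorkstations) for many users from a CSV.
# Constructed sample CSV (quote the second column when it lists several computers):
#   ID,userWorkstations
#   albert.atkins,"PC1,PC2"
Import-Module ActiveDirectory

function Set-LogonWorkstationsFromCsv {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$CsvPath)

    foreach ($row in Import-Csv -Path $CsvPath) {
        $computers = @($row.userWorkstations -split ',' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($computers.Count -eq 0) {
            # Nothing to set: report it as an input error instead of guessing.
            Write-Warning "$($row.ID): no computers listed, skipped"
            continue
        }
        # A misspelled name would restrict the user to a computer that does not exist,
        # so require every entry to match a computer object before changing anything.
        $missing = @($computers | Where-Object { -not (Get-ADComputer -Filter "Name -eq '$_'") })
        if ($missing.Count -gt 0) {
            Write-Warning "$($row.ID): unknown computer(s) $($missing -join ', '), skipped"
            continue
        }
        try {
            $user = Get-ADUser -Identity $row.ID -Properties LogonWorkstations -ErrorAction Stop
        } catch {
            Write-Warning "$($row.ID): user not found, skipped"
            continue
        }
        $newValue = $computers -join ','
        $action = "Set Log On To = $newValue (was '$($user.LogonWorkstations)')"
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, $action)) {
            Set-ADUser -Identity $user -LogonWorkstations $newValue
        }
    }
}

# Preview first, then apply:
#   Set-LogonWorkstationsFromCsv -CsvPath .\logon-to.csv -WhatIf
#   Set-LogonWorkstationsFromCsv -CsvPath .\logon-to.csv
```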


Example 3. Restrict a group of users from logon on to certain computers

In this example, I have a group of users that I want to prevent from logging on to a group of computers, such as all the accounting department computers. For this, I’ll use group policy to modify the Deny log on locally policy.

Step 1 . Create an Active Directory group. I’ve named my group “Deny Logon Accounting Computers”. Then add the users you want to deny logon for.


Step 2 . Open Group Policy Management Console

Step 3 . Create a new GPO and edit the following policy setting.

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment

Step 4 . Open the Deny log on locally policy and add the group you created from step 1.


Click OK to save and close the policy.

Step 5 . Link the GPO to an OU

Now link the GPO to a group of computers in Active Directory. This can be an existing OU or you may need to create a new one. I linked this GPO to my Accounting OU.


Step 6 . Wait for GPO to refresh and test the deny logon policy.

When a user tries to logon that is a member of the Deny Logon Accounting Computers group they will be denied.

the sign in method isn't allowed

To verify the settings you can open the local group policy editor on one of the computers that has the GPO applied. Look at the deny log on locally setting and it should have your AD group configured.


Example 4. Limit computers logon to specific users

In this example, I want to limit who can logon to a group of computers. So instead of allowing everyone and blocking specific users I want to do the reverse of this (block everyone and allow specific users). This is useful for kiosk or a lab environment where you need to limit who is authorized to logon.

These steps are very similar to Example 3 except this one uses the allow logon policy.

Step 1 . Open Group Policy Management Console

Step 2 . Create a new GPO and edit the following policy setting.

Step 3 . Edit the Allow log on locally policy. You can add users or groups to the policy.

Warning : You will want to add your administrator accounts to this policy or they will be denied logon. To be clear, the only accounts that will have permissions to log on will be the ones listed in this policy.

Step 4 . Now link the GPO to an OU that you want this policy to apply to. For example, I’m linking this to my Student Lab OU. This will limit the logons to all of these computers.


Step 5 . Wait for GPO policy to refresh and test the results.

In this article, I showed you a few ways to limit which computers a user can log on to. Make sure you test these policies before rolling them out to production users and computers, as a wrong setting could block all users from logging on.

If I missed a scenario please let me know in the comments and I’ll add it to the article.


Set and Check User Rights Assignment via Powershell

You can add, remove, and check user rights assignment (remotely / locally) with the following Powershell scripts.

Posted by : blakedrumm on Jan 5, 2022


Local Computer

Remote computer, output types.

This post was last updated on August 29th, 2022

I stumbled across this gem (weloytty/Grant-LogonAsService.ps1) that allows you to grant the Logon as a Service right for a user. I modified the script so you can now run the Powershell script against multiple machines, users, and user rights.

Set User Rights

How to get it.


All of the User Rights that can be set:

Privilege PrivilegeName
SeAssignPrimaryTokenPrivilege Replace a process level token
SeAuditPrivilege Generate security audits
SeBackupPrivilege Back up files and directories
SeBatchLogonRight Log on as a batch job
SeChangeNotifyPrivilege Bypass traverse checking
SeCreateGlobalPrivilege Create global objects
SeCreatePagefilePrivilege Create a pagefile
SeCreatePermanentPrivilege Create permanent shared objects
SeCreateSymbolicLinkPrivilege Create symbolic links
SeCreateTokenPrivilege Create a token object
SeDebugPrivilege Debug programs
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session
SeDenyBatchLogonRight Deny log on as a batch job
SeDenyInteractiveLogonRight Deny log on locally
SeDenyNetworkLogonRight Deny access to this computer from the network
SeDenyRemoteInteractiveLogonRight Deny log on through Remote Desktop Services
SeDenyServiceLogonRight Deny log on as a service
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation
SeImpersonatePrivilege Impersonate a client after authentication
SeIncreaseBasePriorityPrivilege Increase scheduling priority
SeIncreaseQuotaPrivilege Adjust memory quotas for a process
SeIncreaseWorkingSetPrivilege Increase a process working set
SeInteractiveLogonRight Allow log on locally
SeLoadDriverPrivilege Load and unload device drivers
SeLockMemoryPrivilege Lock pages in memory
SeMachineAccountPrivilege Add workstations to domain
SeManageVolumePrivilege Perform volume maintenance tasks
SeNetworkLogonRight Access this computer from the network
SeProfileSingleProcessPrivilege Profile single process
SeRelabelPrivilege Modify an object label
SeRemoteInteractiveLogonRight Allow log on through Remote Desktop Services
SeRemoteShutdownPrivilege Force shutdown from a remote system
SeRestorePrivilege Restore files and directories
SeSecurityPrivilege Manage auditing and security log
SeServiceLogonRight Log on as a service
SeShutdownPrivilege Shut down the system
SeSyncAgentPrivilege Synchronize directory service data
SeSystemEnvironmentPrivilege Modify firmware environment values
SeSystemProfilePrivilege Profile system performance
SeSystemtimePrivilege Change the system time
SeTakeOwnershipPrivilege Take ownership of files or other objects
SeTcbPrivilege Act as part of the operating system
SeTimeZonePrivilege Change the time zone
SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller
SeUndockPrivilege Remove computer from docking station

Note: You may edit line 437 in the script to change what happens when the script is run without any arguments or parameters. This also allows you to change what happens when the script is run from the PowerShell ISE.

Here are a few examples:

Add Users

Single Users

Example 1

Add User Right “Allow log on locally” for current user:

    .\Set-UserRights.ps1 -AddRight -UserRight SeInteractiveLogonRight

Example 2

Add User Right “Log on as a service” for CONTOSO\User:

    .\Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeServiceLogonRight

Example 3

Add User Right “Log on as a batch job” for CONTOSO\User:

    .\Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeBatchLogonRight

Example 4

Add User Right “Log on as a batch job” for user SID S-1-5-11:

    .\Set-UserRights.ps1 -AddRight -Username S-1-5-11 -UserRight SeBatchLogonRight

Add Multiple Users / Rights / Computers

Example 5

Add User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2, and run on the local machine and SQL.contoso.com:

    .\Set-UserRights.ps1 -AddRight -UserRight SeServiceLogonRight, SeBatchLogonRight -ComputerName $env:COMPUTERNAME, SQL.contoso.com -UserName CONTOSO\User1, CONTOSO\User2

Remove Users

Single Users

Example 1

Remove User Right “Allow log on locally” for current user:

    .\Set-UserRights.ps1 -RemoveRight -UserRight SeInteractiveLogonRight

Example 2

Remove User Right “Log on as a service” for CONTOSO\User:

    .\Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeServiceLogonRight

Example 3

Remove User Right “Log on as a batch job” for CONTOSO\User:

    .\Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeBatchLogonRight

Example 4

Remove User Right “Log on as a batch job” for user SID S-1-5-11:

    .\Set-UserRights.ps1 -RemoveRight -Username S-1-5-11 -UserRight SeBatchLogonRight

Remove Multiple Users / Rights / Computers

Example 5

Remove User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2, and run on the local machine and SQL.contoso.com:

    .\Set-UserRights.ps1 -RemoveRight -UserRight SeServiceLogonRight, SeBatchLogonRight -ComputerName $env:COMPUTERNAME, SQL.contoso.com -UserName CONTOSO\User1, CONTOSO\User2

Check User Rights

To check the local user rights, you will need to run the above script (Get-UserRights). You may copy and paste the above script into your PowerShell ISE and press play.


Note: You may edit line 467 in the script to change what happens when the script is run without any arguments or parameters. This also allows you to change what happens when the script is run from the PowerShell ISE.

Get Local User Account Rights and output to text in console:

Get Remote SQL Server User Account Rights:

Get Local Machine and SQL Server User Account Rights:

Output Local User Rights on Local Machine as CSV in ‘C:\Temp’:

Output to Text in ‘C:\Temp’:

PassThru object to allow manipulation / filtering:


I like to collaborate and work on projects. My skills with Powershell allow me to quickly develop automated solutions to suit my customers, and my own needs.


Website : https://blakedrumm.com

My name is Blake Drumm, I am working on the Azure Monitoring Enterprise Team with Microsoft. Currently working to update public documentation for System Center products and write troubleshooting guides to assist with fixing issues that may arise while using the products. I like to blog on Operations Manager and Azure Automation products, keep checking back for new posts. My goal is to post at least once a month if possible.


Set "deny log on locally" in Powershell?

Using powershell in Server 2008 R2, how to set the Deny Log On Locally policy for my domain?


I don't think this is possible. You'd have to set this through Group Policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

You can set registry-based GPO settings using the PowerShell cmdlet Set-GPPrefRegistryValue but the "Deny Log On Locally" GPO option doesn't appear to have a corresponding registry value to set.

  • I thought so as well, according to the official reference doc for server 2008 r2, it says there is no registry key for it. –  Gearbox Commented Mar 25, 2015 at 16:09



Deny logon locally

AKA: SeDenyInteractiveLogonRight, Deny logon locally

Default assignment: None

This is the opposite of Allow log on locally, and any user with both rights will be denied the right to log on interactively. See discussion of logon rights.

If you inadvertently assign this right to Everyone, you will not be able to log on to the computer with any account, including administrator accounts. In such a case you will have to revoke this right through:

  • group policy if the computer is a member of a domain
  • remotely with the  ntrights  resource kit utility
  • remotely replacing the %SystemRoot%\Security\Database\Secedit.sdb file from another working computer running the same operating system.

Normally this right would only be used for special exceptions where a user who should not be able to log on locally gets that right through membership in a group from which you cannot remove him for other reasons.


User rights assignment in Windows Server 2016


Leos Marek


Security policy settings are sets of rules that control various aspects of protection. They include account policies, local policies, user rights assignment, the Windows firewall, software restrictions, and so on. There are several ways to configure security policy settings. The most common are:

  • Group policy objects (GPO) – Used in Active Directory domains to configure and regularly reapply security settings to multiple computers.
  • Local security policy (secpol.msc) – Used to configure a single (local) computer. Note that this is a one-time action. If another administrator changes these settings, you will need to manually change them back to the required state.

As most organizations use an Active Directory domain, it is preferred to apply security settings via group policies. You should have at least three security baselines created and linked in your domain, based on the following machine types:

  • Domain Controllers (DC)
  • Member Servers (MS)
  • User Workstations

Configuring user rights assignment via Group Policy

If you have multiple versions of operating systems (OS) running on these machines, you should create separate baselines for each OS version, as some settings might not be available. This also enables stricter configuration for older systems, as they are usually less secure.

Security policies do not support generated group names


The following groups are used throughout this article:

  • Administrators – Members of this group have full, unrestricted access to the computer. Even if you remove some privileges from the Administrators group, a skilled administrator can still bypass those settings and gain control of the system. Only add highly trusted people to this group.
  • Authenticated Users – A special security principal that applies to any session that was authenticated using some account, such as a local or domain account.
  • Local account and member of Administrators group – A pseudogroup available since Windows Server 2012 R2. It applies to any local account in the Administrators group and is used to mitigate pass-the-hash attacks (lateral movement).
  • Remote Desktop Users – Members of this group can access the computer via Remote Desktop services (RDP).
  • Guests – By default, this group has no permissions. I don't think there is any need to use the Guest account and group today.

The Center for Internet Security (CIS) is a well-known non-profit organization that focuses on cybersecurity. To improve your knowledge of cybersecurity, you can access their free materials:

  • CIS Controls – A set of 20 basic and advanced cybersecurity actions (controls). Using these, you can stop the most common attacks.
  • CIS Benchmarks – Guidelines with specific configuration steps and detailed explanations. CIS Benchmarks are available for various products such as Windows Server, SQL Server, Apple iOS, and many more.

Both can be downloaded in exchange for your email address. There's no need to worry—there will be no further email, unless you choose to receive them.

Many companies and institutions create their security baselines based on CIS. I recommend you read CIS Controls. It really helped me to understand the importance of various security actions and settings.

CIS Benchmarks example


User rights assignments are settings applied to the local device. They allow users to perform various system tasks, such as local logon, remote logon, accessing the server from network, shutting down the server, and so on. In this section, I will explain the most important settings and how they should be configured.

For each setting, the following format is used:

Name of the setting: Recommended value, or values

Access Credential Manager as a trusted caller: No one (empty value)

Access to the Credential Manager is granted during Winlogon only to the user who is logging on. Saved user credentials might be compromised if someone else has this privilege.

Access this computer from the network: Administrators, Authenticated Users

Required for users to connect to the computer and its resources, such as an SMB share, shared printers, COM+, etc. If you remove this user right on the DC, no one will be able to log on to the domain.

Note: On DCs, you should also add the “ENTERPRISE DOMAIN CONTROLLERS” group.

Allow log on locally: Administrators

The default configuration includes the Users group, which allows a standard user to log on to the server console. Limit this privilege only to administrators.

Allow log on through Remote Desktop Services: Administrators, Remote Desktop Users

It's common practice that some applications are used via RDP sessions by standard users. This privilege is also frequently required for remote assistance offered by an organization's helpdesk. If a server is running Remote Desktop Services with the Connection Broker role, the Authenticated Users group must also be added to this privilege.

Note: On the DC, it is recommended to allow only administrators to connect via RDP.

Back up files and directories: Administrators

This is a sensitive privilege that allows a user to bypass NTFS permissions (only via an NTFS API interface, such as NTBACKUP). A malicious user could back up and restore data on a different computer, thereby gaining access to it.

Deny access to this computer from the network/Deny log on through Terminal Services: Local account and member of Administrators group, Guests

The default value is only Guests. You should add the second group to prevent pass-the-hash attacks, so if a local elevated user is compromised, it cannot be used to elevate privileges on any other network resource, or access it via RDP.

Force shutdown from a remote system/Shut down the system: Administrators

Only administrators should be able to shut down any server, to prevent denial-of-service (DoS) attacks.

Manage auditing and security log: Administrators

This is a sensitive privilege, as anyone with these rights can erase important evidence of unauthorized activity.

Note: If you are running MS Exchange, the “Exchange Servers” group must be added to DCs.

Restore files and directories: Administrators

Attackers with this privilege can overwrite data, or even executable files used by legitimate administrators, with versions that include malicious code.

Take ownership of files or other objects: Administrators

A user with this privilege can take control (ownership) of any object, such as a file or folder, and expose sensitive data.

Deny log on as a batch job/Deny log on as a service/Deny log on locally: Guests

To increase security, you should include the Guests group in these three settings.

Debug programs/Profile single process/Profile system performance: Administrators

This setting allows a user to attach a debugger to a system or process, thereby accessing critical, sensitive data. It can be used by attackers to collect information about running critical processes, or which users are logged on.

Change the system time: Administrators, Local Service

Changes in system time might lead to DoS issues, such as an inability to authenticate to the domain. The Local Service role is required for the Windows Time service, VMware Tools service, and others to synchronize system time with the DC or ESXi host.

Create a token object: No one (empty value)

Users with the ability to create or modify access tokens can elevate any currently logged on account, including their own.

Impersonate a client after authentication: Administrators, Local Service, Network Service, Service

An attacker with this privilege can create a service, trick a client into connecting to that service, and then impersonate that account.

Note: For servers running Internet Information Services (IIS), the "IIS_IUSRS" account must also be added.

Load and unload device drivers: Administrators

Malicious code can be installed that pretends to be a device driver. Administrators should only install drivers with a valid signature.

I hope this article helped you to understand why it is important to define a security baseline for your systems. Many of the settings are already configured properly following server deployment; however, if they are not controlled by a GPO, they can be manipulated by malicious users. Be careful to whom you grant administrator permissions.
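The recommended values above, and the lockout warning in the WinSecWiki entry on Deny logon locally earlier on this page, can be checked against a `secedit /export` of the user rights area. The script below is an added example, not code from any of the articles quoted here; the sample INF text is constructed, the function names are hypothetical, and both the translation of group names to well-known SIDs and the list of principals treated as lockout risks (beyond Everyone) are assumptions of this example.

```powershell
# Added example. $sampleInf is constructed; on a real host, export the live settings with
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
# and load them with: $sampleInf = Get-Content -Raw C:\Temp\rights.inf
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-1-0
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-555
SeDenyNetworkLogonRight = *S-1-5-32-546
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Some of the article's recommended values, written as well-known SIDs
# (the group-name-to-SID translation is this example's, not the article's).
$baseline = @{
    SeTrustedCredManAccessPrivilege   = @()
    SeNetworkLogonRight               = @('S-1-5-32-544', 'S-1-5-11')
    SeInteractiveLogonRight           = @('S-1-5-32-544')
    SeRemoteInteractiveLogonRight     = @('S-1-5-32-544', 'S-1-5-32-555')
    SeBackupPrivilege                 = @('S-1-5-32-544')
    SeCreateTokenPrivilege            = @()
    SeDenyNetworkLogonRight           = @('S-1-5-114', 'S-1-5-32-546')
    SeDenyRemoteInteractiveLogonRight = @('S-1-5-114', 'S-1-5-32-546')
    SeDenyInteractiveLogonRight       = @('S-1-5-32-546')
}

# Parse the [Privilege Rights] section into a hashtable: right name -> array of SIDs/names.
function ConvertFrom-UserRightsInf {
    param([string]$Text)
    $rights = @{}
    $inSection = $false
    foreach ($line in ($Text -split '\r?\n')) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]; $value = $Matches[2]
            # SIDs are written with a leading '*'; unresolved accounts appear as plain names.
            $rights[$name] = @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return $rights
}

# Report every right whose assignment differs from the baseline.
function Compare-UserRightsBaseline {
    param([hashtable]$Actual, [hashtable]$Expected)
    foreach ($right in ($Expected.Keys | Sort-Object)) {
        $have    = @($Actual[$right] | Where-Object { $_ })   # a right absent from the export is empty
        $want    = @($Expected[$right])
        $extra   = @($have | Where-Object { $want -notcontains $_ })
        $missing = @($want | Where-Object { $have -notcontains $_ })
        if ($extra.Count -or $missing.Count) {
            [pscustomobject]@{ Right = $right; Extra = $extra -join ','; Missing = $missing -join ',' }
        }
    }
}

# Flag deny rights that cover broad principals, or that cancel an allow entry (deny wins).
function Test-DenyLogonRisk {
    param([hashtable]$Actual)
    $broad = @{   # Everyone is the case WinSecWiki warns about; the rest are assumptions
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-544' = 'Administrators'
        'S-1-5-32-545' = 'Users'
    }
    $allowFor = @{
        SeDenyInteractiveLogonRight       = 'SeInteractiveLogonRight'
        SeDenyRemoteInteractiveLogonRight = 'SeRemoteInteractiveLogonRight'
        SeDenyNetworkLogonRight           = 'SeNetworkLogonRight'
    }
    foreach ($deny in ($allowFor.Keys | Sort-Object)) {
        $allowed = @($Actual[$allowFor[$deny]] | Where-Object { $_ })
        foreach ($sid in @($Actual[$deny] | Where-Object { $_ })) {
            if ($broad.ContainsKey($sid)) {
                $finding = "lockout risk: denies $($broad[$sid])"
            } elseif ($allowed -contains $sid) {
                $finding = "also listed in $($allowFor[$deny]); deny wins"
            } else { continue }
            [pscustomobject]@{ Right = $deny; Sid = $sid; Finding = $finding }
        }
    }
}

$actual = ConvertFrom-UserRightsInf -Text $sampleInf
Compare-UserRightsBaseline -Actual $actual -Expected $baseline | Format-Table -AutoSize
Test-DenyLogonRisk -Actual $actual | Format-Table -AutoSize
```

The comparison is by SID only, so it does not resolve group membership: an account denied through a nested group will not show up as "listed in both".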


Created a domain account to use as a service account and then tried to run powershell cmdlets against the active RDS management server.

Gave that account local admin access on the broker servers and then was able to get further.

Got the error “Access is denied” when trying to run the invoke-RDUserLogoff (with correct hostserver and unifiedsessionID values) to log off a session using that account.

Need to know what permissions should be granted to the account to provide ability to run this command and where like on the broker or the session host.

I can’t run the RD cmdlets on the RD broker to remove a user session without local administrator privileges on the broker and session host.

I need to know what user permissions are necessary to run these cmdlets as giving local admin is not desired.


Sir we are having user1 in server1. We want to collect logs of server1 from server2 using credentials of user1. Surprisingly even after entering the credentials of user1 in event viewer it is taking logged-in credentials of the user logged into server2.


Deny log on through Remote Desktop Services

  • Windows 11
  • Windows 10

Describes the best practices, location, values, policy management, and security considerations for the Deny log on through Remote Desktop Services security policy setting.

This policy setting determines which users are prevented from logging on to the device through a Remote Desktop connection through Remote Desktop Services. It's possible for a user to establish a Remote Desktop connection to a particular server, but not be able to sign in to the console of that server.

Constant: SeDenyRemoteInteractiveLogonRight

Possible values

  • User-defined list of accounts
  • Not defined

Best practices

  • To control who can open a Remote Desktop connection and sign in to the device, add the user account to or remove user accounts from the Remote Desktop Users group.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Default values

The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page.

| Server type or GPO | Default value |
| --- | --- |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | Not defined |
| Domain Controller Effective Default Settings | Not defined |
| Member Server Effective Default Settings | Not defined |
| Client Computer Effective Default Settings | Not defined |

Policy management

This section describes features, tools, and guidance to help you manage this policy.

A restart of the computer isn't required for this policy setting to be effective.

Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.

The Remote System property controls settings for Remote Desktop Services ( Allow or prevent remote connections to the computer ) and for Remote Assistance ( Allow Remote Assistance connections to this computer ).

Group Policy

This policy setting supersedes the Allow log on through Remote Desktop Services policy setting if a user account is subject to both policies.

Group Policy settings are applied in the following order. They overwrite settings on the local device at the next Group Policy update.

  1. Local policy settings
  2. Site policy settings
  3. Domain policy settings
  4. Organizational unit policy settings

When a local setting is greyed out, it indicates that a GPO currently controls that setting.

Security considerations

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

Vulnerability

Any account with the right to sign in through Remote Desktop Services could be used to sign in to the remote console of the device. If this user right isn't restricted to legitimate users who need to sign in to the console of the computer, malicious users might download and run software that elevates their user rights.

Countermeasure

Assign the Deny log on through Remote Desktop Services user right to the built-in local guest account and all service accounts. If you have installed optional components, such as ASP.NET, you may want to assign this user right to other accounts that are required by those components.

Potential impact

If you assign the Deny log on through Remote Desktop Services user right to other groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. Accounts that have this user right can't connect to the device through Remote Desktop Services or Remote Assistance. You should confirm that delegated tasks aren't negatively affected.

Related topics

  • User Rights Assignment

Additional resources

COMMENTS

  1. Deny log on locally

    Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. ... If you assign the Deny log on locally user right to other accounts, you could limit the abilities of users who are assigned to specific roles in your environment. However, this user right should explicitly be assigned to ...

  2. Allow or Prevent Users and Groups to Sign in Locally to Windows 10

    Learn how to allow or prevent specific users and groups from signing in locally to a Windows 10 PC using Local Security Policy or Command Prompt. See step-by-step instructions, screenshots, and examples for each option.

  3. How to Prevent/Allow Log on Locally via GPO?

    Learn how to manage local logon permissions on Windows 10 and Windows Server 2019 using Group Policy Editor. Find out how to add or remove user groups or accounts that are allowed or denied to log on interactively to a computer.

  4. Allow log on locally

    Learn how to manage the Allow log on locally user right that determines which users can start an interactive session on the device. See the default values, best practices, policy management, and security considerations for this setting.

  5. Deny Users and Groups to Sign in Locally to Windows 10

    Learn how to use Local Security Policy or Command Prompt to prevent specific users and groups from logging on locally to a Windows 10 PC. Follow the step-by-step instructions and screenshots for each option.

  6. Restricting the local log on to specific users

    Learn how to configure the Allow log on locally policy setting in the User Rights section of the Policy CSP to limit the users that can log on locally to a Windows device. See the steps, the user experience and the side effects of this configuration.

  7. Change User Rights Assignment Security Policy Settings in Windows 10

    Learn how to use secpol.msc command to open Local Security Policy and manage user rights and permissions in Windows 10. See step-by-step instructions and screenshots for adding and removing users and groups from user rights policies.

  8. Deny and allow workstation logons with Group Policy

    Learn how to use Group Policy to deny or allow users to log on locally to Windows workstations. See the settings, examples, and tips for managing user access to computers in Active Directory environments.

  9. Allow logon locally option grayed out

    If you edit the Default Policies you remove all of the default permissions. Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies. User Rights Assignment. Double Click on Allow Log On Locally and add your users. Share.

  10. User Rights Assignment

    Learn how to configure user rights for logging on and accessing computer and domain resources in Windows 10 and 11. User rights include logon rights, permissions, and privileges that can be managed in Group Policy or Local Group Policy Editor.

  11. Set Allow Log On Locally User Rights via Powershell, C# and CMD

    Learn how to configure Allow Log on Locally user rights/permission/privilege using Local Security Policy, Powershell, C# and Command Line tool. See the steps, scripts, commands and code examples for each method.

  12. Restrict User Logon to Specific Computers

    Computer Configuration > Policies > Window Settings > Security Settings > Local Policies > User Rights Assignment. Step 3. Edit the Allow log on locally policy. You can add users or groups to the policy. Warning: You will want to add your administrator accounts to this policy or they will be denied logon. To be clear the only accounts that will ...

  13. Set and Check User Rights Assignment via Powershell

    Learn how to use Powershell scripts to add, remove, and check user rights assignment for local or remote computers. See examples of how to grant Logon as a Service Right for a user with the script Set-UserRights.ps1.

  14. Deny interactive logon to a specific group with Group Policy

    Learn how to prevent users from logging on interactively to a specific group or computer using Group Policy. See the steps, options and limitations of this method and the alternatives.

  15. Blocking Remote Use of Local Accounts

    Learn how to use new Windows features to block remote logons by local accounts and prevent "pass the hash" attacks. See the policy change for Windows Server 2012 R2 Member Server baseline and the exceptions for failover cluster scenarios.

  16. Set "deny log on locally" in Powershell?

    I don't think this is possible. You'd have to set this through Group Policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. You can set registry-based GPO settings using the PowerShell cmdlet Set-GPPrefRegistryValue but the "Deny Log On Locally" GPO option doesn't appear to have a corresponding registry value to set.

  17. GPO to allow only certain groups access to a PC?

    Start by: 1) putting all the users you need to restrict access from in a group; 2) putting all the users you need to allow access to in a group. In AD Users & Computers, go to the Computers container, right-click the Computer you need to restrict access to > Properties, Security tab, Advanced. Add the group you want to allow access, and set ...

  18. Deny logon locally

    Learn what deny logon locally means and how it differs from allow logon locally. Find out how to assign and revoke this right and what are the consequences of assigning it to Everyone.

  19. User rights assignment in Windows Server 2016

    Learn how to configure security policy settings, especially user rights assignment, in Windows Server 2016. Find out which group is assigned to the allow log on locally right by default for workstations and member servers.

  20. UserRights Policy CSP

    Deny log on as a service: This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies. ... Windows Settings > Security Settings > Local Policies > User Rights Assignment ...

  21. User Rights Assignment

    Learn how to configure user rights settings in Group Policy for Windows operating systems. User rights control logon methods, access to resources, and permissions for users and processes.

  22. Intune Device Configuration to Deny Local Log On by a local admin user

    Microsoft Intune Configuration. A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities. The process of arranging or setting up computer systems, hardware, or software. Accepted answer. Nick Hogarth 3,436.

  23. Deny log on through Remote Desktop Services

    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. ... malicious users might download and run software that elevates their user rights. Countermeasure. Assign the Deny log on through Remote Desktop Services user right to the built-in local guest account and all service accounts. If you have ...