Logon Locally User Right
How can I easily give someone the Log On Locally user right on a Windows 2000 and Windows Server 2003 Domain Controllers?
In Windows 2000 (and Windows Server 2003) servers that are configured as Domain Controllers only 5 groups have the right to log on locally on the computer. Those groups are:
Administrators, Account, Print, Backup, and Server Operators.
Say Goodbye to Traditional PC Lifecycle Management
Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.
Without this right any user who will try to log on locally will receive this message:
(The local policy of this system does not permit you to log-on interactively)
To give a specific user or group the right to log on locally on the DC you must edit the Domain Controller GPO (or create another one and link it to the Domain Controllers OU in Active Directory Users and Computers). Most novice IT personnel find it harder to add user rights on W2K than in Windows NT 4. I agree, but life goes on, doesn’t it?
To make life easier run this command and you won’t have to edit the GPO:
ntrights -u Users +r SeInteractiveLogonRight
You must have the NTRIGHTS.EXE program from the W2K Resource kit (or d/l it from HERE).
(You can substitue USERS with the name of the user or group you want to configure).
If you still want to do it via the GPO, do the following:
- Go to Start, Settings, Control Panel, Administrative Settings.
- Double-click Domain Controller Security Policy.
- Go to Security Settings, Local Policies, User Rights.
- Double-click Logon Locally on the right pane.
- Click Add, Browse, and double click the user or group you want to add.
- Click Ok all the way out.
- Reboot your computer, or even better, use SECEDIT:
secedit /refreshpolicy machine_policy /enforce
By the way, in Windows Server 2003 the same user right is called “Allow Logon Locally”, and to refresh the policy you need to run a different command:
When you click Add within the right settings you get the Windows XP style box:
That’s something we’ll have to get used to, although I can’t say I like it myself.