Windows Server 2003

Logon Locally User Right

How can I easily give someone the Log On Locally user right on a Windows 2000 and Windows Server 2003 Domain Controllers?

In Windows 2000 (and Windows Server 2003) servers that are configured as Domain Controllers only 5 groups have the right to log on locally on the computer. Those groups are:

Administrators, Account Operators, Print Operators, Backup Operators, and Server Operators.


Without this right, any user who tries to log on locally receives this message:

(The local policy of this system does not permit you to log-on interactively)

To give a specific user or group the right to log on locally on the DC you must edit the Domain Controller GPO (or create another one and link it to the Domain Controllers OU in Active Directory Users and Computers). Most novice IT personnel find it harder to add user rights on W2K than in Windows NT 4. I agree, but life goes on, doesn’t it?

To make life easier run this command and you won’t have to edit the GPO:

ntrights -u Users +r SeInteractiveLogonRight

You must have the NTRIGHTS.EXE program from the W2K Resource Kit (or download it from HERE).

(You can substitute USERS with the name of the user or group you want to configure.)

If you still want to do it via the GPO, do the following:

  1. Go to Start, Settings, Control Panel, Administrative Settings.
  2. Double-click Domain Controller Security Policy.
  3. Go to Security Settings, Local Policies, User Rights.
  4. Double-click Logon Locally on the right pane.
  5. Click Add, Browse, and double-click the user or group you want to add.
  6. Click OK all the way out.
  7. Reboot your computer, or even better, use SECEDIT:

secedit /refreshpolicy machine_policy /enforce

By the way, in Windows Server 2003 the same user right is called “Allow Logon Locally”, and to refresh the policy you need to run a different command:

gpupdate /force
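Whichever route you take (NTRIGHTS or the GPO), it is worth checking afterwards who actually ends up holding the right, since anyone in that list can sit down at the DC console. The script below is an added example and is not part of the original article or a Microsoft tool: it exports the effective policy with `secedit /export`, parses the `SeInteractiveLogonRight` line, resolves the SIDs, and flags any holder that is not one of the five default groups the article lists. The export path under `$env:TEMP` and the assumption that the export uses the `*SID` / comma-separated format are mine; run it in an elevated PowerShell session on the DC.

```powershell
# Added example (not from the original article): audit who holds the
# "Log on locally" right (SeInteractiveLogonRight) on this machine by
# exporting the user-rights area of the security policy with secedit
# and parsing the [Privilege Rights] section of the resulting .inf file.

# Assumption: a throwaway export path under the user's temp directory.
$inf = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $inf)) { throw "secedit export failed; run from an elevated prompt" }

# The five groups the article lists as the only default holders of the
# right on a DC, keyed by their well-known SIDs. Anything else is flagged.
$expected = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-548' = 'Account Operators'
    'S-1-5-32-549' = 'Server Operators'
    'S-1-5-32-550' = 'Print Operators'
    'S-1-5-32-551' = 'Backup Operators'
}

# secedit writes the .inf as Unicode; pick out the one line we care about.
$line = Get-Content $inf -Encoding Unicode |
    Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $inf -Force

if (-not $line) {
    Write-Output 'SeInteractiveLogonRight is not assigned to anyone in the exported policy'
    return
}

# Right-hand side looks like: *S-1-5-32-544,*S-1-5-32-548,...
$entries = ($line -split '=', 2)[1].Trim() -split ','
foreach ($e in $entries) {
    $e = $e.Trim()
    if ($e.StartsWith('*')) {
        # secedit prefixes SIDs with '*'; resolve them to account names.
        $sid = $e.Substring(1)
        try {
            $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unresolved>'
        }
    } else {
        # Entries without a leading '*' are literal account names.
        $sid  = '<name only>'
        $name = $e
    }
    $status = if ($expected.ContainsKey($sid)) { 'default' } else { 'REVIEW' }
    Write-Output ('{0,-8} {1,-35} {2}' -f $status, $name, $sid)
}
```

Every line marked `REVIEW` is a user or group someone added beyond the defaults, which is exactly what the NTRIGHTS command or the GPO edit above does; if you did not add it, find out who did. Because the script reads the effective policy rather than a GPO object, it also shows the result of a GPO that was linked but has not yet been refreshed with `secedit` or `gpupdate`.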

When you click Add within the right settings you get the Windows XP style box:

That’s something we’ll have to get used to, although I can’t say I like it myself.
