How to Prevent/Allow Log on Locally via GPO?

Allowing or denying local (interactive) logon for users is controlled through the user rights assignment settings of the Windows local security policy. This article shows how to manage the local logon right on Windows 10 and Windows Server 2019.
By default, Windows 10 and Windows Server 2019 allow members of the following local security groups to log on locally:

  • Users;
  • Administrators;
  • Backup Operators.
The list of groups with the local logon right changes when the server is promoted to an Active Directory domain controller. On a domain controller, the following groups are allowed to log on interactively by default:

  • Account Operators;
  • Administrators;
  • Backup Operators;
  • Print Operators;
  • Server Operators.

You can view the current list of groups with the local logon right in the local Group Policy:

  1. Open the Local Group Policy Editor (gpedit.msc);
  2. Go to the GPO section Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment;
  3. Find and open the Allow log on locally policy.

In this policy you can add or remove the groups (or individual user accounts) that are allowed to log on locally. For example, if you remove the local Users group from this policy, regular users will no longer be able to sign in interactively on this device.

Hint. Removing a group from Allow log on locally does not block remote logons: its members can still log on through Remote Desktop Services if they are listed in the Allow log on through Remote Desktop Services policy in the same GPO section.

You do not need to restart the computer after changing the policy. Changes to user rights assignments take effect the next time the user logs on; sessions that are already open are not affected.

The same GPO section also contains the Deny log on locally policy, which lets you explicitly block interactive logon for users. It is empty by default. You can manually add the users or groups that must not be allowed to log on to this computer interactively. Note that Deny log on locally takes precedence over Allow log on locally: a user listed in both policies is denied.
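The steps above cover the GUI. The following PowerShell script is an added example (not from the original article, and not a Microsoft tool) that does the same audit from the command line with secedit: it exports the local security policy, resolves the members of Allow log on locally, Deny log on locally and Allow log on through Remote Desktop Services, reports any principal that is effectively denied because it appears in both the allow and deny lists, and can optionally add one group to Deny log on locally while leaving every other right untouched. The scratch paths and the CONTOSO\svc-accounts group name are assumptions; substitute your own.

```powershell
# Added example, not part of the original article: audit the local
# "Allow log on locally" / "Deny log on locally" assignments with secedit
# and optionally add one group to the Deny policy. Run from an elevated
# PowerShell prompt. Values marked "assumption" are placeholders.
param(
    # Assumption: a service-account group to block from the console, e.g.
    # 'CONTOSO\svc-accounts'. Leave empty to audit only.
    [string] $DenyGroup = ''
)

$exportPath = Join-Path $env:TEMP 'secpol-export.inf'   # assumption: scratch path

# 1. Export the effective local security policy (user rights area only).
secedit /export /cfg $exportPath /areas USER_RIGHTS | Out-Null

# Returns the raw, comma-separated value of one privilege line from the .inf,
# or '' if the right is assigned to nobody (an empty Deny policy has no line).
function Get-RawRight {
    param([string] $InfPath, [string] $Privilege)
    $line = Get-Content $InfPath | Where-Object { $_ -match "^$Privilege\s*=" } | Select-Object -First 1
    if (-not $line) { return '' }
    return ($line -split '=', 2)[1].Trim()
}

# Resolves the entries of a privilege line to account names. secedit writes
# SIDs prefixed with '*' (plain names can also appear), so handle both.
function Resolve-RightMembers {
    param([string] $Raw)
    if (-not $Raw) { return @() }
    $Raw -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            try {
                $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $entry.Substring(1)
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }   # orphaned or foreign SID: show it as-is
        } else { $entry }
    }
}

$rawAllow = Get-RawRight -InfPath $exportPath -Privilege 'SeInteractiveLogonRight'
$rawDeny  = Get-RawRight -InfPath $exportPath -Privilege 'SeDenyInteractiveLogonRight'
$rawRdp   = Get-RawRight -InfPath $exportPath -Privilege 'SeRemoteInteractiveLogonRight'

$allow = @(Resolve-RightMembers $rawAllow)
$deny  = @(Resolve-RightMembers $rawDeny)
$rdp   = @(Resolve-RightMembers $rawRdp)

"Allow log on locally                : $($allow -join ', ')"
"Deny log on locally                 : $($deny  -join ', ')"
"Allow log on through Remote Desktop : $($rdp   -join ', ')"

# 2. Deny wins: a principal present in both lists cannot log on at the console.
$blocked = @($allow | Where-Object { $deny -contains $_ })
if ($blocked.Count -gt 0) { "Effectively denied (in both lists): $($blocked -join ', ')" }

# 3. Optionally add one group to "Deny log on locally". The template repeats
#    the existing Deny entries so nothing already there is dropped.
if ($DenyGroup) {
    $acct   = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $DenyGroup
    $newSid = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    if ($rawDeny -match [regex]::Escape($newSid)) {
        "$DenyGroup is already listed in Deny log on locally"
    } else {
        $newValue = if ($rawDeny) { "$rawDeny,*$newSid" } else { "*$newSid" }
        $template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = {0}
'@ -f $newValue
        $importPath = Join-Path $env:TEMP 'deny-logon.inf'   # assumption: scratch path
        $template | Set-Content -Path $importPath -Encoding Unicode
        secedit /configure /db (Join-Path $env:TEMP 'deny-logon.sdb') /cfg $importPath /areas USER_RIGHTS | Out-Null
        "Added $DenyGroup to Deny log on locally; it applies at the next logon"
    }
}
```

Run it without parameters to audit, or with `-DenyGroup 'CONTOSO\svc-accounts'` to block that group. Two caveats: on a domain-joined machine a domain GPO that defines these rights overrides the local setting at the next policy refresh, so make the change in the GPO instead; and never add Everyone, Authenticated Users or the local Users group to Deny log on locally, because Deny takes precedence and you will lock yourself out of the console.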

If a user does not have the right to log on locally, the following message appears after they enter their password at the console:

The sign-in method you're trying to use isn't allowed. For more info, contact your network administrator.
Configure logon rights so that only authorized users can sign in at the device console. In particular, for security reasons, deny service accounts the right to log on interactively on computers in your organization's network.
