Get Set to Let Users Log on Locally

By Jason Rush, Technical Writer, Microsoft Corp.

Group Policy is the primary Windows 2000 tool for configuring administrative policy on users and computers. By default, the account operators, administrators, backup operators, print operators, server operators, Internet guest account, and Terminal Services user account are assigned the right to log on locally to a Windows 2000-based domain controller.

To grant or remove the right to log on locally:

  1. Start User Manager for Domains.
  2. Click Policies, and then click User Rights.
  3. In the Rights field, select Log On Locally.
  4. In the Grant To field, select the users and/or groups to whom you want to grant this right.

You can also use the Microsoft Management Console Group Policy Editor snap-in on your Windows 2000 Server-based computer to assign "Log on locally" user rights to other users and groups:

  1. Click Start, click Run, type mmc, and then press ENTER.
  2. Click Console, and then click Add/Remove Snap-in, click Add, and then double-click Group Policy snap-in.
  3. Click Browse for the group policy object, and then double-click the folder for your domain controller.
    NOTE: To give users and groups "log on locally" permissions to specific domain controllers, in this step, replace "Default Domain Controllers Policy" with the "Local Policy" of the domain controller.
  4. Double-click Default Domain Controllers Policy, click Finish, click Close, and then click OK.
  5. Click Default Domain Controllers Policy, double-click the Computer Configuration branch to expand it, and then double-click the Windows Settings branch to expand it.
  6. Double-click the Security Settings branch to expand it, and then double-click the Local Policies branch to expand it.
  7. Double-click the User Rights Assignment branch to expand it, double-click the Log On Locally branch to expand it, and then click Add.
  8. Click the users or groups you want to add, click OK, and then click OK.

Quit the Group Policy Editor snap-in by clicking Console, clicking Exit, and then clicking .

NOTE: You do not have to save the console settings for the change to take effect. Active Directory replication must also occur between all domain controllers, and this could take up to 3 hours unless replication is forced.
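
Once the policy has applied, the resulting assignment can be checked from the command line. The following is an added example, not part of the original tip: it exports the effective user rights with `secedit`, reads the `SeInteractiveLogonRight` ("Log on locally") entry, and flags any holder outside an allowlist. It assumes PowerShell 3.0 or later, an elevated session, and English group names; the `$Expected` list and the function name `Get-LogonLocallyHolders` are illustrative.

```powershell
# Added example: list who holds "Log on locally" (SeInteractiveLogonRight).
# Run in an elevated session on the domain controller being checked.
# $Expected is an assumed allowlist built from the default groups; edit it.
$Expected = @(
    'BUILTIN\Administrators'
    'BUILTIN\Account Operators'
    'BUILTIN\Backup Operators'
    'BUILTIN\Print Operators'
    'BUILTIN\Server Operators'
)

function Get-LogonLocallyHolders {
    param([string]$InfPath)   # path to a secedit USER_RIGHTS export

    $line = Get-Content -Path $InfPath |
        Where-Object { $_ -match '^\s*SeInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }   # right is not defined in this export

    $entries = ($line -split '=', 2)[1] -split ','
    foreach ($entry in $entries) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if ($entry.StartsWith('*')) {
            # secedit writes SIDs as *S-1-...; resolve to DOMAIN\name if possible
            $sid = $entry.TrimStart('*')
            try {
                $sidObject = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $sidObject.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $sid           # orphaned or unresolvable SID: report it raw
            }
        } else {
            $entry             # already written as an account name
        }
    }
}

$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS /quiet
$holders = @(Get-LogonLocallyHolders -InfPath $inf)
Remove-Item $inf -ErrorAction SilentlyContinue

# One row per holder; Expected = False marks a grant to review.
foreach ($h in $holders) {
    [pscustomobject]@{ Account = $h; Expected = ($Expected -contains $h) }
}
```

Machine-specific accounts such as the Internet guest account and the Terminal Services user account will show as unexpected until their names are added to the allowlist.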

This was first published in December 2000
