Daniel Petri is a world-known IT professional, technical trainer and creator of one of the world’s largest IT knowledge bases – www.petri.com. Daniel consults to leading global Fortune 1000 companies in Microsoft IT Infrastructure and Engineering strategies.

For his contribution to the IT Pro community Daniel has received the Microsoft Most Valuable Professional (MVP) award for the 14th time. Daniel’s professional certifications include Microsoft Certified Technology Specialist, Microsoft Certified Systems Engineer, Microsoft Certified System Administrator and Microsoft Certified Trainer.

While working for Microsoft, Daniel serves as a Senior Premier Field Engineer (PFE) specializing in Windows Server OS and Active Directory.
Daniel now works for ObserveIT, makers of the Insider Threat Detection software, where he holds the role of Senior Solutions Architect, where he manages large deployment projects and partner and customer training programs.

In his spare time, Daniel rides a 1200cc 2015 model Ducati Multistrada 1200S bike and manages the Israeli Bikers forum.

You can contact Daniel at daniel-at-petri-dot-co-dot-il.

Logon Locally User Right

How can I easily give someone the Log On Locally user right on a Windows 2000 and Windows Server 2003 Domain Controllers?

In Windows 2000 (and Windows Server 2003) servers that are configured as Domain Controllers only 5 groups have the right to log on locally on the computer. Those groups are:

Administrators, Account, Print, Backup, and Server Operators.

Without this right any user who will try to log on locally will receive this message:

(The local policy of this system does not permit you to log-on interactively)

To give a specific user or group the right to log on locally on the DC you must edit the Domain Controller GPO (or create another one and link it to the Domain Controllers OU in Active Directory Users and Computers). Most novice IT personnel find it harder to add user rights on W2K than in Windows NT 4. I agree, but life goes on, doesn’t it?

To make life easier run this command and you won’t have to edit the GPO:

You must have the NTRIGHTS.EXE program from the W2K Resource kit (or d/l it from HERE).

(You can substitue USERS with the name of the user or group you want to configure).

If you still want to do it via the GPO, do the following:

  1. Go to Start, Settings, Control Panel, Administrative Settings.
  2. Double-click Domain Controller Security Policy.

  3. Go to Security Settings, Local Policies, User Rights.

  1. Double-click Logon Locally on the right pane.
  2. Click Add, Browse, and double click the user or group you want to add.

  1. Click Ok all the way out.
  2. Reboot your computer, or even better, use SECEDIT:

By the way, in Windows Server 2003 the same user right is called “Allow Logon Locally”, and to refresh the policy you need to run a different command:

When you click Add within the right settings you get the Windows XP style box:

That’s something we’ll have to get used to, although I can’t say I like it myself.

Related Topics:

  • Windows Server 2003

    Don't have a login but want to join the conversation? Sign up for a Petri Account