Where is deny logon locally group policy





















Describes the best practices, location, values, policy management, and security considerations for the Deny log on locally security policy setting. This policy setting determines which users are prevented from logging on directly at the device's console.

The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.

This policy setting supersedes the Allow log on locally policy setting if a user account is subject to both policies. Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

Any account with the ability to log on locally could be used to log on at the console of the device. If this user right is not restricted to legitimate users who must log on to the console of the device, unauthorized users might download and run malicious software that elevates their user rights. Assign the Deny log on locally user right to the local Guest account.

If you have installed optional components such as ASP.NET, you may want to assign this user right to additional accounts that are required by those components. If the server is promoted to an Active Directory domain controller, then the list of groups with local logon permissions is changed. The user is not allowed to log on to the AD domain controller console:

You can view the current list of groups with local logon permissions through the local Group Policy. With this policy, you can add or remove user groups or personal user accounts that are allowed to log on locally.

For example, if you remove the local Users group from this policy, then your users will not be allowed to log in interactively to this device.

Stribor45 wrote: I think I did it but I think I also locked "admin" group which is me.

You'll have to log in to the DC using a local admin account to change it back.

What exactly did you do and where you can't log as admin on workstation or server?

If you use gpedit then you can deny log on locally for both local and domain users.

When I set policy locally does that override anything that was set globally?

Stribor45 wrote: last question.
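
Because Deny log on locally supersedes Allow log on locally, an entry that lands in both lists produces the kind of administrator lockout described in the thread. The following is an added example, not part of the original page: a Python check over the text of a `secedit /export /cfg rights.inf /areas USER_RIGHTS` export, where the sample INF content and the function names are constructed for illustration.

```python
# Constructed sample of what `secedit /export /cfg rights.inf /areas USER_RIGHTS`
# writes; not taken from the page. Real exports are usually UTF-16 encoded.
SAMPLE_INF = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeDenyInteractiveLogonRight = *S-1-5-32-544,Guest
[Version]
signature="$CHICAGO$"
"""

ALLOW = "SeInteractiveLogonRight"      # Allow log on locally
DENY = "SeDenyInteractiveLogonRight"   # Deny log on locally
ADMINS = "S-1-5-32-544"                # built-in Administrators group


def parse_rights(inf_text):
    """Return {right name: set of principals} from [Privilege Rights]."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {
                v.strip().lstrip("*") for v in value.split(",") if v.strip()
            }
    return rights


def is_guest(principal):
    """Match the local Guest account by name or by its RID (501)."""
    p = principal.lower()
    return p == "guest" or (p.startswith("s-1-5-21-") and p.endswith("-501"))


def audit(inf_text):
    """List findings for the Deny/Allow log on locally assignments."""
    rights = parse_rights(inf_text)
    allow, deny = rights.get(ALLOW, set()), rights.get(DENY, set())
    findings = []
    if not any(is_guest(p) for p in deny):
        findings.append("Guest is not assigned Deny log on locally")
    for p in sorted(allow & deny):
        findings.append(f"{p} is in both lists; deny supersedes allow")
    if ADMINS in deny:
        findings.append("Administrators are denied console logon (lockout risk)")
    return findings
```

The check compares list entries only and does not resolve group membership, so an account that belongs to a denied group is denied as well even though it is not flagged here.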
