WinSecWiki
Allow log on locally
AKA: SeInteractiveLogonRight, Allow log on locally
Default assignment on workstations and member servers: Administrators, Backup Operators, Power Users, Users, and Guest
Default assignment on domain controllers: Account Operators, Administrators, Backup Operators, Print Operators, and Server Operators
This right controls who can log on interactively at the local console of the computer. It would have been better named "Allow log on interactively", since "interactive" is the term Windows uses everywhere else for this type of logon. Allow log on locally has nothing to do with local user accounts in the SAM. Grant this right only to users who should be able to log on at the computer's own keyboard and monitor. Note that by default any user in the forest can log on to any workstation or member server, because the local Users group includes Domain Users as a member. Even on domain controllers the default assignments are too lax for most environments, since they let the operator groups log on locally.
In Windows 2000 (pre SP2) this right also allowed logon via Terminal Services. In Windows 2000 SP2, XP and 2003, Microsoft added the Allow logon through Terminal Services right and removed Terminal Services logon ability from Allow log on locally.
The Deny log on locally right overrides this right: a principal listed in both is denied.
Use of this right does not generate a Privilege Use event in the Windows security log, but local logons do generate event ID 528/4624 with logon type 2.
Changes to these logon rights assignments are logged by event IDs 621/4717 and 622/4718.
More information at Logon Rights.
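 
The following PowerShell script is an added example, not code from the WinSecWiki article. It audits the effective "Allow log on locally" and "Deny log on locally" assignments on the local machine by exporting the User Rights Assignment area with secedit, flags the broad principals (BUILTIN\Users and therefore Domain Users, Everyone, Authenticated Users, Guest) that make "anyone in the domain can sit at this console" the default, and then lists recent logon type 2 events from the Security log. The list of "broad" principals is this example's own judgement, not a Microsoft baseline. It assumes an elevated PowerShell session on a supported Windows build.

```powershell
# Added example (not from the WinSecWiki article): audit SeInteractiveLogonRight and
# SeDenyInteractiveLogonRight on this computer and flag overly broad assignments.
# Assumes: run elevated on Windows; secedit.exe is present (it ships with every supported Windows).

$cfg = Join-Path $env:TEMP 'secpol-export.inf'
# secedit writes the local policy (User Rights Assignment area only) to a Unicode (UTF-16LE) .inf
$null = secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet
$lines = Get-Content -Path $cfg -Encoding Unicode

function Get-RightMembers {
    param([string[]]$PolicyLines, [string]$Right)
    $line = $PolicyLines | Where-Object { $_ -match "^\s*$Right\s*=" }
    if (-not $line) { return @() }
    # Export format: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,CORP\SomeName
    (($line -split '=', 2)[1].Trim() -split ',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # "*SID" form: translate to an account name where the SID resolves
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $entry }
        } elseif ($entry) { $entry }
    }
}

$allow = @(Get-RightMembers -PolicyLines $lines -Right 'SeInteractiveLogonRight')
$deny  = @(Get-RightMembers -PolicyLines $lines -Right 'SeDenyInteractiveLogonRight')

# Principals whose presence in "Allow log on locally" means essentially everyone can log on at
# the console. BUILTIN\Users contains Domain Users on a domain-joined machine. (Example's own list.)
$broad = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Guests', 'Guest'

[PSCustomObject]@{
    Computer          = $env:COMPUTERNAME
    AllowLogOnLocally = $allow
    DenyLogOnLocally  = $deny          # Deny wins over Allow for any principal listed in both
    BroadAssignments  = @($allow | Where-Object { $broad -contains $_ -or $_ -like '*\Domain Users' })
}

# Use of the right produces no Privilege Use event; the console logon itself is 4624 with
# LogonType 2. Property indexes for 4624: 5 = TargetUserName, 6 = TargetDomainName, 8 = LogonType.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 2 } |
    Select-Object -First 20 TimeCreated,
        @{ n = 'User';      e = { "$($_.Properties[6].Value)\$($_.Properties[5].Value)" } },
        @{ n = 'LogonType'; e = { $_.Properties[8].Value } }

Remove-Item $cfg -ErrorAction SilentlyContinue
```

Run it on a freshly joined member server and BroadAssignments will normally contain BUILTIN\Users, which is the default the article warns about. On a domain controller the export reflects the Default Domain Controllers Policy, so the operator groups show up under AllowLogOnLocally.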
User Comments
by
Kevin
added Thursday, March 03, 2011
How does this affect "Service Accounts" utilised by applications to start up with certain privileges? For example, if I have an anti-virus user account utilised as a service account and this account has been defined as a domain administrator within the domain to function, e.g. McafeeEPOSVC, Sharepoint etc. Would the application utilising this account to start still be able to start up if the "Deny logon locally logon right" has been set for the McafeeEPOSVC, Sharepoint service accounts?

I have not been able to verify this: is it possible for someone to log in to systems if they know the passwords for service accounts (part of the domain administrators group)? With so many service accounts, and in environments with multiple administrators where the passwords may not be centrally kept and managed, I see it as a mitigating control to deny service accounts interactive logon. In the event a service account's password becomes known, the intruder would not be able to log in to the system directly. But I have not been able to establish whether it is in fact possible to interactively log in to systems if you know the password of the service accounts.
by
RandyFranklinSmith...
added Thursday, March 03, 2011
Kevin, when a service starts up the logon type is "service" and requires the "Log on as a service" right, not this right.
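The script below is an added example, not code from the comment thread or from WinSecWiki. It implements the mitigating control discussed above: the service account keeps (or is granted) "Log on as a service" so the service still starts with a service-type logon, and is added to "Deny log on locally" so a leaked password cannot be used at the console. The account name CORP\svc-epo is hypothetical. Because secedit /configure replaces each right it is given with exactly the template's list, the script first exports the current assignments and carries the existing members forward. It assumes an elevated PowerShell session on a domain-joined Windows machine.

```powershell
# Added example (not from the WinSecWiki comment thread): grant SeServiceLogonRight and add
# SeDenyInteractiveLogonRight for a service account, preserving everyone already assigned.
# Assumes: elevated session; CORP\svc-epo is a hypothetical account name, replace with yours.

$ServiceAccount = 'CORP\svc-epo'

# secedit templates reference principals as *SID, so resolve the name first
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$sidRef = "*$sid"

$export = Join-Path $env:TEMP 'rights-before.inf'
$null = secedit.exe /export /cfg $export /areas USER_RIGHTS /quiet
$current = Get-Content -Path $export -Encoding Unicode

# Current assignment list for a right as written in the export (SIDs or names), or empty
function Get-RightList([string]$Right) {
    $line = $current | Where-Object { $_ -match "^\s*$Right\s*=" }
    if (-not $line) { return @() }
    @((($line -split '=', 2)[1].Trim() -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

# Carry existing members forward and add the service account where it is missing
$service = @(Get-RightList 'SeServiceLogonRight')
$denyInt = @(Get-RightList 'SeDenyInteractiveLogonRight')
if ($service -notcontains $sidRef) { $service += $sidRef }
if ($denyInt -notcontains $sidRef) { $denyInt += $sidRef }

# Minimal security template: only the [Privilege Rights] entries we touch
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $($service -join ',')
SeDenyInteractiveLogonRight = $($denyInt -join ',')
"@

$inf = Join-Path $env:TEMP 'svc-rights.inf'
$db  = Join-Path $env:TEMP 'svc-rights.sdb'
Set-Content -Path $inf -Value $template -Encoding Unicode
$null = secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet

# Verify by re-exporting and showing the two rights as they now stand
$null = secedit.exe /export /cfg $export /areas USER_RIGHTS /quiet
Get-Content -Path $export -Encoding Unicode |
    Where-Object { $_ -match '^(SeServiceLogonRight|SeDenyInteractiveLogonRight)' }

Remove-Item $inf, $db, $export -ErrorAction SilentlyContinue
```

Each right the template changes is recorded in the Security log as 4717 (right granted) or 4718 (right removed), so the change itself leaves an audit trail. If the machine receives User Rights Assignment from a GPO, that GPO overwrites the local setting at the next policy refresh; apply the same two rights in the GPO rather than locally in that case. The service keeps starting because the Service Control Manager performs a service logon (type 5), which the deny-interactive right does not cover.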