WinSecWiki > Security Settings > Local Policies > User Rights > User Rights In-Depth > Allow log on locally

Allow log on locally

AKA: SeInteractiveLogonRight, Allow log on locally

Default assignment on workstations and member servers: Administrators, Backup Operators, Power Users, Users, and Guest

Default assignment on domain controllers: Account Operators, Administrators, Backup Operators, Print Operators, and Server Operators

This right controls who can logon interactively at the local console of the computer. This right should have been named “Allow log on interactively” since the term “interactive” is used everywhere else in Windows for this type of logon. Allow log on locally has nothing to do with local user accounts in the SAM. Only allow this right for user who you wish to be able to logon at the local keyboard and monitor of computer. Note that by default any user in the forest can logon to any workstation or member server because the local Users group includes Domain Users as a member. And even on domain controllers this right’s default assignments are too lax for most environments given that they allow operators to logon locally.

In Windows 2000 (pre SP2) this right also allows you to logon via Terminal Services. In Windows 2000 SP2, XP and 2003, Microsoft added the Allow logon through Terminal Services right and removed Terminal Services logon ability from Allow log on locally.

The Deny logon locally logon right overrides this right.

Use of this right does not generate a Privilege Use event in the Windows security log but local logons do generate event ID 528/4624 with logon type 2. 

Changes to these logon rights assignments are logged by event IDs 621/4717 and 622/4718.

More information at Logon Rights.

Back to top


Additional Resources