
Allow logon through Terminal Services

AKA: SeRemoteInteractiveLogonRight, Allow logon through Terminal Services 

Default assignment on workstations and member servers: Administrators, Remote Desktop Users 

Default assignment on domain controllers: Administrators 

This right first appears in Windows 2000 Service Pack 2 and continues in XP and 2003. It controls who can establish remote desktop (aka Terminal Services) connections to this computer, which makes it an important right to control properly. The default assignments are reasonably appropriate.

The Deny logon through Terminal Services right overrides this right. 

Use of this right does not generate a Privilege Use event in the Windows security log, but remote desktop logons do generate event ID 540/4624 with logon type 10.

Changes to these logon rights assignments are logged by event IDs 621/4717 and 622/4718.
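The following PowerShell sketch is an added example, not part of the original page. It lists who currently holds this right and the Deny right that overrides it, then pulls recent logon type 10 events and changes to either right. It covers only the newer event IDs (4624, 4717, 4718); the scratch file name, the helper name `Get-EventFields` and the 50-event limit are assumptions made for illustration.

```powershell
# Added example. Run from an elevated prompt on the computer being reviewed.
$rights = 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'

# Helper (hypothetical name): flatten an event's EventData into a hashtable.
function Get-EventFields($Record) {
    $fields = @{}
    ([xml]$Record.ToXml()).Event.EventData.Data |
        ForEach-Object { $fields[$_.Name] = $_.'#text' }
    $fields
}

# 1. Current holders of the allow right and of the deny right that overrides it.
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # assumed scratch file
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$export = Get-Content $cfg
Remove-Item $cfg
$assignments = foreach ($right in $rights) {
    $line = $export | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = if ($line) {
        ($line -split '=', 2)[1] -split ',' | ForEach-Object {
            $id = $_.Trim().TrimStart('*')   # SIDs are exported as *S-1-...
            try   { ([System.Security.Principal.SecurityIdentifier]$id).Translate(
                        [System.Security.Principal.NTAccount]).Value }
            catch { $id }                    # already a name, or an unresolvable SID
        }
    }
    [pscustomobject]@{ Right = $right; Holders = @($holders) -join '; ' }
}
$assignments | Format-Table -AutoSize -Wrap

# 2. Recent remote desktop logons: event 4624 with logon type 10.
$logonXPath = "*[System[(EventID=4624)] and EventData[Data[@Name='LogonType']='10']]"
Get-WinEvent -LogName Security -FilterXPath $logonXPath -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{ Time   = $_.TimeCreated
                           User   = "$($f.TargetDomainName)\$($f.TargetUserName)"
                           Source = $f.IpAddress }
    } | Format-Table -AutoSize

# 3. Grants (4717) and removals (4718) that touch either right.
$changeXPath = "*[System[(EventID=4717 or EventID=4718)]]"
Get-WinEvent -LogName Security -FilterXPath $changeXPath -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        $right = if ($_.Id -eq 4717) { $f.AccessGranted } else { $f.AccessRemoved }
        if ($rights -contains $right) {
            [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; Right = $right
                               Account = $f.TargetSid; ChangedBy = $f.SubjectUserName }
        }
    } | Format-Table -AutoSize
```

An account that appears, directly or through group membership, under both rights is denied, because the Deny right takes precedence.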

More information at Logon Rights.

