WinSecWiki > Security Settings > Local Policies > User Rights > User Rights In-Depth > Deny logon locally

Deny logon locally

AKA: SeDenyInteractiveLogonRight, Deny logon locally

Default assignment: None

This is the opposite of Allow log on locally and any user with both rights will be denied the right to logon interactively. See discussion of logon rights.

If you inadvertently assign this right to Everyone you will not be able to logon to the computer with any account including administrator accounts. In such a case you will have to revoke this right through

  • group policy if the computer is a member of a domain
  • remotely with the ntrights resource kit utility
  • remotely replacing the %SystemRoot%\Security\Database\Secedit.sdb file from another working computer running the same operating system.

Normally this right would only be used for special exceptions where a user who should not be able to logon locally gets that right through membership in a group from which you cannot remove him for other reasons.

Back to top


Upcoming Webinars
    Additional Resources