WinSecWiki > Security Settings > Local Policies > User Rights > Logon Rights

Logon Rights

10 of the privileges in this list are “logon rights” which control if and how accounts can logon to the system. There are five logon types in Windows. Here you will find an “allow” and “deny” right for each logon type making for a total of 10 logon rights. If a user ends up with both the allow and deny rights for a given logon type, deny overrides allow.

Logon Type	Allow	Deny
Interactive	Allow log on locally	Deny log on locally
Network	Access this computer from the network	Deny access to this computer from the network
Remote Interactive	Allow log on through Terminal Services	Deny log on through Terminal Services
Service	Log on as a service	Deny log on as a service
Batch	Log on as a batch job	Deny log on as a batch job

Use of these logon rights does not generate a Privilege Use event in the Windows security log but logons do generate event ID 528 or 540 (4624 post Win2003).

Changes to these logon rights assignments are logged by event IDs 621/4717 and 622/4718.

Upcoming Webinars

Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

User Rights

•	Logon Rights
•	Admin Equivalent Rights
•	Tracking Rights
•	User Rights In-Depth

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.