WinSecWiki > Security Settings > Local Policies > User Rights > Logon Rights

Logon Rights

10 of the privileges in this list are “logon rights” which control if and how accounts can logon to the system. There are five logon types in Windows. Here you will find an “allow” and “deny” right for each logon type making for a total of 10 logon rights. If a user ends up with both the allow and deny rights for a given logon type, deny overrides allow.

Logon Type Allow Deny
Interactive Allow log on locally Deny log on locally
Network Access this computer from the network Deny access to this computer from the network
Remote Interactive Allow log on through Terminal Services Deny log on through Terminal Services
Service Log on as a service Deny log on as a service
Batch Log on as a batch job Deny log on as a batch job


Use of these logon rights does not generate a Privilege Use event in the Windows security log but logons do generate event ID 528 or 540 (4624 post Win2003). 

Changes to these logon rights assignments are logged by event IDs 621/4717 and 622/4718.

Back to top

 

Upcoming Webinars
    Additional Resources