Which access right is required to add or remove Log on to Workstations

myquestforLearning 1 Reputation point

For restricting the end users, we are trying to use the Log on to button in User Account properties. We try to run the following command, which fails:

Set-ADUser -Identity <UserID> -LogonWorkstations <Hostname>

When we raised this with the vendor (who supports AD) they advised that a design change is required to grant this access.

Can an expert here verify which access rights are required so that a group of users can get the access to add/remove computers to User account - Log on to tab?

Active Directory

2 answers

  1. Ilia Ershov 126 Reputation points

    You need to delegate Write/Read LogonWorkstation permissions on the user account.
    Remember this attribute has a 64-entry limit. You should use GPO and allow logon locally instead.

  2. Fan Fan 15,276 Reputation points Microsoft Vendor

    To grant the users or groups the permission to change the UserWorkstations attribute, we should assign the Write/Read LogonWorkstation permissions.
    Right-click the domain name or OU name (containing the users that need to be managed).
    Right-click your OU/container and then go to Properties.
    Go to the Security tab and then go to Advanced Security.
    Click Add..., specify the user name of the user/group that will be delegated the permission, then go to the Properties tab, select Descendant User objects, and then you will be able to find the permissions.
    Also, make sure that the following permission is also selected (by default)

    Workstation Logon Restrictions for AD Users (Log On To), you can refer to the following link:

    Please note: The given technical support contact information belongs to a third party and may vary without notice. Microsoft does not guarantee the information accuracy.

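The delegation described in the answers above, scripted as an added example (not code posted by either answerer): it grants one group Read/Write on the `userWorkstations` attribute only, inherited by descendant user objects under one OU, and then lists the resulting ACEs so the scope can be reviewed. The OU distinguished name and group name are placeholders, and the script assumes the ActiveDirectory module and an account allowed to modify the OU's ACL.

```powershell
# Added example: delegate Read/Write on userWorkstations (the "Log On To" list)
# for user objects under one OU. $ouDn and $groupName are placeholders.
Import-Module ActiveDirectory

$ouDn      = 'OU=Staff,DC=example,DC=com'   # placeholder: OU containing the managed users
$groupName = 'LogonTo-Admins'               # placeholder: group receiving the delegation

# Resolve schema GUIDs at run time instead of hard-coding them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapName) {
    $obj = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapName' not found" }
    [guid]$obj.schemaIDGUID
}
$attrGuid = Get-SchemaGuid 'userWorkstations'   # attribute behind the Log On To tab
$userGuid = Get-SchemaGuid 'user'               # limits inheritance to user objects

$sid = (Get-ADGroup -Identity $groupName).SID

# Allow ReadProperty + WriteProperty on that single attribute, applied to
# descendant user objects only (not to the OU itself or other object classes).
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: show every ACE on the OU that is scoped to this attribute,
# so an unexpected trustee or a broader inheritance type stands out.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.ObjectType -eq $attrGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights,
                  InheritanceType, InheritedObjectType
```

Running the verification query on its own is also a quick way to audit who already holds this delegation on an OU.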