This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 45%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESE%3C/text%3E%3C/svg%3E)
We made multiple mistakes applying a deny logon locally policy which we had though was set to deny the local admin for each computer, but it ended up denying any group/user that was in the Administrators group not local admin. So we removed that part of the policy but even after gpupdate /force and restarts of workstations it was still being blocked. We then created a new policy that specifically denied login for a new test account and applied that. Once that was applied our admin accounts could login. To further confuse myself I have a test computer deny all policies and could login, applied our default policy and the test deny policy and could still login, denied the default policy and could still login, denied the test policy and could not login. Checked rsop.msc and it shows default policy is still applied even though my test machine is in delegation and set to deny the policy. I am assuming the default policy in some way is still either denying the logins, or when the original deny was set, the deny was set locally and when a new policy doesn't have a deny policy it reverts back to the original deny setting that the first policy set. We have a plan to restore the sysvol folder to recover the policy files before all this happened but wanted to post to see if anyone had any ideas. Is the allow logon locally set will it deny login for anything not listed in allow? Thanks and sorry if that is too much text to follow.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi
Is the allow logon locally set will it deny login for anything not listed in allow?
Yes I confirm . When you set allow logon locally GPO settings , only users and groups mentioned in the list in this setting can logon.
Please don’t forget to accept helpful answer
so if I set the allow log on locally back to not defined it should reset to default and allow users to login normally or is that setting not reset when the policy is no longer applied?
Yes , it should reset and back to the value applied through the local GPO.
Please don't forget to accept helpful answer
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello Stuart Earp,
Thank you for posting in Q&A forum.
If an account is restricted by both the Deny Local Login and Allow Local Login policies, the denial of local login takes precedence over allowing local login.
**
I assume there is no deny logon locally to the machine in the example below.
For example:**
If "Allow log on locally" is Not Configured, then it will apply the default settings:
Default:
On workstations and servers: Administrators, Backup Operators, Power Users, Users, and Guest.
On domain controllers: Account Operators, Administrators, Backup Operators, and Print Operators.
If we checked the option "Define these policy settings" about "Allow log on locally", and there is no user or group, then no user will allow log on locally.
If we checked the option "Define these policy settings" about "Allow log on locally", and there is one user below, then only this one user (lan) will allow log on locally.
I hope the information above is helpful. If you have any question or concern, please feel free to let us know.
If the Answer is helpful, please click "Accept Answer" and upvote it.
So i've denied the polices that apply allow and deny to local login and confirmed my admin account cannot log in. Looking at the local security policies the administrators group is listed as being allowed to login, which is a group that my admin account is part of. Any ideas on why I can't log in without a specific policy that adds a test account to the deny login?
I apprecaite everyone's input, but I still cannot log in unless I have a policy that denies a test account local login. I've checked the local security policy and it has reverted back to the "Guest, Administrators, Users, Backup Operators" for Allow Log on locally which my account is part of the administrators group. The deny log on is empty except for "Guest" Any other suggestions on what could be blocking the login?
@Stuart Earp •
Can you generate a GPO report on one of impacted machine and share with us the following settings: Deny Logon Locally Allow Logon Locally Deny and Allow through remote desktop Services.
Please don't forget to accept helpful answer
@Thameur-BOURBITA The screenshot in my comment above shows the settings on an affected machine does that work? It displays the deny and allow settings. The red scratch I put is just hiding our domain name and shows that it is getting policies that I have not set the machine to deny. If I run gpresult /h there are no settings defined
Did you check the local GPO ? To open local GPO on inpacted macine run this with local administrator account
gpedit.msc
Please don't forget to accept helpful answer
This setting can be configured thruogh Local security Policy.
Luanch secpol.msc with administrator account and remove this group from deny setting manually.
Please don't forget to accept helpful answer
@Thameur-BOURBITA thanks for the suggestions, but sadly checking gpedit.msc and secpol.msc are the same results for the allow and deny settings as my screenshot above. both are set their default
@Stuart Earp •
Did you try to remove this setting through gpedit.msc or secpol.msc ?
Please don't forget to accept helpful answer
@Stuart Earp •
You can apply this workaroud:
Please don't forget to accept helpful answer
@Thameur-BOURBITA we actually found the issue! My teammate added a group to the non interactive deny that had our domain admin group in that group. So after removing that group we were able to login. I really appreciate all your help with this, hope you have a great day!
@Stuart Earp •
Happy to hear that your issue is fixed.
Please don't forget to close this thread by accepting helpful answer