Permit users to log on locally to a domain controller

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To permit users to log on locally to a domain controller

  1. Open Domain Controller Security Policy.

  2. In the console tree, click User Rights Assignment.


    • GroupPolicyObjectName [DomainControllerName] Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment
  3. In the details pane, double-click Allow log on locally.

  4. If this security setting has not yet been defined, select the Define these policy settings check box, and click Add User or Group.

  5. In Add user or group, specify the user or group who will be granted permission to log on locally, and then click OK twice.


  • To open Domain Controller Security Policy, click Start, click Control Panel, double-click Administrative Tools, and then double-click Domain Controller Security Policy.

  • You can also explicitly deny users or groups the permission to log on locally by configuring the "Deny log on locally" user right. For more information, see Related Topics.

  • Setting changes are applied every five minutes on a domain controller. Every 16 hours, there is a forced refresh on the settings, regardless of any changes.

  • User Rights are defined by default in the Default Domain Controller Group Policy object, which is associated with the Domain Controllers organizational unit. As a result, all domain controllers have the same User Rights policy.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also


Logon rights
Deny log on locally
Allow log on locally
User Rights Assignment