Windows: Block Remote Network Access for Local User Accounts

Using local accounts (including the local administrator) to access another computer over the network in Active Directory environments is not recommended for a number of reasons. The same local administrator username and password are often used on many computers, which can put multiple devices at risk if a single computer is compromised (the pass-the-hash attack threat). Moreover, access to network resources with local accounts is hard to attribute to a specific person and to monitor centrally, because such events are not logged on AD domain controllers.

To mitigate the risk, administrators can rename the default local Windows Administrator account. To regularly change the local administrator password on all computers in the domain, you can use the MS LAPS tool (Local Administrator Password Solution). But these solutions do not solve the problem of restricting network access for all local user accounts, since there can be more than one local account on a computer.

You can restrict network access for local accounts using the "Deny access to this computer from the network" policy. But this policy requires you to explicitly list all accounts that need to be denied network access to the computer. In Windows 8.1 and Windows Server 2012 R2, two new well-known security groups with new SIDs appeared. One includes all local users, and the second includes all local administrators.

  • NT AUTHORITY\Local account – All local accounts
  • NT AUTHORITY\Local account and member of Administrators group – All local accounts with the administrator privileges

Now, to restrict access for local accounts, you can use their common SIDs.

These groups are added to the user’s access token during logon to the computer under a local account.

To make sure that in Windows 10/Windows Server 2016 your local administrator account is assigned the two new security groups (NT AUTHORITY\Local account (SID S-1-5-113) and NT AUTHORITY\Local account and member of Administrators group (SID S-1-5-114)), run the command:

Whoami /all

Well-known security group NT AUTHORITY\Local account and member of Administrators group S-1-5-114

You can check if these security groups exist on your Windows device by SID using the following PowerShell script:

$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-113")
$objAccount = $objSID.Translate([System.Security.Principal.NTAccount])
$objAccount.Value

To block remote network access for local user accounts that carry these SIDs in their token, use the settings in the GPO section Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.

Deny Remote Desktop (RDP) Access for Local Users and Administrators

The "Deny log on through Remote Desktop Services" policy allows you to specify users and groups that are explicitly denied the right to log on to a computer remotely via Remote Desktop. You can deny RDP access to the computer for local and domain accounts.

If you want to restrict RDP connections for local users only (including local administrators), open the local GPO editor gpedit.msc (if you want to apply these settings on computers in the Active Directory domain, use the domain Group Policy Editor – gpmc.msc). Go to the GPO section User Rights Assignment and edit the "Deny log on through Remote Desktop Services" policy.

Add the built-in local security groups “Local account and member of Administrators group” and “Local account” to the policy. Update local Group Policy settings using the command: gpupdate /force

Now, if you try to connect to your computer under a local user account via RDP, an error will appear:

To sign in remotely, you need the right to sign in through Remote Desktop Services

Deny Access to Computer from the Network

You can deny network access to a computer under local credentials with the Deny access to this computer from the network policy.

Add the local groups “Local account” and “Local account and member of Administrators group” to the "Deny access to this computer from the network" policy. Also, you should always deny anonymous access and access under a guest account.

After applying the policy, you won’t be able to remotely connect to this computer over the network under any local Windows account. When trying to connect to a shared network folder or map a network drive from this computer under a local account, an error will appear:

When trying to establish a Remote Desktop connection under the local administrator account ( .\administrator ), an error message appears.

The system administrator has restricted the types of logon (network or interactive) that you may use. For assistance, contact your system administrator or technical support.

Deny Users to Sign in Locally to Windows 10

Using the "Deny log on locally" policy, you can also restrict interactive logins to the computer/server under local Windows accounts. Go to the GPO User Rights Assignment section and edit the "Deny log on locally" policy. Add the required local security group to it.

Now, if a user or administrator tries to log on to the computer under a local account, a message will appear:

The sign-in method you are trying to use isn’t allowed

Thus, you can deny network access under local Windows accounts to computers and domain-member servers, and increase the security of the corporate environment.
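To confirm that the policy actually reached a computer, the following added example (not part of the original article) exports the effective user rights with secedit and reports whether S-1-5-113 and S-1-5-114 are present in each of the three deny rights discussed above. The function and variable names are this example's own, and it assumes an elevated PowerShell session.

```powershell
# Added example: audit the deny rights from this article on the local computer.
# Assumption: run from an elevated session (secedit /export needs admin rights).
$localAccountSid      = 'S-1-5-113'  # NT AUTHORITY\Local account
$localAdminAccountSid = 'S-1-5-114'  # NT AUTHORITY\Local account and member of Administrators group

$denyRights = [ordered]@{
    SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
}

function ConvertTo-SidString {
    # secedit writes each entry either as "*<SID>" or as an account name.
    param([string]$Entry)
    if ($Entry.StartsWith('*')) { return $Entry.Substring(1) }
    try {
        $account = New-Object System.Security.Principal.NTAccount($Entry)
        return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $Entry   # keep the raw name if it cannot be translated
    }
}

function Get-UserRightSids {
    # Returns the SIDs assigned to one right in an exported security template.
    param([string[]]$InfLines, [string]$Right)
    $line = $InfLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return }   # right not defined: nobody is assigned
    ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ } |
        ForEach-Object { ConvertTo-SidString -Entry $_ }
}

function Test-LocalAccountDenyRights {
    $cfg = Join-Path $env:TEMP ('user-rights-{0}.inf' -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
        $lines = Get-Content -Path $cfg
        foreach ($right in $denyRights.Keys) {
            $sids = @(Get-UserRightSids -InfLines $lines -Right $right)
            $allLocal = $sids -contains $localAccountSid
            [pscustomobject]@{
                Right                  = $right
                Policy                 = $denyRights[$right]
                DeniesAllLocalAccounts = $allLocal
                # Local administrators also carry S-1-5-113, so either SID covers them.
                DeniesLocalAdmins      = $allLocal -or ($sids -contains $localAdminAccountSid)
                AssignedTo             = $sids -join ', '
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

Test-LocalAccountDenyRights | Format-List
```

A right that is missing from the export is reported with an empty AssignedTo value, which means the policy has not been applied to that computer.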

Thanks for the good article

Great article. And how to allow .\administrator on a specific computer only?

You can exclude a user or group from a Group Policy Object. To do this, find the GPO you want to apply an exception on in the Group Policy Management Console. Go to the Delegation tab -> Advanced -> Add -> Select a computer name to exclude -> Select “Deny” in the “Apply group policy” permission.

What if I want to allow only local administrator (i.e. RID-500 account) to logon over network and to deny logon over network to all other local (and local only) accounts ? There is no SID for “every local account but RID-500 admin” so I presume it is not an easy job to do.

Wonderful article. In order to block the remote network access under local user accounts containing these SIDs in the token, you can use the settings from the GPO section Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.

I am just a regular user who would like to stop the user that is logging onto my computer through windows 10 NT Authority Logon Special Logon then changing the group policy to establish an organization workgroup as administrator that takes my right to use my computer or change settings without administrator permission. I found that I am possibly being forced to use a virtual machine that has a virtual internet with a recreated web page of my online Brokerage account. Recreating a person's bank account is not the same as a Brokerage account that is time intensive throughout the trading hours and immediately noticeable that I am not logged into the real online account instantly changing values of my portfolio assets and available trading funds change as soon as an order is filled. For someone to create a virtual environment to access or control my use of my Portfolio would take twenty four hour a day monitoring especially during trading hours. I DO NOT KNOW HOW TO STOP THE USE OF THE NT AUTHORITY LOGON SPECIAL LOGON PRIVILEGE ASSUME SYSTEM OWNER THAT ALLOWS THE REMOTE USER TO CONTROL MY COMPUTER AS AN ORGANIZATION DEVICE THAT TAKES MY RIGHT TO USE IT AWAY FROM ME. How do I IDENTIFY and STOP the remote USER that is HIJACKING and STEALING MY COMPUTER SYSTEM by accessing my computer through WINDOWS 10 NT AUTHORITY using LOGON SPECIAL LOGON PRIVILEGES TO ASSUME SYSTEM OWNER to change the Policies that allow that user to deny me the right to use a computer I paid for and own

Remotely managed and used as an organization device hosting service with an unknown number of clients who can Hyper-V to create an endless number of Virtual Machines interconnected and used by the remote manager to create a Hive

User rights assignment in Windows Server 2016

4sysops - The online community for SysAdmins and DevOps

Leos Marek

Security policy settings are sets of rules that control various aspects of protection. They include account policies, local policies, user rights assignment, the Windows firewall, software restrictions, and so on. There are several ways to configure security policy settings. The most common are:

  • Group policy objects (GPO) – Used in Active Directory domains to configure and regularly reapply security settings to multiple computers.
  • Local security policy (secpol.msc) – Used to configure a single (local) computer. Note that this is a one-time action. If another administrator changes these settings, you will need to manually change them back to the required state.

As most organizations use an Active Directory domain, it is preferred to apply security settings via group policies. You should have at least three security baselines created and linked in your domain, based on the following machine types:

  • Domain Controllers (DC)
  • Member Servers (MS)
  • User Workstations

Configuring user rights assignment via Group Policy

If you have multiple versions of operating systems (OS) running on these machines, you should create separate baselines for each OS version, as some settings might not be available. This also enables stricter configuration for older systems, as they are usually less secure.

Security policies do not support generated group names

The following groups are used throughout this article:

  • Administrators – Members of this group have full, unrestricted access to the computer. Even if you remove some privileges from the Administrators group, a skilled administrator can still bypass those settings and gain control of the system. Only add highly trusted people to this group.
  • Authenticated Users – A special security principal that applies to any session that was authenticated using some account, such as a local or domain account.
  • Local account and member of Administrators group – A pseudogroup available since Windows Server 2012 R2. It applies to any local account in the Administrators group and is used to mitigate pass-the-hash attacks (lateral movement).
  • Remote Desktop Users – Members of this group can access the computer via Remote Desktop services (RDP).
  • Guests – By default, this group has no permissions. I don't think there is any need to use the Guest account and group today.

The Center for Internet Security (CIS) is a well-known non-profit organization that focuses on cybersecurity. To improve your knowledge of cybersecurity, you can access their free materials:

  • CIS Controls – A set of 20 basic and advanced cybersecurity actions (controls). Using these, you can stop the most common attacks.
  • CIS Benchmarks – Guidelines with specific configuration steps and detailed explanations. CIS Benchmarks are available for various products such as Windows Server, SQL Server, Apple iOS, and many more.

Both can be downloaded in exchange for your email address. There's no need to worry—there will be no further email, unless you choose to receive them.

Many companies and institutions create their security baselines based on CIS. I recommend you read CIS Controls. It really helped me to understand the importance of various security actions and settings.

CIS Benchmarks example

User rights assignments are settings applied to the local device. They allow users to perform various system tasks, such as local logon, remote logon, accessing the server from network, shutting down the server, and so on. In this section, I will explain the most important settings and how they should be configured.

For each setting, the following format is used:

Name of the setting: Recommended value, or values

Access Credential Manager as a trusted caller: No one (empty value)

Access to the Credential Manager is granted during Winlogon only to the user who is logging on. Saved user credentials might be compromised if someone else has this privilege.

Access this computer from the network: Administrators, Authenticated Users

Required for users to connect to the computer and its resources, such as an SMB share, shared printers, COM+, etc. If you remove this user right on the DC, no one will be able to log on to the domain.

Note: On DCs, you should also add the “ENTERPRISE DOMAIN CONTROLLERS” group.

Allow log on locally: Administrators

The default configuration includes the Users group, which allows a standard user to log on to the server console. Limit this privilege only to administrators.

Allow log on through Remote Desktop Services: Administrators, Remote Desktop Users

It's common practice that some applications are used via RDP sessions by standard users. This privilege is also frequently required for remote assistance offered by an organization's helpdesk. If a server is running Remote Desktop Services with the Connection Broker role, the Authenticated Users group must also be added to this privilege.

Note: On the DC, it is recommended to allow only administrators to connect via RDP.

Back up files and directories: Administrators

This is a sensitive privilege that allows a user to bypass NTFS permissions (only via an NTFS API interface, such as NTBACKUP). A malicious user could back up data and restore it on a different computer, thereby gaining access to it.

Deny access to this computer from the network/Deny log on through Terminal Services: Local account and member of Administrators group, Guests

The default value is only Guests. You should add the second group to prevent pass-the-hash attacks, so if a local elevated user is compromised, it cannot be used to elevate privileges on any other network resource, or access it via RDP.

Force shutdown from a remote system/Shut down the system: Administrators

Only administrators should be able to shut down any server, to prevent denial-of-service (DoS) attacks.

Manage auditing and security log: Administrators

This is a sensitive privilege, as anyone with these rights can erase important evidence of unauthorized activity.

Note: If you are running MS Exchange, the “Exchange Servers” group must be added to DCs.

Restore files and directories: Administrators

Attackers with this privilege can overwrite data, or even executable files used by legitimate administrators, with versions that include malicious code.

Take ownership of files or other objects: Administrators

A user with this privilege can take control (ownership) of any object, such as a file or folder, and expose sensitive data.

Deny log on as a batch job/Deny log on as a service/Deny log on locally: Guests

To increase security, you should include the Guests group in these three settings.

Debug programs/Profile single process/Profile system performance: Administrators

This setting allows a user to attach a debugger to a system or process, thereby accessing critical, sensitive data. It can be used by attackers to collect information about running critical processes, or which users are logged on.

Change the system time: Administrators, Local Service

Changes in system time might lead to DoS issues, such as unavailability to authenticate to the domain. The Local Service role is required for the Windows Time service, VMware Tools service, and others to synchronize system time with the DC or ESXi host.

Create a token object: No one (empty value)

Users with the ability to create or modify access tokens can elevate any currently logged on account, including their own.

Impersonate a client after authentication: Administrators, Local Service, Network Service, Service

An attacker with this privilege can create a service, trick a client into connecting to that service, and then impersonate that account.

Note: For servers running Internet Information Services (IIS), the "IIS_IUSRS" account must also be added.

Load and unload device drivers: Administrators

Malicious code can be installed that pretends to be a device driver. Administrators should only install drivers with a valid signature.

I hope this article helped you to understand why it is important to define a security baseline for your systems. Many of the settings are already configured properly following server deployment; however, if they are not controlled by a GPO, they can be manipulated by malicious users. Be careful to whom you grant administrator permissions.

Created a domain account to use as a service account and then tried to run powershell cmdlets against the active RDS management server.

Gave that account local admin access on the broker servers and then was able to get further.

Got the error “Access is denied” when trying to run the invoke-RDUserLogoff(with correct hostserver and unifiedsessionID values) to log off a session using that account.

Need to know what permissions should be granted to the account to provide ability to run this command and where like on the broker or the session host.

I can’t run the RD cmdlets on the RD broker to remove a user session without local administrator privileges on the broker and session host.

I need to know what user permissions are necessary to run these cmdlets as giving local admin is not desired.

Sir, we are having user1 in server1. We want to collect logs of server1 from server2 using credentials of user1. Surprisingly, even after entering the credentials of user1 in event viewer, it is taking logged-in credentials of the user logged into server2.


Set and Check User Rights Assignment via Powershell

You can add, remove, and check user rights assignment (remotely / locally) with the following PowerShell scripts.

Posted by : blakedrumm on Jan 5, 2022

This post was last updated on August 29th, 2022

I stumbled across this gem (weloytty/Grant-LogonAsService.ps1) that allows you to grant Logon as a Service Right for a User. I modified the script so you can now run the PowerShell script against multiple machines, users, and user rights.

Set User Rights

How to get it.

All of the User Rights that can be set:

Privilege PrivilegeName
SeAssignPrimaryTokenPrivilege Replace a process level token
SeAuditPrivilege Generate security audits
SeBackupPrivilege Back up files and directories
SeBatchLogonRight Log on as a batch job
SeChangeNotifyPrivilege Bypass traverse checking
SeCreateGlobalPrivilege Create global objects
SeCreatePagefilePrivilege Create a pagefile
SeCreatePermanentPrivilege Create permanent shared objects
SeCreateSymbolicLinkPrivilege Create symbolic links
SeCreateTokenPrivilege Create a token object
SeDebugPrivilege Debug programs
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session
SeDenyBatchLogonRight Deny log on as a batch job
SeDenyInteractiveLogonRight Deny log on locally
SeDenyNetworkLogonRight Deny access to this computer from the network
SeDenyRemoteInteractiveLogonRight Deny log on through Remote Desktop Services
SeDenyServiceLogonRight Deny log on as a service
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation
SeImpersonatePrivilege Impersonate a client after authentication
SeIncreaseBasePriorityPrivilege Increase scheduling priority
SeIncreaseQuotaPrivilege Adjust memory quotas for a process
SeIncreaseWorkingSetPrivilege Increase a process working set
SeInteractiveLogonRight Allow log on locally
SeLoadDriverPrivilege Load and unload device drivers
SeLockMemoryPrivilege Lock pages in memory
SeMachineAccountPrivilege Add workstations to domain
SeManageVolumePrivilege Perform volume maintenance tasks
SeNetworkLogonRight Access this computer from the network
SeProfileSingleProcessPrivilege Profile single process
SeRelabelPrivilege Modify an object label
SeRemoteInteractiveLogonRight Allow log on through Remote Desktop Services
SeRemoteShutdownPrivilege Force shutdown from a remote system
SeRestorePrivilege Restore files and directories
SeSecurityPrivilege Manage auditing and security log
SeServiceLogonRight Log on as a service
SeShutdownPrivilege Shut down the system
SeSyncAgentPrivilege Synchronize directory service data
SeSystemEnvironmentPrivilege Modify firmware environment values
SeSystemProfilePrivilege Profile system performance
SeSystemtimePrivilege Change the system time
SeTakeOwnershipPrivilege Take ownership of files or other objects
SeTcbPrivilege Act as part of the operating system
SeTimeZonePrivilege Change the time zone
SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller
SeUndockPrivilege Remove computer from docking station

Note: You may edit line 437 in the script to change what happens when the script is run without any arguments or parameters. This also allows you to change what happens when the script is run from the PowerShell ISE.

Here are a few examples:

Add Users

Single Users

Example 1
Add User Right “Allow log on locally” for current user:
.\Set-UserRights.ps1 -AddRight -UserRight SeInteractiveLogonRight

Example 2
Add User Right “Log on as a service” for CONTOSO\User:
.\Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeServiceLogonRight

Example 3
Add User Right “Log on as a batch job” for CONTOSO\User:
.\Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeBatchLogonRight

Example 4
Add User Right “Log on as a batch job” for user SID S-1-5-11:
.\Set-UserRights.ps1 -AddRight -Username S-1-5-11 -UserRight SeBatchLogonRight

Add Multiple Users / Rights / Computers

Example 5
Add User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 and run on the local machine and SQL.contoso.com:
.\Set-UserRights.ps1 -AddRight -UserRight SeServiceLogonRight, SeBatchLogonRight -ComputerName $env:COMPUTERNAME, SQL.contoso.com -UserName CONTOSO\User1, CONTOSO\User2

Remove Users

Single Users

Example 1
Remove User Right “Allow log on locally” for current user:
.\Set-UserRights.ps1 -RemoveRight -UserRight SeInteractiveLogonRight

Example 2
Remove User Right “Log on as a service” for CONTOSO\User:
.\Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeServiceLogonRight

Example 3
Remove User Right “Log on as a batch job” for CONTOSO\User:
.\Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeBatchLogonRight

Example 4
Remove User Right “Log on as a batch job” for user SID S-1-5-11:
.\Set-UserRights.ps1 -RemoveRight -Username S-1-5-11 -UserRight SeBatchLogonRight

Remove Multiple Users / Rights / Computers

Example 5
Remove User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 and run on the local machine and SQL.contoso.com:
.\Set-UserRights.ps1 -RemoveRight -UserRight SeServiceLogonRight, SeBatchLogonRight -ComputerName $env:COMPUTERNAME, SQL.contoso.com -UserName CONTOSO\User1, CONTOSO\User2

Check User Rights

In order to check the Local User Rights, you will need to run the above (Get-UserRights), you may copy and paste the above script in your Powershell ISE and press play.

Note: You may edit line 467 in the script to change what happens when the script is run without any arguments or parameters. This also allows you to change what happens when the script is run from the PowerShell ISE.

Get Local User Account Rights and output to text in console:

Get Remote SQL Server User Account Rights:

Get Local Machine and SQL Server User Account Rights:

Output Local User Rights on Local Machine as CSV in ‘C:\Temp’:

Output to Text in ‘C:\Temp’:

PassThru object to allow manipulation / filtering:

I like to collaborate and work on projects. My skills with Powershell allow me to quickly develop automated solutions to suit my customers, and my own needs.

Website : https://blakedrumm.com

My name is Blake Drumm, I am working on the Azure Monitoring Enterprise Team with Microsoft. Currently working to update public documentation for System Center products and write troubleshooting guides to assist with fixing issues that may arise while using the products. I like to blog on Operations Manager and Azure Automation products, keep checking back for new posts. My goal is to post at least once a month if possible.

Manually Granting the Access this computer from the network User Right

Learn how to edit a GPO's gpttmpl.inf file to solve a documented problem that causes administrative tools not to work.

ITPro Today

May 26, 2003

In "Don't Shoot Yourself in the Foot with Group Policy Security Settings, Part 1," http://www.winnetmag.com, InstantDoc ID 21656, you warned that within Group Policy Objects (GPOs) that are applied to domain controllers (DCs), removing all users and groups from the Access this computer from the network user right or assigning all users the Deny access to this computer from the network user right can cause severe problems. Can I manually grant the Access this computer from the network right to users without using a GPO?

The problems associated with removing all users and groups from the Access this computer from the network user right or assigning all users the Deny access to this computer from the network user right include preventing administrators—even those who are logged on locally—from running administrative tools, such as DNS Manager and the Microsoft Management Console (MMC) Active Directory Users and Computers, Active Directory Domains and Trusts, Active Directory Sites and Services, and Group Policy snap-ins. However, Microsoft has documented a way to manually edit gpttmpl.inf, the file that maintains rights assignments in a GPO, to grant the Access this computer from the network right to users on the DC.

At a DC console, log on as a member of Domain Admins, open Windows Explorer, navigate to %winroot%\Sysvol\Sysvol\Domainname\Policies, and examine the subfolders. Each subfolder in the Policies folder corresponds to a GPO in your domain. However, the subfolder names don't correspond to the GPO names. Rather, each subfolder derives its name from the corresponding GPO's globally unique identifier (GUID), a complex string that looks something like {31B2F340-016D-11D2-945F-00C04FB984F9}. Without being able to open the Active Directory Users and Computers snap-in, you can't easily obtain a GPO's GUID, so you'll need to do some detective work to determine the GUID of the GPO you're interested in. Within each GPO subfolder, you'll find gpttmpl.inf in Machine\Microsoft\Windows NT\SecEdit, as Figure 1 shows. You need to determine which subfolder corresponds to the GPO that restricts the Access this computer from the network right and edit that folder's gpttmpl.inf file. If you can't figure out the correct subfolder to edit, you can simply edit every GPO's gpttmpl.inf file temporarily.

Use Notepad to open the file, then look for a line that starts with SeNetworkLogonRight=. In this line, the GPO stores assignments for the Access this computer from the network right. Replace everything after the equals sign (=) with the string *S-1-1-0, which corresponds to the SID of the Everyone group. Then, look for a line that starts with SeDenyNetworkLogonRight=. The GPO stores assignments for the Deny access to this computer from the network right in this line. Delete everything after the equals sign on that line. (Policies that don't contain either of these lines are configured as Not defined in the GPO.) Save and close gpttmpl.inf.

Next, open the gpt.ini file in the GPO's folder. You'll find a line that starts with Version=. Increment the number that follows the equals sign, then save and close the file.

Finally, run the command

from the command line to force the DC to reapply Group Policy and thus update the rights assignments. After you log off and log back on to the DC, you should be able to run the Active Directory Users and Computers snap-in and other tools that depend on the Access this computer from the network right. For more details, see the Microsoft articles "'Access This Computer from the Network' User Right Causes Tools Not to Work" (http://support.microsoft.com/?kbid=257346), "Using Secedit.exe to Force Group Policy to Be Applied Again" (http://support.microsoft.com/?kbid=227448), and "Replication Does Not Work After Upgrading to Windows 2000" (http://support.microsoft.com/?kbid=249261).

—Randy Franklin Smith
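The "detective work" of finding which GPO folder sets these two rights can be done with a read-only scan of the Policies folder. The following is an added example, not code from the article: the function name, the placeholder GUID and the sample tree are constructed, and treating Everyone and Authenticated Users as "all users" is an assumption of this example.

```powershell
# Added example: report every GPO whose GptTmpl.inf defines the network-logon rights.
function Get-GpoNetworkLogonRight {
    [CmdletBinding()]
    param(
        # Policies folder in SYSVOL (one subfolder per GPO GUID)
        [Parameter(Mandatory)][string]$PoliciesPath
    )

    # Deny-right entries treated as "all users" (assumption of this example)
    $everyoneLike = @('*S-1-1-0', '*S-1-5-11')   # Everyone, Authenticated Users

    foreach ($gpo in Get-ChildItem -LiteralPath $PoliciesPath -Directory) {
        $inf = Join-Path $gpo.FullName 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }

        # Collect the two rights; a missing line means "Not defined" in this GPO
        $rights = @{}
        foreach ($line in Get-Content -LiteralPath $inf) {
            if ($line -match '^\s*(SeNetworkLogonRight|SeDenyNetworkLogonRight)\s*=\s*(.*)$') {
                $rights[$Matches[1]] = @($Matches[2].Split(',') |
                    ForEach-Object { $_.Trim() } | Where-Object { $_ })
            }
        }
        if ($rights.Count -eq 0) { continue }

        # Current GPO version from gpt.ini (the number the article says to increment)
        $version = $null
        $ini = Join-Path $gpo.FullName 'gpt.ini'
        if (Test-Path -LiteralPath $ini) {
            $m = Select-String -LiteralPath $ini -Pattern '^\s*Version\s*=\s*(\d+)' |
                Select-Object -First 1
            if ($m) { $version = [long]$m.Matches[0].Groups[1].Value }
        }

        $allow = $rights['SeNetworkLogonRight']
        $deny  = $rights['SeDenyNetworkLogonRight']
        $problems = @()
        if ($rights.ContainsKey('SeNetworkLogonRight') -and $allow.Count -eq 0) {
            $problems += 'SeNetworkLogonRight is defined but empty'
        }
        $hit = @($deny | Where-Object { $everyoneLike -contains $_ })
        if ($hit.Count -gt 0) {
            $problems += "SeDenyNetworkLogonRight contains $($hit -join ', ')"
        }

        [pscustomobject]@{
            GpoGuid  = $gpo.Name
            Version  = $version
            Allow    = $allow -join ','
            Deny     = $deny -join ','
            Problems = $problems -join '; '
        }
    }
}

# --- Constructed sample tree (placeholder GUID, not from a real domain) ---
$root   = Join-Path ([IO.Path]::GetTempPath()) ('gpo-demo-' + [guid]::NewGuid())
$gpoDir = Join-Path $root '{00000000-0000-0000-0000-000000000001}'
$secDir = Join-Path $gpoDir 'Machine\Microsoft\Windows NT\SecEdit'
New-Item -ItemType Directory -Path $secDir -Force | Out-Null
Set-Content -LiteralPath (Join-Path $secDir 'GptTmpl.inf') -Value @(
    '[Unicode]', 'Unicode=yes', '[Privilege Rights]',
    'SeNetworkLogonRight =',
    'SeDenyNetworkLogonRight = *S-1-1-0'
)
Set-Content -LiteralPath (Join-Path $gpoDir 'gpt.ini') -Value @('[General]', 'Version=65539')

Get-GpoNetworkLogonRight -PoliciesPath $root | Format-List
Remove-Item -LiteralPath $root -Recurse -Force
```

On a DC, pass the Policies folder described above as -PoliciesPath; the function only reads the files and changes nothing.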


Can't edit Local Security Policy

I'm trying to add users to the Access this computer from the network User Rights Assignment policy but the 'Add' button is disabled:


I'm connecting to the machine via RDP using the local Administrator account (not a domain user). I've also tried to do the same with a domain user that is in the Administrators group but the result is the same.

How can I add a user to this policy?

The machine is running Windows 7.

  • remote-desktop
  • administrator
  • group-policy


  • You need to be using a domain user in the Administrator user group –  Ramhound Commented Aug 27, 2015 at 12:38
  • I am using it (the built-in account..), but I log in via RDP. Does it matter? –  etaiso Commented Aug 27, 2015 at 12:38
  • You're not using one; you indicated you're using the local Administrator account. You need to be using a user connected to the domain with Administrator permissions. –  Ramhound Commented Aug 27, 2015 at 12:44
  • I also tried that. It's the same –  etaiso Commented Aug 27, 2015 at 12:46
  • Update your question; if I had known that, I could have saved time responding. –  Ramhound Commented Aug 27, 2015 at 12:51

You cannot edit this User Rights Assignment policy because this setting is being managed by a domain-based Group Policy. In this case, the domain Group Policy setting has precedence and you are prevented from modifying the policy via Local Group Policy.

To modify this policy, either:

  • Modify the policy in the applicable domain Group Policy Object.
  • Prevent any domain-based GPOs from specifying this setting, then edit the computer's Local Group Policy.

  • where can I find this policy in the GPO? –  marijnr Commented Jun 13, 2018 at 13:15
  • 2 Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment –  I say Reinstate Monica Commented Jun 13, 2018 at 13:16


Active Directory Admin Denied Access - Why?

Logged in as the domain admin of an Active Directory environment, I'm attempting to run this command to reboot a workstation:

I'm getting this error:

Why would the domain admin be denied access to execute this command?

  • active-directory
  • windows-server-2008-r2


  • 1 IMO, this shouldn't happen! Can you check if the workstation is having group policy applied (check if domain admins is in the Administrators group), and the proper SMB settings. I once encountered this problem when SMB2 was disabled on a Windows 7 desktop, and had to manually enable through regedit! –  Am_I_Helpful Commented Apr 7, 2019 at 7:39
  • 1 Is the problem specific to the shutdown command, or does it also fail if you try dir \\COMPUTER-NAME\c$ ? –  Harry Johnston Commented Apr 7, 2019 at 22:07
  • 1 Another setting to check is "Access this computer from the network" under User Rights Assignment in the local security policy. Also the corresponding "Deny access to this computer from the network". –  Harry Johnston Commented Apr 7, 2019 at 22:09
  • 1 The workstation might not be properly joined to the domain. I recommend logging into the workstation interactively using the local administrator account, double-checking that the computer is using the right computer name, and leaving and then re-joining the domain. –  Harry Johnston Commented Apr 7, 2019 at 23:54
  • 1 ... the target account name problem can also occur in some scenarios involving multiple domains, e.g., if computer-name is in domain A but you're trying to connect to it from a machine in domain B and there is a computer object in domain B that is also named computer-name . –  Harry Johnston Commented Apr 7, 2019 at 23:56

The issue was caused by a DNS Host(A) record that got auto-created 4 years ago: where another computer (renamed since) used to have the same name as the current computer I was trying to remotely reboot. That old record pointed to a different IP address than what the current computer (with that same name) is currently using via a DHCP reservation.

Harry Johnston suggested this command:

That produced this error:

He also suggested pinging "computer-name", which showed the wrong IP address!

So, I guess the shutdown command would not permit the reboot, because the computer that this old DNS record pointed to was not the computer I was trying to reboot; the name in DNS did not match the name on the computer specified in the shutdown command. "Accessed denied", was all the shutdown command produced. It's too bad it wouldn't indicate WHY access was denied.

Anyway, after removing that old dns record, the remote reboot succeeded.


User Rights Assignment

Applies To: Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8

This reference topic for the IT professional provides an overview and links to information about the User Rights Assignment security policy settings (user rights) that are available in the Windows operating system.

User rights govern the methods by which a user can log on to a system. User rights are applied at the local computer level, and they allow users to perform tasks on a computer or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a computer and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the User Rights Assignment item.

Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the Group Policy Management Console (GPMC) under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment, or on the local computer by using the Local Group Policy Editor (gpedit.msc).

For information about setting security policies, see How to Configure Security Policy Settings.

The following table links to each security policy setting and provides the constant name for each. Setting descriptions contain reference information, best practices for configuring the policy setting, default values, differences between operating system versions, and considerations for policy management and security.

Constant Name

  • SeTrustedCredManAccessPrivilege
  • SeNetworkLogonRight
  • SeTcbPrivilege
  • SeMachineAccountPrivilege
  • SeIncreaseQuotaPrivilege
  • SeInteractiveLogonRight
  • SeRemoteInteractiveLogonRight
  • SeBackupPrivilege
  • SeChangeNotifyPrivilege
  • SeSystemtimePrivilege
  • SeTimeZonePrivilege
  • SeCreatePagefilePrivilege
  • SeCreateTokenPrivilege
  • SeCreateGlobalPrivilege
  • SeCreatePermanentPrivilege
  • SeCreateSymbolicLinkPrivilege
  • SeDebugPrivilege
  • SeDenyNetworkLogonRight
  • SeDenyBatchLogonRight
  • SeDenyServiceLogonRight
  • SeDenyInteractiveLogonRight
  • SeDenyRemoteInteractiveLogonRight
  • SeEnableDelegationPrivilege
  • SeRemoteShutdownPrivilege
  • SeAuditPrivilege
  • SeImpersonatePrivilege
  • SeIncreaseWorkingSetPrivilege
  • SeIncreaseBasePriorityPrivilege
  • SeLoadDriverPrivilege
  • SeLockMemoryPrivilege
  • SeBatchLogonRight
  • SeServiceLogonRight
  • SeSecurityPrivilege
  • SeRelabelPrivilege
  • SeSystemEnvironmentPrivilege
  • SeManageVolumePrivilege
  • SeProfileSingleProcessPrivilege
  • SeSystemProfilePrivilege
  • SeUndockPrivilege
  • SeAssignPrimaryTokenPrivilege
  • SeRestorePrivilege
  • SeShutdownPrivilege
  • SeSyncAgentPrivilege
  • SeTakeOwnershipPrivilege


The Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems, and from unauthenticated access on all systems.

Finding ID: V-73759
Version: WN16-MS-000370
Rule ID: SV-88423r1_rule
IA Controls: (none listed)
Severity: Medium

Description
Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny access to this computer from the network" user right defines the accounts that are prevented from logging on from the network. In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower-trust systems helps mitigate the risk of privilege escalation from credential theft attacks, which could lead to the compromise of an entire domain. Local accounts on domain-joined systems must also be assigned this right to decrease the risk of lateral movement resulting from credential theft attacks. The Guests group must be assigned this right to prevent unauthenticated access.

STIG Date: 2017-11-20

Check Text (C-73841r1_chk)
This applies to member servers and standalone systems. A separate version applies to domain controllers.

Verify the effective setting in Local Group Policy Editor.

Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.

If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding.

Domain Systems Only:
- Enterprise Admins group
- Domain Admins group
- "Local account and member of Administrators group" or "Local account" (see Note below)

All Systems:
- Guests group

Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from denying the Enterprise Admins and Domain Admins groups.

Note: These are built-in security groups. "Local account" is more restrictive but may cause issues on servers such as systems that provide failover clustering.

Fix Text (F-80209r1_fix)
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny access to this computer from the network" to include the following:

Domain Systems Only:
- Enterprise Admins group
- Domain Admins group
- "Local account and member of Administrators group" or "Local account" (see Note below)

All Systems:
- Guests group

Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from denying the Enterprise Admins and Domain Admins groups.

Note: These are built-in security groups. "Local account" is more restrictive but may cause issues on servers such as systems that provide failover clustering.
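
The check above can also be run against an exported security template instead of reading the list in gpedit.msc. The following is an added example, not part of the STIG: the function name, its parameters and the sample lines are constructed, it assumes the export lists entries as SIDs (entries written as account names are not resolved and count as missing), and it identifies Enterprise Admins and Domain Admins by their well-known RIDs 519 and 512.

```powershell
# Added example: evaluate SeDenyNetworkLogonRight against the WN16-MS-000370 list.
function Test-DenyNetworkLogonStig {
    [CmdletBinding()]
    param(
        # Lines of a file produced by: secedit /export /areas USER_RIGHTS /cfg <file>
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$InfLines,
        # Domain-joined member server (standalone systems only need Guests)
        [switch]$DomainJoined,
        # AD admin platform: exempt from denying Enterprise Admins / Domain Admins
        [switch]$AdAdminPlatform
    )

    # Entries assigned the "Deny access to this computer from the network" right
    $entries = @()
    foreach ($line in $InfLines) {
        if ($line -match '^\s*SeDenyNetworkLogonRight\s*=\s*(.*)$') {
            $entries = @($Matches[1].Split(',') |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }

    # Requirement -> pattern that at least one entry must match
    $required = [ordered]@{ 'Guests group' = '^\*S-1-5-32-546$' }
    if ($DomainJoined) {
        if (-not $AdAdminPlatform) {
            $required['Enterprise Admins group'] = '^\*S-1-5-21-\d+-\d+-\d+-519$'
            $required['Domain Admins group']     = '^\*S-1-5-21-\d+-\d+-\d+-512$'
        }
        # Either built-in group satisfies the rule: S-1-5-113 or S-1-5-114
        $required['Local account / Local account and member of Administrators group'] =
            '^\*S-1-5-11[34]$'
    }

    $missing = @(foreach ($name in $required.Keys) {
        if (-not ($entries -match $required[$name])) { $name }
    })

    [pscustomobject]@{
        Compliant = ($missing.Count -eq 0)
        Missing   = $missing
        Entries   = $entries
    }
}

# --- Constructed sample export (the domain SID is made up) ---
$sample = @(
    '[Privilege Rights]',
    'SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544',
    'SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-114,*S-1-5-21-1111111111-2222222222-3333333333-512'
)
Test-DenyNetworkLogonStig -InfLines $sample -DomainJoined | Format-List

# On a live system, from an elevated prompt:
#   secedit /export /areas USER_RIGHTS /cfg "$env:TEMP\rights.inf" | Out-Null
#   Test-DenyNetworkLogonStig -InfLines (Get-Content "$env:TEMP\rights.inf") -DomainJoined
```

Anything listed under Missing is a finding for this rule. As the Note says, matching on S-1-5-114 instead of S-1-5-113 is acceptable where "Local account" would cause issues, such as on failover cluster nodes.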
