This article explains how to deny logon and allow logon locally to Windows workstations.

Kyle Beckman

Kyle Beckman works as a systems administrator in Atlanta, GA supporting Office 365 in higher education. He has 17+ years of systems administration experience.

One of the bigger challenges in some Active Directory environments is controlling who is allowed to log into workstations. By default, every user in AD automatically gets added to Domain Users. Domain Users is, once again by default, included in the local Users group on workstations when the workstations get added to AD. That means that unless you take action on either the user account or the computer configuration, any user account in your AD environment can log into any computer whether you want them to or not. If you’re in a smaller AD environment, this may not be a problem for you: you can go to the Account tab in Active Directory Users and Computers, click the “Log On To…” button and specify the computers the user is allowed to use.

ADUC Account tab, Log On To

However, in a larger environment, managing individual accounts can be very time consuming, especially if you have to manually specify computer names for every single user account that needs limited access. You can also run into other authentication problems using “Log On To…” if the account needs to access network resources.
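As an added example (not code from the article or from Microsoft), the PowerShell script below fills in a user's "Log On To..." list from the computer objects in one OU instead of typing names by hand, and lists which accounts already carry such a restriction so they can be found before moving to the Group Policy approach. It assumes the RSAT ActiveDirectory module and an account permitted to edit the user; the OU path and account name are placeholders.

```powershell
# Added example (not from the article): populate "Log On To..." from an OU.
# Assumes the RSAT ActiveDirectory module; OU path and user name are placeholders.
Import-Module ActiveDirectory

function Set-LogonWorkstationsFromOU {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $ComputerOU,   # e.g. "OU=Moderated Computers,DC=example,DC=local"
        [switch] $WhatIf
    )

    # Collect the names of every computer object in the OU and its sub-OUs.
    $names = Get-ADComputer -Filter * -SearchBase $ComputerOU -SearchScope Subtree |
        Select-Object -ExpandProperty Name | Sort-Object

    if (-not $names) { throw "No computer objects found under $ComputerOU" }

    # "Log On To..." is stored as one comma-separated string (the userWorkstations
    # attribute). The dialog in ADUC stops at 64 entries, so refuse rather than
    # silently truncating; beyond that size the Group Policy rights are the tool.
    if (@($names).Count -gt 64) {
        throw "$(@($names).Count) computers found; Log On To holds at most 64 names. Use Allow/Deny log on locally instead."
    }

    $list = $names -join ','
    Write-Host "Setting LogonWorkstations for $SamAccountName to: $list"
    Set-ADUser -Identity $SamAccountName -LogonWorkstations $list -WhatIf:$WhatIf
}

# Report which users already have a Log On To restriction in place.
function Get-UsersWithLogonWorkstations {
    Get-ADUser -Filter 'LogonWorkstations -like "*"' -Properties LogonWorkstations |
        Select-Object SamAccountName, LogonWorkstations
}

# Usage (placeholder values); drop -WhatIf to apply the change:
# Set-LogonWorkstationsFromOU -SamAccountName 'ljohnnie' -ComputerOU 'OU=Moderated Computers,DC=example,DC=local' -WhatIf
# Get-UsersWithLogonWorkstations
```

The restriction only covers interactive logons to the named computers, so the network-resource problems the paragraph above mentions still apply; the script is for keeping the list accurate, not for working around them.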

The good news is that two Group Policy settings, available in every Group Policy-managed version of Windows from Windows 2000 through Windows 8, solve this problem. Both can be found in Computer Configuration > Policies > Security Settings > Local Policies > User Rights Assignment.

Deny logon - Setting in Group Policy Editor


Deny log on locally

The “Deny log on locally” setting specifies the users or groups that are not allowed to log into the local computer. This policy can be found in Computer Configuration > Policies > Security Settings > Local Policies > User Rights Assignment > Deny log on locally.

Deny log on locally Properties


In my example, I’ve created a special group just for user accounts that I don’t want logging into an OU of computers. However, you can use any AD group here. Just avoid default AD groups like Domain Users or any of the Admin groups if you don’t want to get locked out.

Allow log on locally

The “Allow log on locally” setting specifies the users or groups that are allowed to log into the local computer. This policy can be found in Computer Configuration > Policies > Security Settings > Local Policies > User Rights Assignment > Allow log on locally.

Allow log on locally Properties


In my example, I’ve included the local workstation Administrators group, Domain Admins, and an AD group called “Allow Computer Logons.” With this configuration, only user accounts that are members of the local Admins group on the computer or one of the two AD groups are allowed to log in. Just as a reference, here is the default configuration for Windows 7:

Allow Log on locally Properties in Windows 7


A user who is not authorized to use a computer will see the following message on Windows XP:

The local policy of this system does not permit you to logon interactively


And here is the error message they will see on Windows Vista or 7 (the message is the same for both except for the OS name):

You cannot log on because the logon method you are using is not allowed on this computer


Tips

The Group Policy Management Console references Microsoft Knowledge Base article Q823659 for the Allow log on locally setting. Despite the old-style “Q” naming convention that is referenced, the article is fairly current and still applies to the newer versions of Windows. The KB article gives several examples of harmful configurations and a few more justifications for why you should consider using these two settings.

Here are a few things to keep in mind if you decide to implement these settings:

  • DO NOT apply them to Domain Controllers.
  • DO NOT put the settings into either of the default GPOs, Default Domain Policy or Default Domain Controllers Policy.
  • Deny trumps allow. If a user is in both Allow log on locally and Deny log on locally, Deny always wins.
  • Be on the lookout for software that creates local service accounts that need to be included in Allow log on locally. For instance, VMware Workstation and VMware Player have functionality that will not work unless the service account they create is included in Allow log on locally.
  • Only apply these settings to subsets of computers and not the entire domain.
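As an added example (not code from the article or from Microsoft), the PowerShell script below reads the two rights actually in force on a computer by exporting the local security policy with secedit, flags the entries the tips above warn about (Domain Users or the admin groups in the Deny list), and reports whether the account running it would still be allowed to log on interactively, with Deny taking precedence over Allow. It is meant to be run in an elevated session on a lab workstation after a gpupdate, before the GPO is linked more widely. The secedit command, the INF layout and the well-known SIDs are real; the sample export text and its domain SID are constructed placeholders.

```powershell
# Added example, not from the article: inspect Allow/Deny log on locally as applied
# on this computer and check the current account against them ("deny trumps allow").
# Assumes an elevated session; secedit needs admin rights to export the policy.

function Get-LogonRightPolicy {
    param([string] $InfText)   # exported INF text; omit to export the live policy

    if (-not $InfText) {
        $tmp = Join-Path $env:TEMP 'userrights.inf'
        secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        $InfText = Get-Content $tmp -Raw
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }

    # Under [Privilege Rights] each right reads:  SeRight = *SID,*SID,AccountName
    $rights = @{ SeInteractiveLogonRight = @(); SeDenyInteractiveLogonRight = @() }
    foreach ($line in $InfText -split "`r?`n") {
        if ($line -match '^\s*(SeInteractiveLogonRight|SeDenyInteractiveLogonRight)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    [pscustomobject]@{ Allow = $rights.SeInteractiveLogonRight; Deny = $rights.SeDenyInteractiveLogonRight }
}

function ConvertTo-Sid {
    param([string] $Entry)
    if ($Entry -match '^S-1-') { return $Entry }
    try { (New-Object System.Security.Principal.NTAccount($Entry)).Translate(
              [System.Security.Principal.SecurityIdentifier]).Value } catch { $Entry }
}

function ConvertTo-AccountName {
    param([string] $Entry)
    if ($Entry -notmatch '^S-1-') { return $Entry }
    try { (New-Object System.Security.Principal.SecurityIdentifier($Entry)).Translate(
              [System.Security.Principal.NTAccount]).Value } catch { $Entry }   # e.g. a deleted group
}

# Entries the Tips section warns about: Domain Users (RID 513) or admin groups in Deny.
function Find-RiskyLogonRightEntries {
    param([pscustomobject] $Policy)
    foreach ($sid in ($Policy.Deny | ForEach-Object { ConvertTo-Sid $_ })) {
        if ($sid -match '-513$')            { "Deny lists Domain Users ($sid): every domain account is locked out" }
        if ($sid -match '-512$')            { "Deny lists Domain Admins ($sid)" }
        if ($sid -eq 'S-1-5-32-544')        { "Deny lists the local Administrators group" }
        if ($sid -in 'S-1-1-0', 'S-1-5-11') { "Deny lists Everyone or Authenticated Users ($sid)" }
    }
}

# Would the account running this script still be allowed to log on interactively?
function Test-InteractiveLogonAllowed {
    param([pscustomobject] $Policy)
    $me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
    $allow  = @($Policy.Allow | ForEach-Object { ConvertTo-Sid $_ })
    $deny   = @($Policy.Deny  | ForEach-Object { ConvertTo-Sid $_ })
    $allowedBy = @($mySids | Where-Object { $allow -contains $_ })
    $deniedBy  = @($mySids | Where-Object { $deny  -contains $_ })
    [pscustomobject]@{
        User      = $me.Name
        Allowed   = ($allowedBy.Count -gt 0) -and ($deniedBy.Count -eq 0)   # deny always wins
        AllowedBy = @($allowedBy | ForEach-Object { ConvertTo-AccountName $_ })
        DeniedBy  = @($deniedBy  | ForEach-Object { ConvertTo-AccountName $_ })
    }
}

# Constructed sample export (placeholder domain SID) showing the mistake several
# commenters made: Domain Users placed in Deny log on locally.
$sampleInf = @"
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-513
"@
Find-RiskyLogonRightEntries (Get-LogonRightPolicy -InfText $sampleInf)

# Live check on this computer:
$policy = Get-LogonRightPolicy
"Allow: " + (($policy.Allow | ForEach-Object { ConvertTo-AccountName $_ }) -join ', ')
"Deny : " + (($policy.Deny  | ForEach-Object { ConvertTo-AccountName $_ }) -join ', ')
Find-RiskyLogonRightEntries $policy
Test-InteractiveLogonAllowed $policy | Format-List
```

The export reflects whatever is in force at that moment, so run gpupdate first if the GPO was just linked. The test only covers the account running the script; to check a different account, sign in as that account on the lab machine and run it again, since the group SIDs come from the live logon token rather than from an AD query.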


45 Comments
  1. Swordfish 3 years ago

    Hi Kyle, very useful article. Yesterday I set up Deny logon locally on Server 2012 and I included Domain Users. Guess what? I cannot access anything! Can I do something to overwrite this setup? Restore doesn't work, nothing works..


    • Kyle Beckman 3 years ago

      Deny logon should always be used very sparingly... as you've just found out. Remove the policy from applying from the server and wait... once the policy refreshes, you should be back in business. You may also still be able to log in as the local Administrator or as a Domain Admin that isn't a member of Domain Users.


  2. Bruce Cannon 3 years ago

    Figure this thread is dead, but here goes anyway...

    Nice article, but does not help me w/ the Little Johnnie problem...
    We like our AD and do not want to make many changes. We have a thousand users and everyone is welcome to log in wherever they need. Then there's Little Johnnie. He is our problem. We can not babysit him everywhere he goes, but there is a group of computers, in an OU named "Moderated Computers". We pay a baby sitter to watch these computers 24x7. I need to stop Little Johnnie from getting on any of our thousand computers, except for the one in the Moderated group. I do not want to prevent anyone else from using these. I want everything to stay the same, with the exception of restricting this one user. Now of course this is a made up example and I will use this in many places for many groups, but it explains best what I would like to accomplish. I do not want to create a user, then list the 64 computers that user can use, then create the next user and again tag him to 64 computers. I usually don't know the names of all the computers, but they exist in an OU.

    Ideas?

    Thanks. Looking forward to digging into your newer Office 365 policies.

    B


    • Kyle Beckman 3 years ago

      You're right... this happens a lot where "little Johnnie" = an employee who likes to see if he can do stuff he shouldn't do. Not to knock the after hours staff, but I've seen this happen a lot at big companies where employees with access to offices/cubes after hours use company PCs they shouldn't be using instead of working. My first reaction is that this is an HR issue, not a technology issue. (Or, in my case since I've spent a lot of time in HigherEd, a Dean of Students or Security issue.) If there's a clear policy and this person is violating it, he/she should be dealt with under the provisions of the policy. If there isn't a policy, one should be made. Except you and I both know that at some point, your boss is going to tell you that if the computer wouldn't let them log in, they wouldn't be getting in trouble.

      This is where you could use "Deny log on locally" policy. The gotcha is that you're going to have to apply the Deny log on locally globally to just about all the computers EXCEPT the moderated group of systems. We do this with all our systems since our IAM system doesn't always pull employees out fast enough while HR processes paperwork. We can drop them into our "Deny_Logon" AD group immediately that is listed in the "Deny log on locally" policy and the user account is locked out. Select systems don't have the policy applied in the event one of the 'denied' users needs to use a computer.


  3. Ro 3 years ago

    Thanks for the great article Kyle!
    Here's a question for you: I'd like my domain admins to NOT be able to log in to end-user machines on the floor.
    Will the Deny Log On Locally GPO do the trick?
    I just want to make sure I'm not blocking my domain admins from logging in to every machine and server out there...
    The idea behind it is simple: Last thing I need is my sysadmin forgetting his user logged on on one of the computers on the floor.

    Thanks so much!


    • Kyle Beckman (Author) 3 years ago

      I hope you don't have user accounts that are members of Domain Admins logging into computers. Those accounts should only be used for logging into DCs and everything else should be delegated to other accounts with lesser permissions. If someone has planted a keylogger on one of those PCs, you've just given away Domain Admin on your network.

      In theory, you could use this to block them from logging into computers, but I wouldn't recommend doing that unless you test it heavily in a lab environment and then only apply it to the computers... not the whole domain or servers.


  4. Ro 3 years ago

    Thanks Kyle!
    In that case, what would you recommend on doing in order to prevent the domain admin users from being able to do user-level tasks such as logging into desktops?


    • Kyle Beckman (Author) 3 years ago

      Pop them on the hand with a ruler when you catch them doing it? 🙂 (HR probably won't approve that method!) First off, limit your exposure by removing people from Domain Admins that don't need it. Second, if some people just don't get the memo, you can remove Domain Admins from the local Administrator group so they won't get Admin when they log in. Just remember that you'll have to put another group in the local Admins along with any service accounts for things like SCCM. And, if they have Domain Admin, they can put themselves in the group that can log in as an Admin.


  5. Ro 3 years ago

    Good deal mate! thank you!!!


  6. Wasim 3 years ago

    At one of my new clients, I was going through the Default Domain Policy and came across this "Allow Logon Locally" setting, which was defined with "Administrators, Domain Admins, and Users" as the members.
    Normally in a given AD structure, I believe this setting is set to "Not defined".

    If I am correct, the Default Domain Policy will apply to all computer accounts except domain controllers.
    Can you suggest if this is acceptable?


    • Kyle Beckman (Author) 3 years ago

      You're correct, this policy defaults to not defined... and should default to that. That said, under no circumstances would I put this policy into Default Domain Policy. You're just asking for trouble by making most changes there. This policy should be set in a sub-OU that contains computer objects. Your Default Domain Policy should be edited very sparingly... password policy, Kerberos settings, and CA root certs are just about all I'm ever comfortable putting there.


  7. Bruce 3 years ago

    Hi Kyle.
    I'm new to managing servers, but I have a Server 2012 R2 set up at home for my private network, and now we're going to add a MS SQL server as a VM for school. My question is: can I use this method to restrict everybody but me to the new VM? (as I don't want other people seeing my private stuff)

    - Thanks in advance, Bruce.


    • Kyle Beckman (Author) 3 years ago

      Absolutely, just remember that anyone with Domain Admin rights or with the ability to control the Group Policy on the OU where the Computer object is located can change the policy to allow themselves to log in.


  8. Ro 3 years ago

    Kyle,

    We are super frustrated here and figured we can use another brain.
    As we said before, we are trying to restrict domain admins from logging into staff's workstations. He came up with a deny local logon GPO but it also messed up the "Run As" so we can't install any software on their machines.
    Then we tried something else: putting our personal users (here at IT we have 2 accounts, one non-domain-admin account that we use for our daily stuff and 1 domain-admin account which we use for our IT stuff) in the local administrators group via GPO and then every time we want to install something we just log in with that account and install it. The problem is that even if we do log in with these accounts we are still unable to "run as" and get "permission elevation required" or something like that at the bottom of the "run as" window.
    What would you recommend doing?

    Thanks a million!

    Ro


    • Kyle Beckman (Author) 3 years ago

      You'll always be frustrated if you try to solve what equates to an HR problem with technology. A user with an account in Domain Admins has been entrusted with a certain level of responsibility by having that level of access. If your admins can't be trusted to do the right thing with their Domain Admin credentials, you've got a way bigger problem. I've only used these policies for allowing/denying logons of standard users on workstations. I've always had a workstation Admin group and Domain Admins in the allow group. You may be better served by a privilege management solution that allows non-Admin users more self service options or for the help desk to assist a user without having to log in. It also sounds like your organization needs a written policy on the usage of Domain Admin credentials.


  9. Ro 3 years ago

    Kyle,

    I think that I didn't explain myself properly: We have a bank audit which requires that my administrative account (as I said before, I have 1 administrative account and 1 regular account) will not be able to log in to any staff computer but servers. They want me to be able to use this user only for administrative tasks like server management.
    When I deny local login to my administrative user I am not able to use the "run as" with it. It's great that it wouldn't let me log in but it's not great that I cannot use the "run as" while I am logged in with a staff's account because I do want to have the ability to install software or make administrative changes to the computer.
    Hopefully things are clearer for you now.
    What do you think?

    Ro


    • Kyle Beckman (Author) 3 years ago

      Then your auditors don't know anything about AD or Windows. If you're a Domain Admin, the Group Policy means nothing because you can just go log into a DC and change the Group Policy. If you want to perform Administrative actions on the computers, you'll need an account that can log into the computer or you'll need to look into a 3rd party privilege management product.


  10. Deimler 2 years ago

    I locked myself out of the server after editing deny logon.
    Now I can access any user or administrator accounts. Please help.


    • Kyle Beckman (Author) 2 years ago

      Remove the setting and reboot the server. That should get you back in as long as you didn't alter any other Group Policy that could be causing the problem.


  11. Chris 2 years ago

    Ro,

    A best practice is to not be logging in with a domain admin account. This has nothing to do with trusting individual admins but rather limiting the scope of a compromise when, not if, an account is compromised. We have server admins and desktop admins and the accounts have been delegated permissions accordingly over the groups of resources they should be accessing (note that even our server admins are compartmentalized based on the type and risk of the systems they routinely need access to). The domain admin account is used only to make changes at the domain level, everything else is delegated permissions. It took us a while to set up and there are still some cases where domain access is required, but it's a lot less than what we had when we initially started. It also got the auditors off our back and made the security folks very happy.


  12. Abdul Rasool 2 years ago

    Dear Kyle Beckman Sir,

    I have a computer lab in our institute. I'm using Server 2012 R2 and installed Active Directory on the server.
    But recently some clients are not logging in, and this is shown on the logon screen (group policy client service failed the logon access is denied), so kindly give me some instructions and then I'll start work on that.

    I'll be very thankful to you.


  13. vijay 2 years ago

    Hi, I want to deny permissions for interactive logon but still provide rights to do runas in cmd - is this possible?

    srv account - deny logon locally
    user a - allow logon but can not use runas to run command prompt as srv account


    • Kyle Beckman (Author) 2 years ago

      I can see why you would want to do that, but I've honestly never tried to set it up before. I would just try it in a test/lab setup and see what happens.


  14. murali 2 years ago

    I am a trainer. I applied the deny logon policy to all users including the domain; that way I can not access the domain. How do I access the domain?


    • Kyle Beckman (Author) 2 years ago

      If you can log in, remove the policy and hopefully after a Group Policy refresh, things will right themselves. If you can't log in, you may have to restore from an authoritative backup or re-build if this domain is just for training. In the future, don't apply a policy like that to the entire domain or all users... as I suggested in the Tips section.


  15. murali 2 years ago

    How do I set a policy so that in server admin no one can log in without admin?

    By using software deployment, is it possible to install software? If it is possible, how?

    I gave an IP to a Windows 7 system and attached it to the server, but on that system only the server admin and local admin are logging in; the remaining users are not logging in. How do I set it so the users can also log in?


    • Kyle Beckman (Author) 2 years ago

      Look in the Event Logs. If a login is being blocked, you should have more information there. You can also run a gpresult /h on the system and start a new thread on the Forums.


  16. Tim 2 years ago

    We need a couple of generic workstation users but want them to only be able to log into the workstations (Domain Users can as well). It wasn't that big of a deal to use the Log On To option on the user but of course we have over 64 workstations. Is my only option to put the workstations in sub OUs and disable inheritance? I'm not a fan of this solution as it means that any GPOs that get added higher up have to be remembered to be put in these OUs.


    • Kyle Beckman (Author) 2 years ago

      You don't need to disable inheritance... Create the new sub-OU and link a new GPO there. The new GPO in the new sub-OU will apply at a higher inheritance level and overrule any other policy that is linked at a higher OU.


  17. Tim 2 years ago

    Kyle, Thanks for your response. I'm feeling completely dense right now, but exactly which GPO and which objects (workstation computers or the workstation user account) would be in this sub-OU? Basically I'd want to restrict the user account to only be able to log into computers in those sub-OUs but everyone else would also still be able to log into them as needed. Thanks again for your help, I'm not sure why I'm having such a hard time wrapping my head around this.


    • Kyle Beckman (Author) 2 years ago

      That is a Computer side policy, so it would need to apply to an OU that contains Workstations.


  18. Mike Stanley 2 years ago

    Is it possible to modify the message that is displayed to users who are denied the right to logon? We're planning to implement this to deny logon rights to users who have not completed a required security survey, and would like to be able to make it clear to them why they're not able to logon.


    • Kyle Beckman (Author) 2 years ago

      Unfortunately, no. You can't customize the error message.


  19. y.srinath 2 years ago

    Hi Kyle,

    In my organization we are using static IP addresses and we have two Active Directory domains (one is for internet and the other is for intranet). Some employees know both domains' user IDs and passwords.
    But the problem is that now they are simply changing the IP address on intranet systems and logging in to the internet
    domain and using the internet. This should not happen because our intranet systems have confidential data; employees should not have any rights to transfer the data from intranet systems.
    How can I block the other Active Directory domain from one Active Directory domain?
    Is it possible through deny log on locally?


    • Kyle Beckman (Author) 2 years ago

      Deny log on locally controls whether a user can log on to the local system. I don't believe it would help with your situation. Feel free to post in the Forum about how to handle your issue and I (and some of the other 4sysops authors) can try to assist you.


  20. y.srinath 2 years ago

    Thank you Kyle

    I don't have an exact idea how to handle this issue, but I am thinking the main problem is with static IP addresses. Is it so? Can you suggest any ideas to handle this issue, Kyle?


  21. Roger Jacobsen 2 years ago

    I played around with this and locked myself out by adding "users" to the "don't allow" list. Why do I get locked out when my user name is not listed in the users group? And is there a way to fix it?


    • Kyle Beckman (Author) 2 years ago

      If your user account is a member of that group, you'll get locked out. Pull the policy and you should be able to log in again after a restart or Group Policy refresh.


  22. w09wrw 1 year ago

    Hello Kyle et al.
    HigherEd situation.
    Thousands of users/workstations on the domain, broken down by department. Want to restrict users from DepartmentA such that they can only log into computers in DepartmentA.
    Suggestions on how to accomplish this?
    Workstations are prefixed by department and are members of "DepartmentA - Workstations" security group. Department A Users are also inherited to be members of security group "DepartmentA"


  23. Richard Tan 1 year ago

    Hi Kyle,

    With Server 2012, is there a way to restrict users from using Dropbox between a set period of time?


  24. Ahmad 6 months ago

    Hi,

    How can I add a user to the deny list on the domain using PowerShell or cmd?

    Please advise


  25. yakir 6 months ago

    Great article.

    How could I block "Other User" logins where the user needs to enter user name and password and only allow users who are local on the machine and can select their tile and then enter p/w only?

    Target machines are Win 10.

    Thanks!


  26. Duncan 4 months ago

    Good article. Here are a couple of suggestions in response to some of the comments.

    Scenario 1 - You want to prevent Domain Admins logging in to workstations and member servers.

    Use "Log On To" and list your Domain Controllers for each Domain Admin account. However this doesn't scale well if you have more than 10 Domain Controllers or 10 Domain Admins. Domain Admins can obviously undo this, but it's more about enforcing best practice on some of your most trusted IT staff.

    Scenario 2 - You want to restrict "Little Johnnie" to just a few computers.

    You could also use "Log On To". Alternatively put "Little Johnnie" in Domain Guests and remove them from Domain Users. Then put "Little Johnnie" in a group, and add that group to the local Users group of the computers you want them to have access to.


© 4sysops 2006 - 2017
