Logon Locally User Rights on Windows 2000

Posted on 2001-06-26
Medium Priority
Last Modified: 2010-04-13
After I configure the domain controller security policies using MS Security Configuration and Analysis tool, noone can logon to the domain, the error message they got is "The local policy of this system does not permit you to logon interactively". As my understanding, it is regarding the user rights of logon locally. By reviewing the security settings, on the domain controller security policy, logon locally user right is assigned to administrators, terminal clinets, and ftp clients only. By adding everyone group to the list, the problem is solved. My question is assigning logon locally rights to everyone means anyone can go to the server console and logon from there? is it a security hole? As my experience with NT 4.0, logon locally right is only granted to administrators and ftp/www clients. Any idea about how this work in Windows 2000?

Thanks in advance.
Question by:robert100

Expert Comment

ID: 6229212
You should not set the 'logon locally' permissions for everyone. As you said they will be able to logon at the terminal. All you need to set is the 'Access this computer from a network' permissions for 'Everyone'

Author Comment

ID: 6229585
That was exactly what I originally did, but it didn't work.
By searching KB on MS site, this is what I found:


this article applies to SP1, that is what we have here, sp2 may solve that problem?

I really have no idea about this. With NT, it was fine to exclude any users except admin and ftp/www users.

What else should I do?
LVL 12

Expert Comment

ID: 6234681
-Put domain users back as having the 'logon locally' right in computer configuration.
Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.


Author Comment

ID: 6260793
Yeah, thenks a lot. I tried that puting domain users there instead of everyone, but it doesn't prevent any users from loggin on to the server terminal!!! That is what we don't want, any idea?

Expert Comment

ID: 6904202
Add everyone to the 'Print Operators' group. That will give them the right to logon locally, but they will not be able to have their way with the server, only the print jobs.

It's the easiest way to give everyone access to the Domain Controller/Terminal Server, but still limit their control.


Expert Comment

ID: 8237118
Dear questionner/expert(s)

No comment has been added lately, so it's time to clean up this TA.
I'll leave a recommendation in the Cleanup topic area that this question is to be:

- PAQ'd and pts removed

Please leave any comments here within the next seven days.



Cleanup volunteer


Accepted Solution

modulo earned 0 total points
ID: 8280177
Finalized as proposed


Community Support Moderator
Experts Exchange

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Often times it's very very easy to extend a volume on a Linux instance in AWS, but impossible to shrink it. I wanted to contribute to the experts-exchange community a way of providing a procedure that works on an AWS instance. It can also be used on…
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses
Course of the Month13 days, 12 hours left to enroll

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question