Microsoft KB Archive/234237

From BetaArchive Wiki
Knowledge Base


Assign "Log On locally" Rights to Windows Domain Controller

Article ID: 234237

Article Last Modified on 2/27/2007


APPLIES TO

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Datacenter Server


This article was previously published under Q234237


SUMMARY

This article describes how to assign "Log on locally" rights for users and groups to Windows-based domain controllers.

MORE INFORMATION

By default, the account operators, administrators, backup operators, print operators, server operators, Internet guest account, and Terminal Services user account are assigned the right to log on locally to a Windows-based domain controller. You can use the Microsoft Management Console Group Policy Editor snap-in in your Windows-based computer to assign "Log on locally" user rights to other users and groups:

  1. Click Start, click Run, type mmc, and then press ENTER.
  2. Click Console, and then click Add/Remove Snap-in, click Add, and then double-click Group Policy snap-in.
  3. Click Browse for the group policy object, and then double-click the folder for your domain controller.
  4. Double-click Default Domain Controllers Policy, click Finish, click Close, and then click OK.
  5. Click Default Domain Controllers Policy, double-click the Computer Configuration branch to expand it, and then double-click the Windows Setting branch to expand it.
  6. Double-click the Security Settings branch to expand it, and then double-click the Local Policies branch to expand it.
  7. Double-click the User Rights Assignment branch to expand it, double-click the Log On Locally branch to expand it, and then click Add.
  8. Click the users or groups you want to add, click OK, and then click OK.
  9. Quit the Group Policy Editor snap-in by clicking Console, clicking Exit, and then clicking No.
  10. In order for the change to apply immediately, open a command prompt and type the following command:

    secedit /refreshpolicy machine_policy

    NOTE: If you want the policy to apply immediately to all domain controllers, run the command on each domain controller after successful replication has occurred.
  11. The command typed in step 10 will generate an Event ID 1704 in the Application log of Event Viewer. Confirm the presence of the event.

    NOTE: You do not have to save the console settings for the change to take effect. Active Directory replication must also occur between all domain controllers, and this could take up to 3 hours unless replication is forced.


Keywords: kbhowto kbnetwork KB234237



Send feedback to Microsoft

© Microsoft Corporation. All rights reserved.


Retrieved from ‘https://www.betaarchive.com/wiki/index.php?title=Microsoft_KB_Archive/234237&oldid=372626
the Creative Commons 3.0 ShareAlike (except the Microsoft KB Archive).
Powered by MediaWiki