Logon rights

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Logon rights

The following table lists and describes logon rights.

Logon Right Description

Access this computer from a network

This user right determines which users and groups are allowed to connect to the computer over the network. Terminal Services are not affected by this user right.

Default:

  • On workstations and servers:

    • Administrators

    • Backup Operators

    • Power Users

    • Users

    • Everyone

  • On domain controllers:

    • Administrators

    • Authenticated Users

    • Everyone

Allow log on locally

This logon right determines which users can interactively log on to this computer. Logons initiated by pressing CTRL+ALT+DEL on the attached keyboard requires the user to have this logon right. Additionally this logon right may be required by some service or administrative applications that can log on users. If you define this policy for a user or group, you must also give the Administrators group this right.

Default:

  • On workstations and servers: Administrators, Backup Operators, Power Users, Users, and Guest.

  • On domain controllers: Account Operators, Administrators, Backup Operators, Print Operators, and Server Operators.

Allow log on through Terminal Services

This security setting determines which users or groups have permission to log on as a Terminal Services client.

Default:

  • On workstation and servers: Administrators, Remote Desktop Users.

  • On domain controllers: Administrators.

Deny access to this computer from network

This security setting determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies.

Default: No one.

Deny log on as a batch job

This security setting determines which accounts are prevented from being able to log on as a batch job. This policy setting supersedes the Log on as a batch job policy setting if a user account is subject to both policies.

Default: None.

Deny logon as a service

This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies.

Note

  • This security setting does not apply to the System, Local Service, or Network Service accounts.

Default: None.

Deny log on locally

This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.

Important

  • If you apply this security policy to the Everyone group, no one will be able to log on locally.

Default: None.

Deny log on through Terminal Services

This security setting determines which users and groups are prohibited from logging on as a Terminal Services client.

Default: None.

Log on as a batch job

This security setting allows a user to be logged on by means of a batch-queue facility.

For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an interactive user.

Note

  • In Windows 2000 Server, Windows 2000 Professional, Windows Server 2003 and Windows XP Professional, the Task Scheduler automatically grants this right as necessary.

Default: Local System.

Log on as a service

This security setting determines which service accounts can register a process as a service.

Default: None.

For more information, see Privileges and Security Configuration Manager tools.

Note

  • The default settings listed above are for Windows XP Professional and the Windows Server 2003 family.