How can I deny a local (non-domain) user the ability to log on without using group policy?

Question

I have a workstation, running Windows 8.1, that is joined to a domain.

I want to create a local (non-domain) user without the ability to log on interactively. I'd like to avoid Group Policy because the work I'm doing is just for testing - there is a production environment with a user that does not have logon privileges, and I want to make sure everything I'm doing will work for such a user.

I've tried to create an account and remove it from the Users and Administrators group, but I can still log in to the local console. I've also tried this code, running Revoke-UserRight -Account <AccountName> -Right SeInteractiveLogonRight, and while that succeeds, I'm still able to log in to the local console using that account.

Is such a thing possible?

score 0 · Answer 1 · answered Nov 01 '16 at 23:16

0

You can use local Group Policy to deny the right to log on locally to the local Users group. This will prevent any local or domain user accounts that are members of the local Users group from logging on locally.

Make sure that you have at least one enabled user account that is a member of the local Administrators group and that you know the password for this user account so that you don't lock yourself out.

answered Nov 01 '16 at 23:16

joeqwerty

108,377
6
80
171

Is local Group Policy the only way to accomplish this? I was hoping to avoid it if possible. – Micah R Ledbetter Nov 01 '16 at 23:57

How can I deny a local (non-domain) user the ability to log on without using group policy?

1 Answers1