Remove "DOMAIN\domain Users" and add "DOMAIN\username" to Allow Log on Locally

1

I created a batch file to remove "domain\Domain Users" from the Allow Log On Locally local security policy and replace it with "domain\username". This works. This is my script:

First, remove the unwanted group:

C:\ntrights.exe -r SeInteractiveLogonRight -u "domain\domain users"

Second, add the user:

C:\ntrights.exe +r SeInteractiveLogonRight -u "domain\username"

When I test by updating the machine's policy with the command "gpupdate /force", the Allow Log On Locally setting reverts back to default policy and the "domain\Domain users" entry comes back.

I want to remove the "domain\Domain users" entry and not have it return to the default policy, even if gpupdate /force is run.

I have Windows 7.

biiboy

Posted 2017-09-19T07:48:44.280

Reputation: 13
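To see what the effective "Allow log on locally" assignment is after a gpupdate /force, and which policies are applied to the machine, here is an added PowerShell check (not from the original post). It assumes an elevated prompt, and the watched group name DOMAIN\Domain Users is a placeholder to adapt.

```powershell
# Added example (not from the original post): export the effective local security
# policy and list who holds SeInteractiveLogonRight ("Allow log on locally").
# Run from an elevated PowerShell; the watched group name is an assumption to adapt.
function Get-InteractiveLogonHolders {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    # secedit exports the local security database, i.e. the policy as it stands
    # after domain GPOs have been applied (what gpupdate /force leaves behind)
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    # The [Privilege Rights] section contains a line such as:
    #   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-...-513,DOMAIN\someuser
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }

    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # entries prefixed with * are SIDs; resolve them to account names
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }   # unresolvable SID: keep the raw value
        } else { $entry }
    }
}

$WatchedAccount = 'DOMAIN\Domain Users'   # assumption: the group the poster wants removed
$holders = @(Get-InteractiveLogonHolders)

Write-Host "Accounts with 'Allow log on locally':"
$holders | ForEach-Object { Write-Host "  $_" }

if ($holders -contains $WatchedAccount) {
    Write-Host "`n$WatchedAccount is present, so a policy is assigning it."
    # List the GPOs applied to this computer; the Group Policy Results wizard shows the same data
    gpresult /scope computer /r
} else {
    Write-Host "`n$WatchedAccount is not in the effective assignment."
}
```

Running this before and after gpupdate /force shows whether the ntrights change survives and, if not, which applied GPO to raise with the domain administrators.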

Answers

1

The computer is subject to a domain policy that is configuring the Allow Logon Locally user right. You need to prevent the computer from receiving this policy.

To determine which policy is changing this setting, use the Group Policy Results wizard in the Group Policy management console. It will identify any GPO that is configuring this setting. Your options include:

  1. Disable the policy
  2. Edit the policy's security settings to prevent your target computer from receiving it
  3. Use a WMI filter to exclude the target PC
  4. Move the computer object to an OU not affected by the policy
  5. Create another policy that sets your desired setting and configure it to have a higher precedence than the unwanted policy

I say Reinstate Monica

Posted 2017-09-19T07:48:44.280

Reputation: 21 477

I don't have privileges to read/write policies. I was trying to discuss with the other team (system administrator). They disagree with my idea. – biiboy – 2017-09-20T09:18:19.640

Then there is nothing you can do. What I've posted in my answer are the correct solutions. – I say Reinstate Monica – 2017-09-20T11:50:45.267

Can I add in user configuration for 1 PC 1 login? – biiboy – 2017-09-22T09:34:11.070

@biiboy I don't know what you're asking. – I say Reinstate Monica – 2017-09-22T12:28:37.023

Actually, I want to set Single Login. Username A cannot log in on computer B. Username A can log in only on computer A, etc. I have discussed with the other team but they disagree with this. I really need your advice. – biiboy – 2017-09-29T02:47:03.090

@biiboy If the team that has control over the domain's security settings disagrees, there's nothing you can do about that. Like all good security settings, they're not able to be changed by those without access to do so. It sounds like you need to keep working to convince that team. – I say Reinstate Monica – 2017-09-29T03:55:38.297

Can I add this using a registry key? I really need help. Thanks a lot. – biiboy – 2017-10-02T09:14:20.713

No you cannot. You must modify the user right through Group Policy. There are no alternate settings available for this. – I say Reinstate Monica – 2017-10-02T13:07:01.853

Thanks a lot, Twisty. How about deny local logon? Can I add some users to that? I will enter their usernames one by one. When I test with gpupdate /force, deny local logon remains unchanged. – biiboy – 2017-10-03T01:31:32.847

@biiboy That could work, though you'd have to enter every possible username, less the one you want to allow logon... – I say Reinstate Monica – 2017-10-03T01:49:21.803

0

Domain group policy will take precedence over local policy; your settings are rolled back after Domain Group Policy is applied. You need to contact the corporate IT service team for help.

yanqian

Posted 2017-09-19T07:48:44.280

Reputation: 11

I don't have privileges to read/write policies. I was trying to discuss with the other team (system administrator). They disagree with my idea. – biiboy – 2017-09-20T09:18:24.770