Error Message: The Local Policy of This System Does Not Permit You to Log on Interactively

When you add a group, such as, Domain Users, Everyone, or Authenticated Users, to the "Deny Logon Locally" user right, users that are members of those groups can no longer log on to certain computers. When a user tries to log on to the computer, the user may receive the following error message: The administrator of your system may find this behavior to be unexpected.

This behavior may occur because the user (such as, the administrator, who is a member of a group that has been explicitly granted the "Logon Locally" user right) may also be a member of the preceding groups. Any of the preceding groups may deny users access to the computer in which case a policy that sets the denial of user rights takes precedence over a policy that enables user rights.

To work around this behavior, you can access the computer that is denying a user access by means of an administrative account situated on another client. Then you can use the Ntrights.exe program from the Microsoft Windows 2000 Resource Kit to remove the user from the "Deny Logon Locally" user right.

To perform this procedure, use the following (case-sensitive) syntax:

This behavior is by design.

Most of the preceding problems occur when the Everyone group has been removed from the user right. You can use the Ntrights utility to add user rights.

For additional information about how to add a group back to the user right, click the article number below to view the article in the Microsoft Knowledge Base: