Article ID: 186529
By default, the group called "Everyone" has the right to log on locally on a Terminal Server. This means that any user should be able to log on at the Terminal Server console. This is different from a normal Windows NT Server, where the default would be that only the administrator can log on locally. When clients connect to a Terminal Server, they are actually using the Terminal Server console. That is the reason for the different default right.
If you want to limit this right, create a group specifically for your Terminal Server Clients, and grant this group the right to log on locally. You can then remove the Everyone group, limiting console logon rights to the Client group and the administrator.
If a Client or a User at the Console Gets the ErrorLocal policy of this system does not permit you to log on interactively, so that user does not have the right to log on locally.
To grant or remove the right to log on locally:
NOTE: If you install a Terminal Server as a backup domain controller, and the current primary domain controller's policy is set so that users do not have the right to log on locally, then the new Terminal Server inherits that policy. The result will be that no clients can connect to the Terminal Server. If a Terminal Server is a domain controller, the entire domain MUST use have a policy allowing users to log on locally.
Article ID: 186529 - Last Review: June 22, 2014 - Revision: 4.0