Local Policy Does Not Permit You to Log On Interactively

By default, the group called "Everyone" has the right to log on locally on a Terminal Server. This means that any user should be able to log on at the Terminal Server console. This is different from a normal Windows NT Server, where the default would be that only the administrator can log on locally. When clients connect to a Terminal Server, they are actually using the Terminal Server console. That is the reason for the different default right.
If you want to limit this right, create a group specifically for your Terminal Server Clients, and grant this group the right to log on locally. You can then remove the Everyone group, limiting console logon rights to the Client group and the administrator.

If a Client or a User at the Console Gets the Error

"Local policy of this system does not permit you to log on interactively", then that user does not have the right to log on locally.

To grant or remove the right to log on locally:

  1. Start User Manager for Domains.
  2. Click Policies, then click User Rights.
  3. In the Rights field, select Log On Locally.
  4. In the Grant To field, select the users and/or groups you want to have this right.

NOTE: You will also see this error if you modify a user's configuration in User Manager by de-selecting the Allow Logon to Terminal Server checkbox.

NOTE: If you install a Terminal Server as a backup domain controller, and the current primary domain controller's policy is set so that users do not have the right to log on locally, then the new Terminal Server inherits that policy. The result will be that no clients can connect to the Terminal Server. If a Terminal Server is a domain controller, the entire domain MUST have a policy allowing users to log on locally.
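
A scripted check of the same right, added here as an example and not part of the original article. It assumes a later Windows version where secedit /export is available (the article itself covers only User Manager for Domains) and parses a constructed export to list who holds Log On Locally (SeInteractiveLogonRight) and whether Everyone is still among them. The function names and the group SID are hypothetical.

```powershell
# Added example: audit holders of the "Log on locally" right (SeInteractiveLogonRight).
# Constructed sample of the [Privilege Rights] section that
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# writes on later Windows versions. The group SID below is made up for illustration.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
'@

function Get-InteractiveLogonHolders {
    param([Parameter(Mandatory)][string]$InfText)

    $inRights = $false
    foreach ($line in $InfText -split "`r?`n") {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Track which INF section we are in.
            $inRights = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inRights -and $line -match '^SeInteractiveLogonRight\s*=\s*(.*)$') {
            # Entries are comma separated; SIDs carry a leading '*'.
            return @($Matches[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()   # Right not listed: no account holds it.
}

function Test-EveryoneCanLogOnLocally {
    param([Parameter(Mandatory)][string]$InfText)
    $holders = Get-InteractiveLogonHolders -InfText $InfText
    # S-1-1-0 is the well-known SID of the Everyone group.
    return ($holders -contains 'S-1-1-0') -or ($holders -contains 'Everyone')
}

$holders = Get-InteractiveLogonHolders -InfText $sampleInf
"Log on locally is granted to: $($holders -join ', ')"
if (Test-EveryoneCanLogOnLocally -InfText $sampleInf) {
    'Everyone still holds the right; console logon is not limited to the client group.'
}
```

To check a live system, pass the contents of the exported file as a single string (for example with Get-Content -Raw) instead of the sample.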

Article ID: 186529 - Last Review: 06/22/2014 18:57:00 - Revision: 4.0
