Set and Check User Rights Assignment via PowerShell

You can add, remove, and check user rights assignment (remotely / locally) with the following PowerShell scripts.

Posted by : blakedrumm on Jan 5, 2022


How to get it


Local Computer

Remote computer, output types.

This post was last updated on August 29th, 2022

I stumbled across this gem (weloytty/Grant-LogonAsService.ps1) that allows you to grant Logon as a Service Right for a User. I modified the script; you can now run the PowerShell script against multiple machines, users, and user rights.

Set User Rights


All of the User Rights that can be set:

Note: You may edit line 437 in the script to change what happens when the script is run without any arguments or parameters. This also allows you to change what happens when the script is run from the PowerShell ISE.

Here are a few examples:

Add Users

Single Users

Example 1: Add User Right “Allow log on locally” for current user:

    .\Set-UserRights.ps1 -AddRight -UserRight SeInteractiveLogonRight

Example 2: Add User Right “Log on as a service” for CONTOSO\User:

    .\Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeServiceLogonRight

Example 3: Add User Right “Log on as a batch job” for CONTOSO\User:

    .\Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeBatchLogonRight

Example 4: Add User Right “Log on as a batch job” for user SID S-1-5-11:

    .\Set-UserRights.ps1 -AddRight -Username S-1-5-11 -UserRight SeBatchLogonRight

Add Multiple Users / Rights / Computers

Example 5: Add User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 and run on local machine and SQL.contoso.com:

    .\Set-UserRights.ps1 -AddRight -UserRight SeServiceLogonRight, SeBatchLogonRight -ComputerName $env:COMPUTERNAME, SQL.contoso.com -UserName CONTOSO\User1, CONTOSO\User2

Remove Users

Single Users

Example 1: Remove User Right “Allow log on locally” for current user:

    .\Set-UserRights.ps1 -RemoveRight -UserRight SeInteractiveLogonRight

Example 2: Remove User Right “Log on as a service” for CONTOSO\User:

    .\Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeServiceLogonRight

Example 3: Remove User Right “Log on as a batch job” for CONTOSO\User:

    .\Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeBatchLogonRight

Example 4: Remove User Right “Log on as a batch job” for user SID S-1-5-11:

    .\Set-UserRights.ps1 -RemoveRight -Username S-1-5-11 -UserRight SeBatchLogonRight

Remove Multiple Users / Rights / Computers

Example 5: Remove User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 and run on local machine and SQL.contoso.com:

    .\Set-UserRights.ps1 -RemoveRight -UserRight SeServiceLogonRight, SeBatchLogonRight -ComputerName $env:COMPUTERNAME, SQL.contoso.com -UserName CONTOSO\User1, CONTOSO\User2

Check User Rights

To check the Local User Rights, run the above script (Get-UserRights). You may copy and paste the script into your PowerShell ISE and press play.


Note: You may edit line 467 in the script to change what happens when the script is run without any arguments or parameters. This also allows you to change what happens when the script is run from the PowerShell ISE.

Get Local User Account Rights and output to text in console:

Get Remote SQL Server User Account Rights:

Get Local Machine and SQL Server User Account Rights:

Output Local User Rights on Local Machine as CSV in ‘C:\Temp’:

Output to Text in ‘C:\Temp’:

PassThru object to allow manipulation / filtering:
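Independent of the Get-UserRights script above, the same information can be audited from a `secedit /export /areas USER_RIGHTS` file. The block below is an added example, not the post's or the project's code: it parses the `[Privilege Rights]` section, resolves SIDs, and flags holders of the rights used in the examples above that are not in an expected list. The function names, the sample export, the made-up domain SID and the baseline in `$ExpectedHolders` are assumptions for illustration.

```powershell
# Added example (not the blog's Get-UserRights.ps1): audit user rights from a secedit export.

# Constructed sample of a "secedit /export /areas USER_RIGHTS" file; the S-1-5-21 SID is made up.
$SampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

# Assumed baseline for this example: SIDs expected to hold each right. Adjust to your environment.
$ExpectedHolders = @{
    SeServiceLogonRight = @('S-1-5-80-0')                                    # NT SERVICE\ALL SERVICES
    SeBatchLogonRight   = @('S-1-5-32-544', 'S-1-5-32-551', 'S-1-5-32-559')  # Administrators, Backup Operators, Performance Log Users
}

function Export-UserRightsInf {
    # Exports the live user rights assignment to a temp file and returns its lines (needs elevation).
    $tmp = Join-Path $env:TEMP ("userrights_{0}.inf" -f [guid]::NewGuid())
    try {
        $null = & secedit.exe /export /cfg $tmp /areas USER_RIGHTS
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
        Get-Content -LiteralPath $tmp
    }
    finally { Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue }
}

function ConvertFrom-UserRightsInf {
    # Emits one object per (right, principal) pair found in the [Privilege Rights] section.
    param([Parameter(Mandatory)][string[]]$Lines)
    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $text -match '^(Se\w+)\s*=\s*(.*)$') {
            $right   = $Matches[1]
            $entries = $Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
            foreach ($entry in $entries) {
                # secedit prefixes SIDs with '*'; entries without it are plain account names.
                $isSid = $entry.StartsWith('*')
                $id    = $entry.TrimStart('*')
                $name  = $id
                if ($isSid) {
                    try {
                        $sid  = [System.Security.Principal.SecurityIdentifier]::new($id)
                        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                    }
                    catch { $name = $id }   # deleted account or unreachable domain: keep the raw SID
                }
                [pscustomobject]@{
                    Right     = $right
                    Principal = $name
                    Sid       = if ($isSid) { $id } else { $null }
                }
            }
        }
    }
}

function Find-UnexpectedUserRight {
    # Returns assignments for baselined rights whose SID is not in the expected list.
    # Name-only entries (Sid is $null) are reported too, since they cannot be matched by SID.
    param([Parameter(Mandatory)][object[]]$Assignment, [Parameter(Mandatory)][hashtable]$Expected)
    foreach ($a in $Assignment) {
        if ($Expected.ContainsKey($a.Right) -and ($a.Sid -notin $Expected[$a.Right])) { $a }
    }
}

$assignments = ConvertFrom-UserRightsInf -Lines $SampleInf
$assignments | Format-Table -AutoSize
Find-UnexpectedUserRight -Assignment $assignments -Expected $ExpectedHolders

# On a live machine, from an elevated prompt:
# Find-UnexpectedUserRight -Assignment (ConvertFrom-UserRightsInf -Lines (Export-UserRightsInf)) -Expected $ExpectedHolders
```

With the constructed sample, only the made-up domain account holding SeServiceLogonRight is reported.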


I like to collaborate and work on projects. My skills with Powershell allow me to quickly develop automated solutions to suit my customers, and my own needs.


Website : https://blakedrumm.com

My name is Blake Drumm, I am working on the Azure Monitoring Enterprise Team with Microsoft. Currently working to update public documentation for System Center products and write troubleshooting guides to assist with fixing issues that may arise while using the products. I like to blog on Operations Manager and Azure Automation products, keep checking back for new posts. My goal is to post at least once a month if possible.


How to manage user account settings on Windows 11

Here are the steps to add, change, and remove accounts on Windows 11.


On Windows 11, the "Accounts" page in the Settings app allows you to review and customize many aspects of your account. You can determine the account type, switch from a Microsoft to a local account, change how you sign in, and enable many features to make the experience more secure and easier to use.

In addition, when you need to share a device with other people, you can create an account for each person so that each has a personal space they can customize, apps with their own profile, and a different area to store files.

Furthermore, if you must let a young person use a computer, you can also create a special child account type that provides parental control to monitor and protect them from content that may not be appropriate for their age.

This guide will teach you the steps to manage user accounts on your computer running the latest version of Windows 11.

How to view account details on Windows 11

On Windows 11, the "Your info" settings page includes details about your account, such as the type of account and the Microsoft account associated with the current profile. It also houses the settings to switch from a Microsoft to a local account or vice versa and the option to change the picture profile.

To view the account information on Windows 11, use these steps:


  • Open  Settings .
  • Click on  Accounts .
  • Click the  Your info  page on the right side.

Open Your info

  • Confirm your account details, including account type (Administrator or Standard) and whether you have a local or Microsoft account. 

Windows 11 account details

  • Quick note:  If the page reads "Local account" under your name, there's a link to a Microsoft account. You have a Microsoft account configuration if your email address appears on this page.
  • (Optional) Under the "Related settings" section, click the  "Accounts"  option to access the account online to change billing details, family and security settings, and other settings.

Once you complete the steps, the "Your info" page will give various pieces of information about the account.

In the "Accounts" section, you're also going to find the "Your Microsoft account" page, but it only includes details about your Microsoft 365 subscription.

Change to local account

If you have a Microsoft account and you prefer a local account, you can use these steps to switch:

  • Under the "Account settings" section, click the  "Sign in with a local account instead"  option.

Switch Microsoft to local account

  • Continue with the on-screen directions. 
  • If you have a Microsoft account, click the  "Sign in with a local account instead"  option to switch to a local account.
  • Continue with the on-screen directions.

After you complete the steps, the account will no longer be associated with a Microsoft account. 

You can also use the instructions outlined above to switch to a Microsoft account if you have a local account.

Change account picture

To change the account picture on Windows 11, use these steps:

  • Click the  Browse files  button in the "Choose a file" setting. 

Change account picture

  • Quick tip:  You can also use the  Camera  option to take a picture and set it as the new profile photo.
  • Select a new image for the account.
  • Click the  Choose Picture  button.

Once you complete the steps, the picture will apply to the account.

How to link additional emails to an account on Windows 11

You can also add other email accounts in advance, so you don't have to enter the information on other apps (such as Mail & Calendar) and services.

Add accounts for apps

To add additional email accounts on Windows 11, use these steps:

  • Click the  Email & accounts  page on the right side.

Open emails & accounts settings

  • Under the "Accounts used by email, calendar, and contacts" section, click the  Add an account  button.

Add more emails to account

  • Quick note:  If you want to add another Microsoft account, the system will list it under the "Accounts used by other apps" section.
  • Select the service provider (such as Outlook, Google, or iCloud).

After you complete the steps, the accounts will be available to set up other apps and services.

Add accounts for work

To add work accounts for apps on Windows 11, use these steps:

  • Under the "Accounts used by other apps" section, click the  "Add a Microsoft account"  or  "Add a work or school"  account.

Add work or school accounts

  • Select the correct service.

Once you complete the steps, the account will be added, giving you quick access to work applications, such as OneDrive for Business.

How to change sign-in options on Windows 11

Windows 11 also includes the "Sign-in options" page that includes the different ways you can customize the preferences to sign into your account. For example, on this page, you can configure Windows Hello, change your local account password, and enable other features like Dynamic lock.

Change account password

If you use Windows 11 with a Microsoft account, you can only change the password  online  by changing your Hotmail, Live, or Outlook password. You can change the password through the Sign-in options page if you have a local account.

To change the account password on Windows 11, use these steps:

  • Click the  Sign-in options  page on the right side.
  • Under the "Ways to sign in" section, click the  Password  setting.
  • Click the  Change  button.

Change password option

  • Confirm the current password.
  • Confirm the new password.

Create new password

  • Quick note:  You can't re-use a previous password. You must enter a new password.
  • Click the  Next  button.
  • Continue with the on-screen directions (if applicable).

After you complete the steps, you can sign out and sign back in to start using the new password.

Configure or change Windows Hello authentication

On Windows 11, you have multiple ways to configure Windows Hello. You can set up facial or fingerprint recognition if you have the hardware that supports the feature. You can use a physical security key (usually used in organizations). And the most common form of authentication is the PIN option since it doesn't require special hardware and is more secure than a traditional password.

Usually, Windows 11 will prompt you to create a PIN during the initial setup, but if you are still using a password, you can use these steps to set up a Windows Hello PIN:

Open Sign in options

  • Under the "Ways to sign in" section, click the  PIN (Windows Hello)  setting.
  • Click the  Set up button.

Windows 11 PIN set up option

  • Confirm your current password (if applicable).
  • Click the  OK  button.
  • Create a new numeric PIN that you will remember. 

Create PIN

  • (Optional) Under the "Additional settings" section, turn on the  "For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device"  toggle switch.
  • Quick note:  This feature will turn on Windows Hello for all authentications across Windows 11, so you are never asked for your account password.

Once you complete the steps, you can start using the PIN to sign in instead of a password.

Change current PIN

If you already have a PIN, you will only find the option to change or remove it.

To change the current account PIN, use these steps:

  • Under the "Ways to sign in" section, click the  PIN (Windows Hello)  setting.
  • Click the  Change PIN  button.

Change Windows Hello PIN

  • Confirm the current PIN.
  • Create a new PIN.
  • Confirm the new PIN.

Create new PIN

  • (Optional) Under the "Additional settings" section, turn on the  "For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device"  toggle switch.

Windows 11 enable passwordless option

  •   Quick note:  This feature will turn on Windows Hello for all authentications across Windows 11, so you are never asked for your account password. However, if enabled, you won't be able to remove the PIN.

After you complete the steps, the Windows Hello information will change to the new PIN.

Enable sign-in upon waking up

As part of the account settings, you can decide whether the system should prompt you for a password upon waking the device or after some time you have been away from your desk.

To require a sign-in after waking up or specific time period, use these steps:

  • Under the "Additional settings" section, use the  "If you've been away, when should Windows require you to sign in again?"  setting to automatically select how long the system should wait before locking the account.

Windows 11 require sign in again

This setting replaces the "Require sign-in" option that lets you decide whether Windows 11 should ask you to sign in when the device wakes up from sleep mode. If you want to disable the option, select the  Never  option.

Enable Dynamic lock

"Dynamic lock" is a feature that automatically locks your device when you step away from the room. The feature uses proximity technology, meaning you'll need to connect a Bluetooth device like a phone or wearable before you can configure it. Once enabled, Windows 11 will lock the profile automatically 30 seconds after you step away from the computer.

To enable Dynamic lock, use these steps:

  • Click on  Bluetooth & devices .
  • Click on  Add device  button.

Add new Bluetooth device

  • Click on  Bluetooth .

Bluetooth wizard

  • Turn on Bluetooth on the device you want to pair.
  • Select the device from the list.

Choose Bluetooth device from list

  • Continue with the on-screen directions to complete the pairing.
  • Click the  Sign-in options  page on the right side.
  • Under the "Additional settings" section, click the  Dynamic lock  setting.
  • Check the "Allow Windows to automatically lock the device when you're away"  option.

Windows 11 enable Dynamic Lock

Once you complete the steps, you can step away from the desk with the Bluetooth device, and then after 30 seconds, when you return, the computer should be locked.

Stop restarting apps on startup

Some apps are able to restart automatically at startup if you don't close them before turning off the computer. If you don't like this behavior, you can disable the feature. 

To prevent apps from restarting at startup, use these steps:

  • Under the "Additional settings" section, turn off the  "Automatically save my restartable apps and restart when I sign back in"  toggle switch. 

Windows 11 disable restartable apps

After you complete the steps, apps will no longer restart automatically on startup.

How to control account sync settings on Windows 11

On Windows 11, Microsoft is referring to the sync settings as the new "Windows Backup" feature. On this page, you can choose what folders are backed up in the cloud using OneDrive. You can decide whether the system should remember your apps so you can restore them on another installation. And you can control the settings you want to sync across devices associated with the same Microsoft account.

To control the sync settings on Windows 11, use these steps:

  • Click the  Windows backup  page on the right side.

Windows Backup

  • Click the  Set up syncing  button for the "OneDrive folder syncing" setting.

OneDrive folder syncing

  • Select the folders (Desktop, Documents, or Pictures) to upload and back up on the cloud. (You must have enough space to enable this feature.)

OneDrive manage folder backup

  • Click the  Start backup  button.
  • (Optional) Turn on the  "Remember my apps"  toggle switch if you want the system to remember the Microsoft Store apps on your computer so that you can restore them later on another computer.
  • Turn on the  "Remember my preferences"  toggle switch to allow your settings to sync across devices.
  • Click the "Remember my preferences" setting.
  • Check the settings you want to sync across devices, including passwords, language preferences, and other Windows settings.

Windows 11 sync preferences

Once you complete the steps, the settings and files will sync to the cloud and across devices, depending on your configuration.

How to connect account to an organization on Windows 11

The "Access work or school" page has the settings to connect to an organization to access shared resources, such as network resources, apps, and emails. If you are part of an organization, your network administrator will provide the information.

To connect a device to the network, use these steps:

  • Click the  Access work or school  page on the right side.

Open Access work or school settings

  • Click the Connect button.
  • Confirm your work or school account. 

Connect work or school account

  • Quick note:  You can also select the option to join an Azure Active Directory or local Active Directory domain from this page.

After you complete the steps, you will have access to the organization's resources as configured by the network administrator.

How to add multiple accounts on Windows 11

Although most computers are set up for single users, Windows 11 allows you to share the device with multiple people through the "Family & other people" page, which includes the settings to add, remove, and manage multiple user accounts.

Add family members 

On the page, under the "Your family" section, you can manage family members to allow each person to have their desktop, settings, apps, and a place to store files separately from everyone else.

You can have two family account types, including "Child" and "Adult," and each account type provides different features.

Create a child account

A  Child  account offers a controlled environment with features to keep young members safe while using apps, playing games, and browsing the internet. If you choose to create a child account, the person can use the device, personalize the desktop, work with apps, create files, and safely browse the web with Microsoft Edge. 

Also, when using this account type, the organizer can control their activities, enforce limits on apps and games, control screen time, and more using the Microsoft family dashboard online.

To create a child account on Windows 11, use these steps:

  • Click the  Family & other users  page on the right side.

Open Family & other users

  • Click the  Add account  in the "Add a family member" setting. 

Family settings add account

  • Confirm the email address of the young person you want to add.

Add kid email in family settings

  • Quick note:  If the young person doesn't have an account, choose the "Create one for a child" option and continue with the on-screen directions.
  • Click the Next button.
  • Select the Member option.
  • Click the Invite button.

Family member option

  • Open the invitation email in the child's account online.
  • Click the Accept Invitation button.

Accept family invitation

  • Click the Join now button.

Join family group

  • Sign out of the main account.
  • Select the child account from the Lock screen.
  • Sign in with the child's Microsoft account credentials.
  • Click the Skip for now option (if applicable).
  • Create a PIN for the account.

Create account PIN

  • Click the OK button.
  • Continue with the on-screen directions to finish the setup.

Once you complete the steps, Windows 11 will create the account, and the user will be able to sign in immediately.

Create an adult account

When using the family settings, an adult account is the same as a traditional local account, but members can also control child accounts.

To add a new member to the family group on Windows 11, use these steps:

  • Click the  Add account  in the "Add a family member" setting. 
  • Confirm the family member's email address.

Add adult email family settings

  • Click the  Next  button.
  • Select the  Organizer  option.
  • Click the  Invite  button.

Family organizer option

After you complete the steps, the account will be created, but the new member will need to accept the email invitation before they can use the device and manage parental control settings for child accounts.

Add non-family member 

On Windows 11, you can also create accounts for other people not necessarily part of your family. Using these settings, you can create a Microsoft or traditional local account. 

Create a Microsoft account

Using a Microsoft account is recommended because it's easier to configure, the user can choose to sync their settings across devices, and password recovery is straightforward.

To create a profile with a Microsoft account, use these steps:

  • Under the "Other users" section, click the  Add account  button for the "Add other user" setting.

Windows 11 create account with msa

  • Confirm the email address or phone number of the new user.

Microsoft account

  • Quick note: If the user doesn't have a Microsoft account, choose the "I don't have this person's sign-in information" option to create an account and continue with the on-screen directions.
  • Click the  Finish  button.

Once you complete the steps, the person should be able to sign in and start using the device.

Create a local account

On Windows 11, you can still create a local account without needing a Microsoft account, also called an offline account.

To create a local account on Windows 11, use these steps:

  • Click the  "I don't have this person's sign-in information"  option.
  • Click the  "Add a user without a Microsoft account"  option.

Add a user without a Microsoft account

  • Confirm the username.
  • Create a password for the account.
  • Complete the security questions to enable the reset option if you forget the password.

Windows 11 local account information

After you complete the steps, the user can log in and start using the standard local account on your Windows 11 computer.

Furthermore, the "Family & other users" page also includes an option to  set up a kiosk account . This feature is usually reserved for network administrators to turn a computer into a digital sign or interactive display or turn it into a device that only runs a specific application.

Change account type

A standard user account is the recommended type for most users, but you can change the type to administrator if you want.

To change a user account type on Windows 11, use these steps:

  • Click the  Family & other users  page on the right side.
  • Under the "Other users" section, select the account to update.
  • Click the  Change account type  button.

Change account type

  • Select the  Administrator  account type.

Select new account type

Once you complete the steps, the new account type will dictate the user's access privileges.

How to delete account on Windows 11

On Windows 11, when you no longer need an account, you can delete the profile and data, but the steps can differ depending on the account type.

Remove family account

To delete a family member account on Windows 11, use these steps:

  • Under the "Your family" section, click the "Manage family settings online" option.
  • Sign in with your credentials (if applicable).

Manage family settings online or remove account

  • Under the "Your family" section, click the (three-dotted) menu button in the right corner of the user account and select the  "Remove from family group"  option.
  • Click the  Remove  button.

Family group remove user

  • Quick note: If you are trying to remove a child account, you may first need to choose the "Manage consent" option and remove the consent before you can remove the account from the family group.

Once you complete the steps, the account and files will be deleted from the computer.

Remove non-family account

To delete a local account on Windows 11, use these steps:

  • Under the "Other users" section, select the user account and click the  Remove  button.

Windows 11 delete account

  • Click the  "Delete account and data"  button.

After you complete the steps, the profile and files will be deleted from the device.


Mauro Huculak

Mauro Huculak is a technical writer for WindowsCentral.com. His primary focus is to write comprehensive how-tos to help users get the most out of Windows 10 and its many related technologies. He has an IT background with professional certifications from Microsoft, Cisco, and CompTIA, and he's a recognized member of the Microsoft MVP community.


All about Microsoft Intune

Peter blogs about Microsoft Intune, Microsoft Intune Suite, Windows Autopilot, Configuration Manager and more


Restricting the local log on to specific users

This week is about restricting the local logon on Windows devices to specific users. Not because it is something particularly new, but simply because it has been an ask every now and then. Think about further locking down a kiosk device, for example. Restricting the local logon can be achieved either by allowing only specific users to log on, or by denying specific users the ability to log on. In other words, whitelisting versus blacklisting: the allow-option is basically a whitelist and the deny-option is basically a blacklist. When looking at restricting the local logon, a whitelist is the easiest method to quickly get really restrictive, as only the users on the list are allowed to log on locally. Luckily, nowadays there is an easy method for configuring such a whitelist with users that are allowed to log on locally on a Windows device. This post will provide some more details around that configuration, followed by the configuration steps. This post will end by showing the user experience.

Note : Keep in mind that this post is focussed on the local log on on Windows devices and not the remote log on.

Configuring the allow local log on setting

When looking at configuring the allow local log on configuration, the UserRights section in the Policy CSP is the place to look. That section contains many of the different policy settings of the User Rights Assignment Local Policies, including the Allow log on locally (AllowLocalLogOn) policy setting. That policy setting can be used to configure the users that are allowed to locally log on to the Windows device. Besides that, it’s also good to mention that with the latest Windows 11 Insider Preview Builds, this section of the Policy CSP is getting more and more policy settings. Nearly all of the User Rights Assignment Local Policies are now available for configuration, including Logon as a service, Logon as a batch job, and many more. Maybe even better, all of these available policy settings, including the new policy settings that are currently still in preview, are now configurable via the Settings Catalog profile (as shown below in Figure 1).


Once familiar with the available policy settings and the configuration profile, the configuration of those policy settings is pretty straightforward. The following eight steps walk through the creation of a Settings Catalog profile that contains the required setting to configure the local logon, by using the Allow log on locally policy setting.

  1. Open the Microsoft Intune admin center portal and navigate to Devices > Windows > Configuration profiles
  2. On the Windows | Configuration profiles blade, click Create profile
  3. On the Create a profile blade, provide the following information and click Create
       • Platform: Select Windows 10 and later to create a profile for Windows 10 and Windows 11 devices
       • Profile: Select Settings catalog to select the required setting from the catalog
  4. On the Basics page, provide the following information and click Next
       • Name: Provide a name for the profile to distinguish it from other similar profiles
       • Description: (Optional) Provide a description for the profile to further differentiate profiles
       • Platform: (Greyed out) Windows 10 and later
  5. On the Configuration settings page, as shown below in Figure 2, perform the following actions
       • Select User Rights as category
       • Select Allow Local Log On as setting
       • Specify the required users and local groups, all on separate lines, and click Next
  6. On the Scope tags page, configure the required scope tags and click Next
  7. On the Assignments page, configure the assignment and click Next
  8. On the Review + create page, verify the configuration and click Create

Note : As these settings are now configurable via the Settings Catalog , that also takes away the challenges with multiple entries. No need to manually specify a delimiter, as Microsoft Intune takes care of that.

Experiencing the user rights configuration

After configuring the users that are allowed to log on locally to the Windows device, it’s pretty straightforward to experience the behavior. Simply try to log on to that device with a user account that is not allowed to log on locally. That will provide an experience as shown below in Figure 3. The user will receive the notification that the sign-in method is not allowed. Besides that, it’s also important to be familiar with the side effects of this configuration. The most important side effect is the impact on the self-service capabilities, like self-service PIN reset and self-service password reset. That’s simply because those capabilities rely on the temporary account defaultuser1 and that account won’t be able to log in, as only the specified users are allowed to locally log on to the Windows device. That experience is shown below in Figure 4. The user will either receive the status message of 0xc000015b, or will simply be switched back to the logon screen.


Note : The failed log on information is registered in the Security log in the Event Viewer with Event ID 4625 .
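To find these blocked sign-ins after the policy is deployed, the 4625 events can be filtered on the 0xc000015b status mentioned above. The block below is an added example, not part of the original post: the function name and the sample events (device name, users, timestamps) are constructed, and it assumes the status code is recorded in the event's Status data field. It also marks denials for defaultuser1, which the post ties to self-service PIN and password reset.

```powershell
# Added example: pick out Event ID 4625 records where the logon type was not granted (0xc000015b).

# Constructed sample events in the XML form returned by EventLogRecord.ToXml(); values are made up.
$SampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4625</EventID><TimeCreated SystemTime="2023-09-18T07:41:12.000Z"/><Computer>KIOSK-01</Computer></System><EventData><Data Name="TargetUserName">j.doe</Data><Data Name="TargetDomainName">AzureAD</Data><Data Name="Status">0xc000015b</Data><Data Name="SubStatus">0x0</Data><Data Name="LogonType">2</Data></EventData></Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4625</EventID><TimeCreated SystemTime="2023-09-18T08:02:55.000Z"/><Computer>KIOSK-01</Computer></System><EventData><Data Name="TargetUserName">defaultuser1</Data><Data Name="TargetDomainName">KIOSK-01</Data><Data Name="Status">0xc000015b</Data><Data Name="SubStatus">0x0</Data><Data Name="LogonType">2</Data></EventData></Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4625</EventID><TimeCreated SystemTime="2023-09-18T08:10:03.000Z"/><Computer>KIOSK-01</Computer></System><EventData><Data Name="TargetUserName">kioskadmin</Data><Data Name="TargetDomainName">KIOSK-01</Data><Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc000006a</Data><Data Name="LogonType">2</Data></EventData></Event>
'@
)

function Get-LogonTypeDenied {
    # Returns one object per failed logon whose Status matches the "logon type not granted" code.
    param(
        [Parameter(Mandatory)][string[]]$EventXml,
        [string]$Status = '0xc000015b'
    )
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        if ($evt.System['EventID'].InnerText -ne '4625') { continue }

        # Flatten <Data Name="...">value</Data> into a lookup table.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }

        if ($data['Status'] -ne $Status) { continue }   # other failures, e.g. a wrong password

        [pscustomobject]@{
            TimeUtc   = $evt.System['TimeCreated'].GetAttribute('SystemTime')
            Computer  = $evt.System['Computer'].InnerText
            User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType = $data['LogonType']              # 2 = interactive (local) logon
            # Denials for defaultuser1 point at self-service PIN/password reset being blocked.
            SelfServiceReset = ($data['TargetUserName'] -eq 'defaultuser1')
        }
    }
}

$denied = Get-LogonTypeDenied -EventXml $SampleEvents
$denied | Format-Table -AutoSize
$denied | Group-Object User | Select-Object Count, Name

# On a live device, from an elevated prompt, feed the last day of Security log events instead:
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } |
#        ForEach-Object { $_.ToXml() }
# Get-LogonTypeDenied -EventXml $xml
```

With the constructed sample, the two 0xc000015b events are returned and the wrong-password failure for kioskadmin is skipped.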

More information

For more information about the user rights configuration options, refer to the following docs.

  • UserRights Policy CSP – Windows Client Management | Microsoft Learn
  • Self-service password reset for Windows devices – Microsoft Entra | Microsoft Learn

25 thoughts on “Restricting the local log on to specific users”

I’d like to contribute to this.

This method does not inherently allow you to specify an EntraID group of users that you wish to deny local logon (at least it didn’t use to); however, I’ve found that if you use “account protection” policies to populate the local group “Guests” with users from an EntraID group, you can use the above stated policy to in effect achieve deny local logon for an EntraID group of users. (Via denying the local group “guests” as stated in your blog)

I use this in production, works well

Thank you for that suggestion, Temilit. Regards, Peter

I have not been able to replicate this. I followed inthecloud247’s blog post on this, but the only SID I was able to add to the Guests local group was the SID of an AAD directory role, and not one of an AAD security group.

Which version of Windows are you using? Regards, Peter


Can you use an AAD group here?

Not at this moment, Henrik. Regards, Peter

Is there currently a way to restrict interactive log in but allow elevation log in prompts? I would like to prevent Intune Admins from logging in locally but still allow elevation for installs/CMD.

Not sure you can achieve that with this policy, but I haven’t looked really deep in that use case yet. Regards, Peter


Is there a way to specify an EntraID security group with this setting?

Hi Yoni, The last time I tried that was not possible yet. Regards, Peter

Is there a way to sign in KioskUser0 automatically using User Rights?

Hi Mo, Can you provide some more details about what you’re trying to achieve? Regards, Peter

We have deployed a Self-Deploy AutoPilot profile plus a Kiosk Configuration Profile for single app and then assigned them to a dynamic device group. The Self-Deploy AutoPilot process completes without any issues and the Kiosk policy is applied to the device. However, KioskUser0 should log on automatically after the Self-Deploy AutoPilot process completes, but it’s not logging on automatically.

Any thoughts on why KioskUser0 is not logging on automatically?

Hi Mo, That can be many things, but something I often see is the device lock configuration that is interfering. Regards, Peter

Hello Peter,

We have Azure AD joined devices in our environment which were migrated from the source tenant to the target tenant as part of a carve-out project. Recently we observed that, after the Autopilot build completed, users who tried to sign in to the device were prompted with the error “Sign in method not allowed”. However, if we try to log in to the device with local admins, it is allowed.

Standard users are not allowed to log in. We do have an AllowLocallyLogIn baseline policy deployed by the security team, but it contains both the Administrators and Users groups. On Azure AD joined devices, does this policy really get validated when users try to sign in with a UPN?

This issue is not for all users, but 10% of users are facing it. As a workaround, when we reimported the hash of their device and reimaged the device, sign-in was allowed (a bit strange).

If you have any idea on this, please give some direction.

Hi Suraj, How did you migrate the devices from source tenant to the target tenant? Regards, Peter

I am seeing something similar for new devices. Again, not all, only a subset. Quite often, the user can happily use the device for a period (a few days), then this occurs. Logging onto the device locally, I am seeing the Allow Logon Locally being blank. Very odd. This is using Windows 11 23H2.

Hi Shaun, When that happens, do you see anything about (other) policies being applied and/or change? Regards, Peter

I tried to do the restriction as in your procedure, but I got the error 65000 in Intune. Since then, it has been impossible to connect with ALL the accounts on the computer. Do you have a solution to go back?

Hi Simon, In that case, you should apply a counter policy with the default configuration. Regards, Peter

I’ve had a similar issue. What would the correct counter policy be to reset the default logon configuration or do you have an article that details that?

Hi Mike, Easiest is to check a different device and see what the default configuration is. Regards, Peter


How do I set a local user a user rights assignment on an active directory GPO?

We have a process where I work, where any changes to active directory GPOs are performed on test servers, backed up and then the backups applied to the live AD.

I'm in the process of amending a GPO where I want to specifically add in a user rights assignment for a user account that'll exist locally on the member servers that the GPO will apply to.

I've tried adding the word BUILTIN to the front of that user, I've tried using migtables, I've tried creating the user on the domain (but that ends up as trying to apply the user rights to the domain user of that name if he exists..).

Not sure what to do, Googling comes up with a lot of results that don't tend to lead anywhere for this scenario (local, user, group, policy all very common terms together).

Any suggested way of doing this?

  • windows-server-2003
  • active-directory
  • group-policy

daed

  • 1 You would do this by just typing the name into the first popup of the add to user right assignment. Builtin only works for the accounts and groups shipped with Windows. –  Bernie White Nov 6, 2012 at 19:27

2 Answers

Perhaps, you can try the following:

  • Create a separate group for the user locally.
  • Create GPO and configure Restricted Groups in GPO to apply only to the local group created in step 1.

Description of Group Policy Restricted Groups

This is mentioned in the article if you follow the link:

Restricted Groups is a client configuration means and cannot be used with Domain Groups. Restricted Groups is designed specifically to work with Local Groups.

Volodymyr Molodets

If you will be using the same local account name on each of the member servers, you can enter it like this in the GPO:

The .\ notation simply refers to the local computer when the setting in the GPO is applied. It is similar to entering domainName\accountName.

If you will be using a different account name on each of the member servers, then the solution will not be elegant. This approach would require you to either create a unique GPO for each member server's user rights assignments, or enter everything in one ugly (and less secure) GPO like this:

The best thing that you can do to begin with is to create domain service accounts instead of local accounts.

Hope this helps.

Sam Erde

  • 1 Domain controller came up with a message of "The following Accounts could not be validated" when I tried to add .\localUserName to the user rights assignments, ended up using the solution below. Thanks for the help. –  daed Nov 12, 2012 at 11:14


Windows Server 2019 must have orphaned security identifiers (SIDs) removed from user rights.


Create a local user or administrator account in Windows

You can create a local user account (an offline account) for anyone who will frequently use your PC. The best option in most cases, though, is for everyone who uses your PC to have a Microsoft account. With a Microsoft account, you can access your apps, files, and Microsoft services across your devices.

If needed, the local user account can have administrator permissions; however, it's better to just create a local user account whenever possible.

Caution: A user with an administrator account can access anything on the system, and any malware they encounter can use the administrator permissions to potentially infect or damage any files on the system. Only grant that level of access when absolutely necessary and to people you trust.

As you create an account, remember that choosing a password and keeping it safe are essential steps. Because we don’t know your password, if you forget it or lose it, we can't recover it for you.

Create a local user account

  1. Select Start > Settings > Accounts and then select Family & other users. (In some versions of Windows you'll see Other users.)

  2. Next to Add other user, select Add account.

  3. Select I don't have this person's sign-in information, and on the next page, select Add a user without a Microsoft account.

  4. Enter a user name, password, or password hint—or choose security questions—and then select Next.


Change a local user account to an administrator account

  1. Select Start > Settings > Accounts.

  2. Under Family & other users, select the account owner name (you should see "Local account" below the name), then select Change account type.

     Note: If you choose an account that shows an email address or doesn't say "Local account", then you're giving administrator permissions to a Microsoft account, not a local account.

  3. Under Account type, select Administrator, and then select OK.

  4. Sign in with the new administrator account.

If you're using Windows 10, version 1803 and later, you can add security questions as you'll see in step 4 under Create a local user account. With answers to your security questions, you can reset your Windows 10 local account password. Not sure which version you have? You can check your version.

Select Start > Settings > Accounts and then select Family & other users. (In some versions of Windows you'll see Other users.)

Select Add someone else to this PC.

Under Family & other users, select the account owner name (you should see "Local Account" below the name), then select Change account type.


Policy CSP - UserRights


This CSP contains some settings that are under development and only applicable for Windows Insider Preview builds. These settings are subject to change and may have dependencies on other features or services in preview.

User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as Security Identifiers (SID) or strings. For more information, see Well-known SID structures.

Even though strings are supported for well-known accounts and groups, it's better to use SIDs, because strings are localized for different languages. Some user rights allow things like AccessFromNetwork, while others disallow things, like DenyAccessFromNetwork.

General example

Here's an example for setting the user right BackupFilesAndDirectories for Administrators and Authenticated Users groups.

Here are examples of data fields. The encoded 0xF000 is the standard delimiter/separator.

Grant a user right to Administrators group via SID:

Grant a user right to multiple groups (Administrators, Authenticated Users) via SID:

Grant a user right to multiple groups (Administrators, Authenticated Users) via a mix of SID and Strings:

Grant a user right to multiple groups (Authenticated Users, Administrators) via strings:

Empty input indicates that there are no users configured to have that user right:

If you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag (<![CDATA[...]]>) to wrap the data fields. You can specify one or more user groups within the CDATA tag by using 0xF000 as the delimiter/separator.

&#xF000; is the entity encoding of 0xF000.

For example, the following syntax grants user rights to Authenticated Users and Replicator user groups:

For example, the following syntax grants user rights to two specific Microsoft Entra users from Contoso, user1 and user2:

For example, the following syntax grants user rights to a specific user or group, by using the SID of the account or group:

AccessCredentialManagerAsTrustedCaller

This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it's only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities.

Description framework properties :

Group policy mapping :

AccessFromNetwork

This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services aren't affected by this user right.

Remote Desktop Services was called Terminal Services in previous versions of Windows Server.

ActAsPartOfTheOperatingSystem

This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned.

Assigning this user right can be a security risk. Only assign this user right to trusted users.

AdjustMemoryQuotasForProcess

Adjust memory quotas for a process - This privilege determines who can change the maximum memory that can be consumed by a process. This privilege is useful for system tuning on a group or user basis.

AllowLocalLogOn

This user right determines which users can log on to the computer.

Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally ( https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website.

AllowLogOnThroughRemoteDesktop

Allow log on through Remote Desktop Services - This policy setting determines which users or groups can access the sign-in screen of a remote device through a Remote Desktop Services connection.

BackupFilesAndDirectories

This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system: Traverse Folder/Execute File, Read.

Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users.

BypassTraverseChecking

This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege doesn't allow the user to list the contents of a directory, only to traverse directories.

ChangeSystemTime

This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.

When you configure user rights, it replaces existing users or groups that were previously assigned to those user rights. The system requires that the Local Service account (SID S-1-5-19) always has the ChangeSystemTime right. Always specify Local Service, in addition to any other accounts that you need to configure in this policy.

If you don't include the Local Service account, the request fails with the following error:
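The data-field format from the General example section (principals joined by 0xF000, wrapped in CDATA for Intune custom profiles) and the Local Service requirement above can be checked before a policy is deployed. The following is an added PowerShell example, not Microsoft's code: the function names are hypothetical, S-1-5-32-544 is the well-known Administrators SID, and writing SIDs with a leading asterisk is an assumption based on the form used in Microsoft's UserRights examples.

```powershell
# Added example (not Microsoft's code). Function names are hypothetical.
$Delimiter    = [string][char]0xF000   # separator between principals
$Entity       = '&#xF000;'             # entity encoding of the separator
$LocalService = 'S-1-5-19'             # must always hold ChangeSystemTime

function New-UserRightsData {
    # Builds the value for one UserRights policy and reports risky input.
    param(
        [Parameter(Mandatory)][string]$UserRight,   # e.g. AllowLocalLogOn
        [string[]]$Principal = @()                  # SIDs (preferred) or names
    )
    $warnings = [System.Collections.Generic.List[string]]::new()
    $items = foreach ($p in $Principal) {
        $value = $p.Trim()
        if (-not $value) { continue }
        if ($value -match '^\*?(S-1-\d+(-\d+)+)$') {
            # Assumption: SIDs are written with a leading asterisk.
            '*' + $Matches[1].ToUpperInvariant()
        } else {
            $warnings.Add("'$value' is a name, not a SID; names are localized.")
            $value
        }
    }
    $items = @($items)

    if ($items.Count -eq 0) {
        # The assignment replaces what was there; it does not merge.
        $warnings.Add("Empty value: no account will hold $UserRight.")
    }
    if ($UserRight -eq 'ChangeSystemTime') {
        $hasLocalService = @($items | Where-Object {
            $_ -eq "*$LocalService" -or $_ -match '(^|\\)LOCAL SERVICE$'
        }).Count -gt 0
        if (-not $hasLocalService) {
            throw "ChangeSystemTime must include Local Service ($LocalService)."
        }
    }

    [pscustomobject]@{
        UserRight   = $UserRight
        OmaUri      = "./Device/Vendor/MSFT/Policy/Config/UserRights/$UserRight"
        Data        = $items -join $Delimiter                       # raw form
        IntuneValue = '<![CDATA[' + ($items -join $Entity) + ']]>'  # custom profile
        Warnings    = $warnings.ToArray()
    }
}

function ConvertFrom-UserRightsData {
    # Splits an existing value back into its principals for review.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $inner = $Value -replace '^<!\[CDATA\[', '' -replace '\]\]>$', ''
    @($inner -split "$([regex]::Escape($Entity))|$Delimiter" | Where-Object { $_ })
}

# Administrators and Authenticated Users by SID: no warnings.
$allow = New-UserRightsData -UserRight AllowLocalLogOn -Principal 'S-1-5-32-544', 'S-1-5-11'
$allow.IntuneValue      # <![CDATA[*S-1-5-32-544&#xF000;*S-1-5-11]]>

# Mixed SID and name: accepted, but the name is reported as localized.
$backup = New-UserRightsData -UserRight BackupFilesAndDirectories -Principal 'Administrators', 'S-1-5-11'
$backup.Warnings

# ChangeSystemTime without Local Service is rejected before deployment.
try {
    New-UserRightsData -UserRight ChangeSystemTime -Principal 'S-1-5-32-544'
} catch {
    "Rejected: $($_.Exception.Message)"
}

# Round trip of an existing value.
ConvertFrom-UserRightsData -Value $allow.IntuneValue
```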

ChangeTimeZone

This user right determines which users and groups can change the time zone used by the computer for displaying the local time, which is the computer's system time plus the time zone offset. System time itself is absolute and isn't affected by a change in the time zone.

CreateGlobalObjects

This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they don't have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption.

Assigning this user right can be a security risk. Assign this user right only to trusted users.

CreatePageFile

This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually doesn't need to be assigned to any users.

CreatePermanentSharedObjects

This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it isn't necessary to specifically assign it.

CreateSymbolicLinks

This user right determines if the user can create a symbolic link from the computer they are logged on to.

This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them.

This setting can be used in conjunction with a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links.

CreateToken

This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it's necessary, don't assign this user right to a user, group, or process other than Local System.

Assigning this user right can be a security risk. Don't assign this user right to any user, group, or process that you don't want to take over the system.

DebugPrograms

This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications don't need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components.

DenyAccessFromNetwork

This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies.

DenyLocalLogOn

This security setting determines which service accounts are prevented from registering a process as a service.

This security setting doesn't apply to the System, Local Service, or Network Service accounts.

DenyLogOnAsBatchJob

This security setting determines which accounts are prevented from being able to log on as a batch job. This policy setting supersedes the Log on as a batch job policy setting if a user account is subject to both policies.

DenyLogOnAsService

Deny log on as a service -This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies.

This security setting doesn't apply to the System, Local Service, or Network Service accounts. Default: None.

DenyRemoteDesktopServicesLogOn

This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client.

EnableDelegation

This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that's granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that's trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account doesn't have the Account can't be delegated account control flag set.

Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.

GenerateSecurityAudits

This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service if the "Shut down system immediately if unable to log security audits" security policy setting is enabled.

ImpersonateClient

Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they've created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels.

By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they're started. In addition, a user can also impersonate an access token if any of the following conditions exist. 1) The access token that's being impersonated is for this user. 2) The user, in this logon session, created the access token by logging on to the network with explicit credentials. 3) The requested level is less than Impersonate, such as Anonymous or Identify. Because of these factors, users don't usually need this user right.

If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run.

IncreaseProcessWorkingSet

Increase a process working set. This privilege determines which user accounts can increase or decrease the size of a process's working set. The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process.

Increasing the working set size for a process decreases the amount of physical memory available to the rest of the system.

IncreaseSchedulingPriority

This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.

If you remove Window Manager\Window Manager Group from the Increase scheduling priority user right, certain applications and computers won't function correctly. In particular, the INK workspace doesn't function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 or later and that use the Intel GFX driver.

On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission.

LoadUnloadDeviceDrivers

This user right determines which users can dynamically load and unload device drivers or other code into kernel mode. This user right doesn't apply to Plug and Play device drivers. It's recommended that you don't assign this privilege to other users.

This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).

LogOnAsBatchJob

This security setting allows a user to be logged-on by means of a batch-queue facility and is provided only for compatibility with older versions of Windows. For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an interactive user.

LogOnAsService

This security setting allows a security principal to log on as a service. Services can be configured to run under the Local System, Local Service, or Network Service accounts, which have a built in right to log on as a service. Any service that runs under a separate user account must be assigned the right.

ManageAuditingAndSecurityLog

This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting doesn't allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log.

ManageVolume

This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files into memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data.

ModifyFirmwareEnvironment

This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.

This security setting doesn't affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties.

ModifyObjectLabel

This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege.

ProfileSingleProcess

This user right determines which users can use performance monitoring tools to monitor the performance of system processes.

ProfileSystemPerformance

This security setting determines which users can use performance monitoring tools to monitor the performance of system processes.

RemoteShutdown

This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service.

ReplaceProcessLevelToken

This security setting determines which user accounts can call the CreateProcessAsUser() application programming interface (API) so that one service can start another. An example of a process that uses this user right is Task Scheduler. For information about Task Scheduler, see Task Scheduler overview.

RestoreFilesAndDirectories

This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system: Traverse Folder/Execute File, Write.

Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users.

ShutDownTheSystem

This security setting determines which users who are logged-on locally to the computer can shut down the operating system using the Shut Down command. Misuse of this user right can result in a denial of service.

TakeOwnership

This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.

Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users.
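To check which accounts actually hold the riskier rights described above (restore files and directories, take ownership, replace a process-level token, modify an object label), the following added example audits the `[Privilege Rights]` section of a `secedit` export; it is not part of the original page or of Set-UserRights.ps1. The function name, the baseline of expected SIDs and the sample export lines are assumptions constructed for illustration.

```powershell
# Assumed baseline: SIDs expected to hold each right (adjust to your own policy).
$Baseline = @{
    SeRestorePrivilege            = @('S-1-5-32-544', 'S-1-5-32-551') # Administrators, Backup Operators
    SeTakeOwnershipPrivilege      = @('S-1-5-32-544')                 # Administrators
    SeAssignPrimaryTokenPrivilege = @('S-1-5-19', 'S-1-5-20')         # LOCAL SERVICE, NETWORK SERVICE
    SeRelabelPrivilege            = @()                               # nobody
}

function Find-UnexpectedRightHolder {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$InfLine,
        [Parameter(Mandatory)][hashtable]$Baseline
    )
    $inSection = $false
    foreach ($line in $InfLine) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {            # section header, e.g. [Privilege Rights]
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection) { continue }
        if ($text -match '^(\w+)\s*=\s*(.*)$' -and $Baseline.ContainsKey($Matches[1])) {
            $right = $Matches[1]
            # Holders are comma-separated; SIDs carry a leading '*', account names do not.
            foreach ($entry in ($Matches[2] -split ',')) {
                $id = $entry.Trim().TrimStart('*')
                if ($id -and $Baseline[$right] -notcontains $id) {
                    [pscustomobject]@{ Right = $right; Holder = $id }
                }
            }
        }
    }
}

# Constructed sample of an export. For real input, run from an elevated prompt:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
# and pass (Get-Content "$env:TEMP\rights.inf") as -InfLine.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeTakeOwnershipPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRelabelPrivilege = CONTOSO\User
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
'@ -split "`r?`n"

Find-UnexpectedRightHolder -InfLine $sample -Baseline $Baseline | Format-Table -AutoSize
```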


COMMENTS

  1. Change User Rights Assignment Security Policy Settings in Windows 10

    1 Press the Win + R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy. 2 Expand open Local Policies in the left pane of Local Security Policy, and click/tap on User Rights Assignment. (see screenshot below step 3) 3 In the right pane of User Rights Assignment, double click/tap on the policy (ex: "Shut down the system") you want to add users and/or ...

  2. User Rights Assignment

    User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and how they can log on. User rights ...

  3. Local Accounts

    Navigate to the Computer Configuration\Windows Settings\Security Settings\, and > User Rights Assignment. Double-click Deny access to this computer from the network. Select Add User or Group, type Local account and member of Administrators group, and > OK.

  4. Allow or Prevent Users and Groups to Sign in Locally to Windows 10

    1. Press the Win+R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy. 2. Expand open Local Policies in the left pane of Local Security Policy, click/tap on User Rights Assignment, and double click/tap on the Allow log on locally policy in the right pane. (see screenshot below) 3.

  5. Set and Check User Rights Assignment via Powershell

    Personal File Server - Get-UserRights.ps1 Alternative Download Link. or. Personal File Server - Get-UserRights.txt Text Format Alternative Download Link. In order to check the Local User Rights, you will need to run the above (Get-UserRights); you may copy and paste the above script into your PowerShell ISE and press play.

  6. User Rights Assignment

    3. To Remove a User or Group from a User Rights Assignment Policy. A) In the elevated command prompt, type the command below for what user or group that you would like to remove from what policy, and press Enter. NOTE: See blue note box below step 4. ntrights -U " User or Group " -R PolicyConstantName.

  7. How to manage user account settings on Windows 11

    To create a local account on Windows 11, use these steps: Open Settings. Click on Accounts. Click the Family & other users page on the right side. (Image credit: Future) Under the "Other users ...

  8. Configure security policy settings

    In the console tree, click Computer Configuration, select Windows Settings, and then select Security Settings. Do one of the following: Select Account Policies to edit the Password Policy or Account Lockout Policy. Select Local Policies to edit an Audit Policy, a User Rights Assignment, or Security Options. In the details pane, double-click the ...

  9. User rights assignment in Windows Server 2016

    Local Policies/User Rights Assignment. User rights assignments are settings applied to the local device. They allow users to perform various system tasks, such as local logon, remote logon, accessing the server from network, shutting down the server, and so on. In this section, I will explain the most important settings and how they should be ...

  10. The Allow log on locally user right must only be assigned to the

    Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Allow log on locally" user right, this is a finding: Administrators. Users.

  11. windows

    I want to modify the user rights associated with a local user account. I want to add groups and users to a particular User Rights. This is done by opening the group policy and opening the following folder in the console tree: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.

  12. Deny Users and Groups to Sign in Locally to Windows 10

    1. Press the Win+R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy. 2. Expand open Local Policies in the left pane of Local Security Policy, click/tap on User Rights Assignment, and double click/tap on the Deny log on locally policy in the right pane. (see screenshot below) 3.

  13. Restricting the local log on to specific users

    On the Configuration settings page, as shown below in Figure 2, perform the following actions. Click Add settings and perform the following in Settings picker. Select User Rights as category. Select Allow Local Log On as setting. Specify the required users and local groups - all on separate lines - and click Next.

  14. What is the relationship between User Rights Assignment Policies vs

    The default rights on a server for local built-in groups are set in the local security settings. To access the local security settings, click Start, type secpol.msc and hit enter. In the Local Security Policy editor, expand Local Policies, and click on User Rights Assignment. There you will see what groups/users are granted which rights.

  15. How do I set a local user a user rights assignment on an active

    If you will be using the same local account name on each of the member servers, you can enter it like this in the GPO:.\localUsername The .\ notation simply refers to the local computer when the setting in the GPO is applied. It is similar to entering domainName\accountName.

  16. Windows Server 2019 must have orphaned security identifiers (SIDs

    Details. Review the effective User Rights setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. Review each User Right listed for any unresolved SIDs to determine whether they are valid, such as due ...

  17. User Rights Assignment

    User rights govern the methods by which a user can log on to a system. User rights are applied at the local computer level, and they allow users to perform tasks on a computer or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a computer and how they can log on.

  18. Allow log on locally

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment. ... Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. Modifying this setting might affect compatibility with clients, services, and applications. ...

  19. Create a local user or administrator account in Windows

    Create a local user account. Select Start > Settings > Accounts and then select Family & other users. (In some versions of Windows you'll see Other users .) Next to Add other user, select Add account . Select I don't have this person's sign-in information, and on the next page, select Add a user without a Microsoft account.

  20. Blocking Remote Use of Local Accounts

    These SIDs can grant or deny access to all local accounts or all administrative local accounts - for example, in User Rights Assignments to "Deny access to this computer from the network" and "Deny log on through Remote Desktop Services", as we recommend in our latest security guidance. Prior to the definition of these SIDs, you would ...

  21. Create a token object

    When a user signs in to the local device or connects to a remote device through a network, Windows builds the user's access token. Then the system examines the token to determine the level of the user's privileges. ... Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on ...

  22. UserRights Policy CSP

    User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as Security Identifiers (SID) or strings. For more information, see Well-known SID structures.