User rights on a 2003 member server
How can I grant the log on locally right to a single local user account on a 2003 member server in a domain? The "Add user or group" button is not active for that right, I am assuming because it is being controlled by domain group policy, and I can't see how to modify the policy for the right on one member server and one of its local users.
March 20th, 2012 5:56pm

Hi Dave, I might be a little off course here, but by default, a local user already has the right to log on locally. No particular rights need to be specifically assigned to that user. It's worth mentioning that this does not allow the user to connect via RDP - this is a common misconception I find, so if you're trying to test the account via RDP, that's not going to work unless you also add the user to the local Remote Desktop Users group. The second sentence is what's confusing me a little. Are you expecting the new local user account to be able to modify the memberships of local users and groups, or is that a problem you're having when trying to set up a new local user? Keep in mind that the ability (or right) to log on locally doesn't implicitly mean that you can create users or modify memberships. Cheers, Lain
March 20th, 2012 10:23pm

The user can log on through RD but not sitting at the server because, I think, the default domain group policy overrides the local setting, even for local users. I see why you are confused about the add users comment. What I meant is that when I log on as administrator locally or with the domain admin account and access the local security settings, I am trying to add the one user to the list of users and groups who can "log on locally", and the button to do this is greyed out (again, due to a group policy, I think). In other words, I am not adding a user; I am trying to add an existing user to the list of users who are allowed to "log on locally".
March 20th, 2012 11:01pm

Okay, that makes sense, and yes, you'd be right in saying that's going to be coming from group policy. Whether it's domain level or local I couldn't say (even if it's most likely the former) - run rsop.msc to figure that out. Looking at the list of users shown in the Allow log on locally right, is the local "Users" group listed? Based on what you said, it sounds like the answer is no, but if it is, then you might want to check the "Deny log on locally" right and see if any groups have been specified there that the user is a member of, as this would also prevent the user from logging on. If so, you might be able to work around the issue by removing them from any Deny groups, as opposed to adding them to the Allow right. Cheers, Lain
March 20th, 2012 11:11pm

I did get the user the local logon right by editing the default domain policy to add the user, but I would really like to add that right to that user on one server only. I don't get into GP much, but it seems that to do this I have to create a new GP that only applies to one server and one user. Does that sound correct?
March 21st, 2012 5:45pm

That is correct. Domain policies override local policies, so to achieve your goal you have to create a new GPO, link it to the OU containing the computer, enable Loopback Processing, and in the scope remove Authenticated Users and add the user account to which you need the policy to apply. More on loopback processing: http://support.microsoft.com/kb/231287 http://technet.microsoft.com/en-us/library/cc757470(v=ws.10).aspx MCTS - Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. http://mariusene.wordpress.com/
March 21st, 2012 6:22pm
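The GPO scoping described in the reply above, written out as an added PowerShell example (this is not code from the thread or from Marius' blog). It uses the GroupPolicy module that ships with RSAT / Windows Server 2008 R2 and later, so it would be run from a management workstation rather than on the 2003 server itself. The GPO name, OU, server name and account are placeholders. Because "Allow log on locally" is a Computer Configuration setting, the computer account is the principal that must keep Apply after Authenticated Users is removed from the filter; the right itself is then added inside the GPO with the Group Policy Management Editor (Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment), since the GroupPolicy cmdlets do not expose User Rights Assignment. Whether Set-GPPermission expects the computer name with or without the trailing $ is an assumption here; check Get-GPPermission afterwards.

```powershell
# Added example, not from the thread: create a GPO that applies to one member server only.
# Assumes the GroupPolicy module (RSAT) and rights to create and link GPOs.
Import-Module GroupPolicy

$GpoName  = 'Allow log on locally - APP01 only'        # hypothetical GPO name
$TargetOU = 'OU=Member Servers,DC=example,DC=local'    # hypothetical OU holding the server
$Computer = 'APP01'                                    # hypothetical server (assumed: name without trailing $)

$gpo = New-GPO -Name $GpoName -Comment 'Grants Allow log on locally to one account on one server'
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null

# Security filtering: take Authenticated Users out of the scope so the GPO does not
# reach every computer in the OU ...
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None | Out-Null
# ... and let only the one computer apply it. The user right is a computer-side
# setting, so the computer account is what needs Apply; filtering on the user alone
# would leave the setting unapplied.
Set-GPPermission -Name $GpoName -TargetName $Computer -TargetType Computer -PermissionLevel GpoApply | Out-Null
# Computers also need Read on GPOs that carry user settings (required since MS16-072); harmless here.
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead | Out-Null

# Loopback processing as suggested in the reply, merge mode (1 = merge, 2 = replace).
# Only needed if the GPO also carries User Configuration settings.
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# Verify the resulting filter: expect the computer with GpoApply and no Authenticated Users entry
Get-GPPermission -Name $GpoName -All | Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission
```

After the right has been added to the GPO in the editor, gpupdate /target:computer /force on the server and rsop.msc confirm that this GPO, not Default Domain Policy, is the one supplying the setting.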

Dave, you might want to go back a step and take the setting back out of the Default Domain Policy (assuming you haven't already done so), as if changing the policy at that level made a difference, there's a very good chance that the setting was originally specified in the local group policy, since the only policies (by default) it would have overridden would have been local group policy and site-based group policy - and the latter isn't a likely spot to find such a setting. Once you've removed the setting, if you hop onto the server in question and open an elevated command prompt, do the following:

1. Run the following to update the policy settings (which should remove the change made in Default Domain Policy): gpupdate /target:computer /force
2. Run: rsop.msc
3. Drill down through Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
4. Double-click on "Allow log on locally" and inspect the Precedence tab

This will tell you exactly which policy is responsible for the setting, and if it's Local Group Policy, simply launch gpedit.msc from that same command prompt, navigate back down to the setting and re-configure the groups accordingly. You won't need to configure a domain policy if this is the case. If it isn't the case, then refer to Marius' post above for handling the domain policy approach. Cheers, Lain
March 21st, 2012 7:46pm
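As an added example (not code from the thread), the check Lain describes in the two posts above, done from PowerShell on the server instead of by clicking through rsop.msc: export the effective User Rights Assignment with secedit, resolve the SIDs behind "Allow log on locally" (SeInteractiveLogonRight) and "Deny log on locally" (SeDenyInteractiveLogonRight), and test whether a named local user is covered by either through its local group memberships. It assumes an elevated PowerShell session on the member server and that secedit.exe is present; the account name "legacyapp" at the bottom is a constructed sample. Which policy supplied the winning value is still best read from the Precedence tab in rsop.msc or from gpresult /scope computer /v.

```powershell
# Added example, not from the thread: audit the local "log on locally" rights and
# explain why a local user can RDP in but cannot log on at the console (or vice versa).
# Assumptions: elevated PowerShell on the server; secedit.exe available.

function Get-LogonLocallyRightHolders {
    # Privilege constants behind "Allow log on locally" and "Deny log on locally"
    $rights = @('SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight')
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    # Export only the User Rights Assignment area of the effective local policy
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        $lines  = Get-Content -Path $inf
        $result = @{}
        foreach ($right in $rights) {
            $result[$right] = @()
            $line = $lines | Where-Object { $_ -like "${right}*=*" } | Select-Object -First 1
            if (-not $line) { continue }                 # right assigned to nobody
            $entries = ($line -split '=', 2)[1] -split ','
            foreach ($entry in $entries) {
                $entry = $entry.Trim()
                if ($entry -eq '') { continue }
                if ($entry.StartsWith('*')) {
                    # secedit writes principals as *SID; resolve to DOMAIN\Name where possible
                    $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
                                      -ArgumentList $entry.TrimStart('*')
                    try   { $result[$right] += $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $result[$right] += $entry }  # unresolvable SID: keep the raw value
                } else {
                    $result[$right] += $entry
                }
            }
        }
        return $result
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Get-LocalUserGroupNames {
    param([Parameter(Mandatory = $true)][string]$UserName)
    # Local group memberships of a local user via the WinNT ADSI provider (works on 2003)
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
    foreach ($group in $user.Groups()) {
        $group.GetType().InvokeMember('Name', 'GetProperty', $null, $group, $null)
    }
}

function Test-LocalUserLogonLocally {
    param([Parameter(Mandatory = $true)][string]$UserName)
    $holders   = Get-LogonLocallyRightHolders
    $principal = "$env:COMPUTERNAME\$UserName"
    $groups    = Get-LocalUserGroupNames -UserName $UserName
    # Identities every logged-on account carries, even though no group membership shows them
    $implicit  = @('Everyone', 'Authenticated Users')

    # Keep the holders that cover this user: the account itself, one of its local groups
    # (e.g. BUILTIN\Users), or an implicit identity
    function Select-Applicable([string[]]$List) {
        $List | Where-Object {
            $short = ($_ -split '\\')[-1]
            $_ -eq $principal -or ($groups -contains $short) -or ($implicit -contains $short)
        }
    }
    $allowedVia = @(Select-Applicable $holders['SeInteractiveLogonRight'])
    $deniedVia  = @(Select-Applicable $holders['SeDenyInteractiveLogonRight'])

    New-Object PSObject -Property @{
        User            = $principal
        AllowedVia      = $allowedVia
        DeniedVia       = $deniedVia
        # Deny always wins over Allow, which is why the Deny right is worth checking first
        CanLogOnLocally = ($allowedVia.Count -gt 0 -and $deniedVia.Count -eq 0)
    } | Select-Object User, AllowedVia, DeniedVia, CanLogOnLocally
}

# Constructed sample: a local account named "legacyapp"
Test-LocalUserLogonLocally -UserName 'legacyapp' | Format-List
```

If AllowedVia is empty while the user is a member of Remote Desktop Users, that matches the symptom in this thread: RDP works (a separate right, SeRemoteInteractiveLogonRight) while console logon does not. A non-empty DeniedVia points at the workaround Lain mentions, removing the user from the denied group rather than widening the Allow list.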

Thanks so much to everyone. The original reason I wanted to do this was because I had an old app which would not run using RD unless that user was put in the local administrators group, which was not a good solution. So, I wanted to try it logged on locally and see if it was an RD issue. The only way (other than making them an admin) was to change the policy to allow the user to CreateGlobalObjects. I know there are concerns about doing this, but it must be better than the admin approach. Thanks again all.
March 22nd, 2012 8:36pm
