Monday, September 2, 2019

Logon Rights in Windows System

What is Logon Rights?

Logon rights are a way to control how user accounts are allowed to access the computer. In other words, logon rights control how user accounts can log on to the computer system. There are various means of access: a keyboard, a network connection, or running as a service or a batch job. In general there are 5 logon types in Windows.
  1. Interactive
  2. Network
  3. Remote Interactive
  4. Service
  5. Batch
For each logon method, there exists a pair of logon rights: one to allow logging on to the computer and another to deny logging on to the computer. If a user ends up with both the allow and deny rights for a given logon type, deny overrides allow.

Logon Type         | Allow                                      | Deny
-------------------|--------------------------------------------|-------------------------------------------------
Interactive        | Allow log on locally                       | Deny log on locally
Network            | Access this computer from the network      | Deny access to this computer from the network
Remote Interactive | Allow log on through Terminal Services     | Deny log on through Terminal Services
Service            | Log on as a service                        | Deny log on as a service
Batch              | Log on as a batch job                      | Deny log on as a batch job



Changes to these logon rights assignments in Windows are logged by event IDs 4717 and 4718.

Case Example:
Let's suppose Bob wants all users except the members of the domain's Sales group to be able to log on locally at his computer. What he needs to do is create a local group named "LocalLogonDenied". Next he configures his computer as below:
  • He assigns the log on locally user right to the Users group.
  • He assigns the deny local logon user right to the LocalLogonDenied group.
  • He makes the Sales group a member of the LocalLogonDenied group.
As stated above deny rights take precedence over allow rights, so members of the Sales group are denied the right to log on locally even though they are also members of the Users group, which is allowed to log on locally.
--------------------------------------------------------------------------------------------------------------------------
The key here is "Allow a set, and then deny a subset."
-------------------------------------------------------------------------------------------------------------------------- 
Reversing the order can be disastrous. For example, Bob might want to allow no one but himself to log on locally. If he allowed himself the right to log on locally and denied the Users group the right to log on locally, he would be unpleasantly surprised to find he had locked himself out of the computer. Bob, after all, is a member of the Users group, so the deny right he assigned to the Users group would take precedence over the allow right he assigned to himself.
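The two configurations above (allow the set, deny the subset; and the reversed order that locks Bob out) can be checked before they are applied by resolving the allow/deny pairs the same way Windows does. The following is an added example, not code from the original post: the privilege names are the real secedit constants for each logon type, while the accounts, groups and memberships are constructed for illustration.

```python
# Real secedit privilege constants for the (allow, deny) pair of each logon type.
LOGON_RIGHTS = {
    "Interactive":        ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "Network":            ("SeNetworkLogonRight", "SeDenyNetworkLogonRight"),
    "Remote Interactive": ("SeRemoteInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight"),
    "Service":            ("SeServiceLogonRight", "SeDenyServiceLogonRight"),
    "Batch":              ("SeBatchLogonRight", "SeDenyBatchLogonRight"),
}

def expand_groups(principal, membership):
    """Return the principal plus every group it belongs to, directly or through nesting."""
    seen, todo = set(), [principal]
    while todo:
        p = todo.pop()
        if p not in seen:
            seen.add(p)
            todo.extend(membership.get(p, ()))
    return seen

def effective_logon_types(principal, membership, assignments):
    """Logon types the principal can use: some identity it holds must have the allow
    right and none of them may hold the deny right (deny overrides allow)."""
    identities = expand_groups(principal, membership)
    allowed = set()
    for logon_type, (allow, deny) in LOGON_RIGHTS.items():
        has_allow = identities & set(assignments.get(allow, ()))
        has_deny = identities & set(assignments.get(deny, ()))
        if has_allow and not has_deny:
            allowed.add(logon_type)
    return allowed

def lockout_risk(principal, membership, assignments):
    """True if the principal ends up with no interactive (local) logon at all."""
    return "Interactive" not in effective_logon_types(principal, membership, assignments)

# Constructed directory (hypothetical accounts): Bob and Alice are Users, Alice is in
# Sales, and Sales is nested in LocalLogonDenied as in the case example.
MEMBERSHIP = {"Bob": ["Users"], "Alice": ["Users", "Sales"], "Sales": ["LocalLogonDenied"]}

# Allow the set (Users), then deny the subset (LocalLogonDenied).
CORRECT = {"SeInteractiveLogonRight": ["Users"], "SeDenyInteractiveLogonRight": ["LocalLogonDenied"]}
# The reversed order: allow Bob, deny Users. Bob is a User, so the deny wins.
REVERSED = {"SeInteractiveLogonRight": ["Bob"], "SeDenyInteractiveLogonRight": ["Users"]}

if __name__ == "__main__":
    for label, cfg in (("correct", CORRECT), ("reversed", REVERSED)):
        for who in ("Bob", "Alice"):
            print(label, who, sorted(effective_logon_types(who, MEMBERSHIP, cfg)),
                  "LOCKED OUT" if lockout_risk(who, MEMBERSHIP, cfg) else "")
```

Running it shows Bob keeps local logon and Alice loses it under the correct configuration, while the reversed configuration locks Bob out as the post describes.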
