The Log On Locally right allows users to log on locally to a server. By default, all users in the Active Directory forest can log on to any server except domain controllers. The Local Users Security Group is added to the "Allow Log On Locally" right on the local server, and this security group contains the Domain Users security local group. If you have created a security group and want only its members to be able to log on locally on specified servers, you must configure this manually, with a Group Policy, or with a script.
In this example, I have created a domain security group named RDP Access, and members of this security group should be able to log on locally on 100 of the 500 servers in my environment.
- Create a text file: Servers.txt
- Copy all 100 server names into this text file.
- Run the following command:
For /F "Tokens=*" %a in (Servers.txt) Do Ntrights.exe -m \\%a -u "Domain_Name\RDP Access" +r SeInteractiveLogonRight
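The above command assigns the Log On Locally right to RDP Access, which is a domain local security group, on the servers listed in the Servers.txt file. If you put the command in a batch file instead of typing it at the command prompt, use %%a in place of %a.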
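
To confirm the result, the following added example (not part of the original article) reads the effective user rights on each server in Servers.txt and reports whether the group holds SeInteractiveLogonRight. It also lists every other holder of the right, because Ntrights `+r` only adds an entry and leaves the existing ones in place. It assumes PowerShell remoting is enabled on the servers, that you run it as an administrator of those servers, and that `Domain_Name\RDP Access` is the article's placeholder group name; the CSV file name is arbitrary.

```powershell
# Added example: audit who holds SeInteractiveLogonRight on each listed server.
# Assumptions: WinRM is enabled, the caller is a local administrator on the
# targets, and the group name is the article's placeholder.
$group   = 'Domain_Name\RDP Access'
$servers = Get-Content -Path .\Servers.txt | Where-Object { $_.Trim() }

# secedit writes holders as *SID or as an account name, so resolve the SID once.
$groupSid = ([System.Security.Principal.NTAccount]$group).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

$report = foreach ($server in $servers) {
    try {
        $line = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            $cfg = Join-Path $env:TEMP 'user_rights.inf'
            secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
            # Keep only the SeInteractiveLogonRight line of [Privilege Rights].
            Get-Content -Path $cfg |
                Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
            Remove-Item -Path $cfg -Force
        }
        # Line format: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,...
        $holders = @(($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') })
        [pscustomobject]@{
            Server     = $server
            GroupHasIt = ($holders -contains $groupSid) -or ($holders -contains $group)
            Holders    = $holders -join ';'
            Error      = $null
        }
    } catch {
        # Unreachable server or access denied: record it instead of stopping.
        [pscustomobject]@{
            Server = $server; GroupHasIt = $false; Holders = $null
            Error  = $_.Exception.Message
        }
    }
}

$report | Export-Csv -Path .\LogOnLocally-Audit.csv -NoTypeInformation
# Show only the servers where the group is missing or the check failed.
$report | Where-Object { -not $_.GroupHasIt } | Format-Table Server, Error -AutoSize
```

Review the Holders column for entries such as S-1-5-32-545 (the built-in Users group) on servers where only the RDP Access members are meant to log on locally.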