A Quick Tip To Modify Logon Rights On Multiple Computers

by [Published on 24 Sept. 2009 / Last Updated on 4 April 2009]

This article explains a simple command you can use to modify the "Log On Locally" right on all your servers remotely.

The Log On Locally right allows your users to log on locally on the server. By default, all the users in the Active Directory Forest are able to log on to any server except domain controllers. The Local Users Security Group is added to the "Allow Log On Locally" right on the local server, and this security group contains the Domain Users security local group. If you have created a security group and want only the members of this security group to be able to log on locally on specified servers, then you must do it manually, using a Group Policy, or using a script.

In this example, I have created a domain security group named RDP Access, and members of this security group should be able to log on locally on 100 of the 500 servers in my environment.

Steps:

  • Create a text file: Servers.txt
  • Copy all 100 server names into this text file.
  • Run the following command:

For /F "Tokens=*" %a in (Servers.txt) Do Ntrights.exe -m \\%a -u "Domain_Name\RDP Access" +r SeInteractiveLogonRight

The above command assigns the Log On Locally right to RDP Access, which is a domain local security group, on the servers listed in the Servers.txt file.
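
To confirm the result afterwards, the following PowerShell script (an added example, not part of the original tip) exports each server's user rights with secedit and lists every account holding SeInteractiveLogonRight. Because +r only adds an entry, the report shows both whether the group was added and which other entries, such as the default ones described above, still hold the right. It assumes Servers.txt holds one name per line, PowerShell remoting is enabled on the targets, and you are a local administrator there; Domain_Name is the article's placeholder.

```powershell
# Added example: list who holds "Allow log on locally" on every server in Servers.txt.
# Assumptions: one server name per line, WinRM remoting enabled, caller is local admin.
$group   = 'Domain_Name\RDP Access'   # placeholder domain name, as in the article
$servers = Get-Content .\Servers.txt | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$holders = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ErrorVariable failed -ScriptBlock {
    $cfg = Join-Path $env:TEMP ('rights_{0}.inf' -f [guid]::NewGuid())
    try {
        # Export only the user-rights section of the local security policy
        secedit.exe /export /areas USER_RIGHTS /cfg $cfg /quiet | Out-Null
        $line = Get-Content $cfg | Where-Object { $_ -match '^\s*SeInteractiveLogonRight\s*=' } |
                Select-Object -First 1
        $entries = @('(none)')
        if ($line) { $entries = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() } }
        foreach ($e in $entries) {
            $name = $e                      # plain account name, or '(none)'
            if ($e.StartsWith('*')) {       # '*S-1-5-...' entries are SIDs
                try {
                    $sid  = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList ($e.TrimStart('*'))
                    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $name = $e.TrimStart('*') }   # unresolvable SID: keep it raw
            }
            [pscustomobject]@{ Holder = $name }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# One row per server: is the group present, and who else can still log on locally?
$holders | Group-Object PSComputerName | ForEach-Object {
    [pscustomobject]@{
        Server         = $_.Name
        GroupHasRight  = ($_.Group.Holder -contains $group)
        AllHolders     = ($_.Group.Holder -join '; ')
    }
} | Format-Table -AutoSize -Wrap

# Servers that could not be queried are reported separately, not silently skipped
$failed | ForEach-Object { Write-Warning "Remoting failed: $_" }
```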

The Author — Nirmal Sharma

Nirmal Sharma is an MCSEx3 and MCITP, and was awarded Microsoft MVP in Directory Services. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles for various online communities. Nirmal can also be found contributing to PowerShell based Dynamic Packs for ADHealthProf.ITDynamicPacks.Net solutions.
