By default, only members of the Account Operators, Administrators, Backup Operators, ENTERPRISE DOMAIN CONTROLLERS, Print Operators, and Server Operators groups are allowed to log on to an Active Directory domain controller locally.
In order to maintain the security and integrity of the entire domain and its infrastructure, it is strongly recommended that you should NOT allow the domain users to log on to the Active Directory domain controller interactively (locally).
However, if for testing purposes you still want to allow a domain user, or a particular group that contains domain user accounts, to log on to the domain controller interactively, this tutorial walks you through the steps.
Here is how you can allow a particular Windows Server 2012 domain user to log on to the Active Directory domain controller interactively (locally):
■Log on to the Windows Server 2012 Active Directory domain controller with an Enterprise Admin or Domain Admin account.
■If not already started, initialize the Server Manager window by clicking its icon from the bottom left corner of the window in the taskbar.
■On the opened Server Manager window, from the top right corner, click Tools from the menu bar.
■On the displayed list, go to Group Policy Management.
■On the opened Group Policy Management console, from the left pane, expand Forest > Domains, and then expand the domain name (MYDOMAIN.COM for this demonstration).
■From the expanded tree, expand the Domain Controllers Organizational Unit, and right-click the linked Default Domain Controllers Policy GPO.
■From the displayed context menu, click Edit.
■On the opened Group Policy Object Editor snap-in, from the left pane, under the Computer Configuration, locate and select Windows Settings > Security Settings > Local Policies > User Rights Assignment.
■Once the User Rights Assignment option is selected from the left pane, from the right pane, double-click the Allow log on locally option.
■On the opened Allow log on locally Properties box, click the Add User or Group button.
■On the opened Add User or Group box, click the Browse button.
■On the Select Users, Computers, Service Accounts, or Groups box, in the Enter the object names to select field, type the name of the user that you want to allow to log on to the Active Directory domain controller locally.
■Once done, click the Check Names button to verify the availability and correctness of the typed name.
■Click OK when the name is successfully verified. (A successfully verified name is underlined and is shown in the list together with its corresponding FQDN.)
■Back on the Add User or Group box, click OK.
■Back on the Allow log on locally Properties box, click OK again to save the changes.
■Close the Group Policy Object Editor snap-in.
■Press the Windows + R keys simultaneously to initialize the Run command box.
■In the available field in the Run command box, type the GPUPDATE /FORCE command and press the Enter key to update the group policy settings.
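As an added check that is not part of the original tutorial, the following PowerShell script (run from an elevated prompt on the domain controller after GPUPDATE /FORCE) exports the effective local security policy with secedit and lists every principal that holds the Allow log on locally right (SeInteractiveLogonRight), flagging anything beyond the six default groups named at the top of this page so the test account can be removed once testing is over. The temporary file path and the well-known SID table are assumptions of this example.

```powershell
# Added example: audit holders of "Allow log on locally" (SeInteractiveLogonRight)
# on this DC and flag any principal outside the default set listed above.

# Well-known SIDs of the default holders (assumed mapping, documented by Microsoft)
$expectedSids = @(
    'S-1-5-32-548',  # Account Operators
    'S-1-5-32-544',  # Administrators
    'S-1-5-32-551',  # Backup Operators
    'S-1-5-9',       # ENTERPRISE DOMAIN CONTROLLERS
    'S-1-5-32-550',  # Print Operators
    'S-1-5-32-549'   # Server Operators
)

# secedit writes the effective policy to an .inf file; only user rights are needed
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'   # assumed scratch location
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $cfg -Force

if (-not $line) {
    Write-Warning 'SeInteractiveLogonRight was not found in the exported policy.'
    return
}

# Right-hand side is comma-separated; SIDs carry a leading '*', names appear as-is
$holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() }

foreach ($holder in $holders) {
    $sid = $holder.TrimStart('*')
    try {
        # Resolve the SID to a readable account name for the report
        $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = $holder   # already a name, or the SID could not be resolved
    }
    if ($expectedSids -contains $sid) {
        Write-Output "OK      $name ($sid)"
    } else {
        Write-Output "REVIEW  $name ($holder)  <- not a default holder; remove after testing"
    }
}
```

Any REVIEW line is a principal added by this tutorial (or by someone else); confirm it is expected, and take it back out of the GPO when the testing need has passed.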