1

I created a batch file to remove "domain\Domain Users" from the Allow Log On Locally local security policy and replace it with "domain\username". This works. This is my script:

First, remove the unwanted group:

C:\ntrights.exe -r SeInteractiveLogonRight -u "domain\domain users"

Second, add the user:

C:\ntrights.exe +r SeInteractiveLogonRight -u "domain\username"

When I test by updating the machine's policy with the command "gpupdate /force", the Allow Log On Locally setting reverts back to default policy and the "domain\Domain users" entry comes back.

I want to remove the "domain\Domain users" entry and not have it return to the default policy, even if gpupdate /force is run.

I have Windows 7.

biiboy
  • 13

2 Answers

1

The computer is subject to a domain policy that is configuring the Allow Logon Locally user right. You need to prevent the computer from receiving this policy.

To determine which policy is changing this setting, use the Group Policy Results wizard in the Group Policy management console. It will identify any GPO that is configuring this setting. Your options include:

  1. Disable the policy
  2. Edit the policy's security settings to prevent your target computer from receiving it
  3. Use a WMI filter to exclude the target PC
  4. Move the computer object to an OU not affected by the policy
  5. Create another policy that sets your desired setting and configure it to have a higher precedence than the unwanted policy
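
One way to confirm on the affected machine that a policy refresh is what re-adds the entry, as an added example that is not part of the original answer: it exports the user rights with secedit before and after gpupdate, then writes a gpresult HTML report to check for the GPO that sets the right. The function name and the temp file paths are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example: list holders of SeInteractiveLogonRight before/after a policy refresh.
function Get-InteractiveLogonRight {
    $inf = Join-Path $env:TEMP 'user_rights.inf'   # assumed scratch path
    # Export only the user rights area of the machine's effective security policy.
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return }
    foreach ($e in ($line -split '=', 2)[1].Split(',')) {
        $e = $e.Trim()
        if ($e.StartsWith('*')) {
            # secedit writes SIDs with a leading '*'; resolve them to account names.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }   # unresolvable SID: show it raw
        } else {
            $e
        }
    }
}

$before = @(Get-InteractiveLogonRight)
gpupdate /target:computer /force | Out-Null
$after  = @(Get-InteractiveLogonRight)

"Before refresh: $($before -join ', ')"
"After refresh:  $($after -join ', ')"

# Anything present only after the refresh was put back by an applied policy.
$readded = @($after | Where-Object { $before -notcontains $_ })
if ($readded.Count -gt 0) {
    "Re-added by policy refresh: $($readded -join ', ')"
    $report = Join-Path $env:TEMP 'gpresult.html'  # assumed report path
    # The report's computer settings show which GPO wins for each user right.
    gpresult /scope computer /h $report /f
    "Group Policy results written to $report"
}
```
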
0

Domain group policy will take precedence over local policy; your settings are rolled back after the Domain Group Policy is applied. You need to contact your corporate IT service team for help.

yanqian
  • 41
  • 4