Can I "allow logon locally" for ALL local accounts and some domain accounts?

Solution 1:

This is much simpler to achieve than I originally thought: all you need to do is to grant the "Allow log on locally" right to "Local account".

"Local account" is a well-known security identifier (S-1-5-113), which is similar to a group, except that membership is implicit and based on a rule: in this case, all local accounts are members.

If you also grant "Allow log on locally" to a local group that you create, you can use group policy with item-level targeting to add the domain users that should have logon access to that group.

So I suggest that you set your group policy to allow logon access to:

  • Administrators
  • Local account
  • Authorized domain users
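An added verification script (not part of the answer above) that an administrator can run on a machine after the policy applies, to confirm that SeInteractiveLogonRight, the privilege behind "Allow log on locally", really contains Administrators, the well-known "Local account" SID and the custom local group. The group name `AuthorizedDomainUsers` is a placeholder for whatever group you created; the script assumes an elevated Windows PowerShell 5.1 or later session with the LocalAccounts module available.

```powershell
# Added example, not from the original answer: check the effective "Allow log on locally"
# assignment on this computer. Assumes the custom local group is named "AuthorizedDomainUsers"
# (placeholder) and that the session is elevated.

# 1. Confirm that S-1-5-113 resolves to the "Local account" principal on this OS build.
$localAccount = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-113'
$localAccount.Translate([System.Security.Principal.NTAccount]).Value   # NT AUTHORITY\Local account

# 2. Export the current user-rights assignment with secedit and pull out SeInteractiveLogonRight.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight' }
Remove-Item $cfg -ErrorAction SilentlyContinue

# The exported line has the form:  SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-113,...
# Entries are SIDs prefixed with "*"; strip the prefix so they can be compared and resolved.
$assigned = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }

# 3. Resolve each entry to a readable name (an entry that is not a SID is shown as-is).
foreach ($entry in $assigned) {
    try {
        $name = (New-Object System.Security.Principal.SecurityIdentifier $entry).Translate(
                    [System.Security.Principal.NTAccount]).Value
    } catch { $name = $entry }
    [pscustomobject]@{ Sid = $entry; Name = $name }
}

# 4. Check the three principals recommended in the answer: Administrators (S-1-5-32-544),
#    Local account (S-1-5-113) and the custom group that item-level targeting populates.
$customGroupSid = (Get-LocalGroup -Name 'AuthorizedDomainUsers').SID.Value
$expected = @('S-1-5-32-544', 'S-1-5-113', $customGroupSid)
$missing  = $expected | Where-Object { $assigned -notcontains $_ }

if ($missing) {
    Write-Warning "Not assigned SeInteractiveLogonRight: $($missing -join ', ')"
} else {
    'SeInteractiveLogonRight covers Administrators, Local account and AuthorizedDomainUsers.'
}

# 5. Show who item-level targeting has actually placed in the custom group on this machine.
Get-LocalGroupMember -Group 'AuthorizedDomainUsers' | Select-Object Name, PrincipalSource
```

Running this on a few representative machines after a `gpupdate /force` is the quickest way to catch a policy that was linked to the wrong OU or whose item-level targeting filter did not match, because the exported INF reflects what the Local Security Authority is actually enforcing rather than what the GPO editor displays.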

Solution 2:

Those local accounts need to be able to log in, and they are not necessarily in any special, local group.

All local user accounts will always be in at least one of these two local groups:

  1. Administrators

  2. Users

So adding those two groups to the "Allow Log On Locally" user right will suffice to ensure that all local user accounts can log on locally.
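An added inventory script (not part of the answer above) that lists every enabled local user account together with the local groups from this answer that it belongs to, so that any account covered by neither Administrators nor Users is visible before the user right is relied on. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module; only direct group membership is examined.

```powershell
# Added example, not from the original answer: for each enabled local user, report whether
# it is a direct member of Administrators and/or Users. Assumes the LocalAccounts module
# (Get-LocalUser / Get-LocalGroupMember) is available, i.e. Windows PowerShell 5.1 or later.

$groups = 'Administrators', 'Users'

# Build a SID list per group once, so each user is compared by SID rather than by display name.
$membership = @{}
foreach ($g in $groups) {
    $membership[$g] = @(Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
                        ForEach-Object { $_.SID.Value })
}

$report = Get-LocalUser | Where-Object Enabled | ForEach-Object {
    $sid = $_.SID.Value
    $in  = @($groups | Where-Object { $membership[$_] -contains $sid })
    [pscustomobject]@{
        Account = $_.Name
        Groups  = ($in -join ', ')
        Covered = ($in.Count -gt 0)   # true when "Allow log on locally" via these two groups applies
    }
}

$report | Format-Table -AutoSize

# Accounts that would not receive the right through Administrators or Users alone.
$uncovered = $report | Where-Object { -not $_.Covered }
if ($uncovered) {
    Write-Warning ("Enabled local accounts outside both groups: " + ($uncovered.Account -join ', '))
}
```

The `Covered` column is the value to review: an enabled account with a blank `Groups` field would need the right granted by some other means (for example the "Local account" SID S-1-5-113 from Solution 1, or an explicit entry) before it could log on interactively.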