Set and Check User Rights Assignment via Powershell

You can add, remove, and check user rights assignments (remotely or locally) with the following PowerShell scripts.

Posted by : blakedrumm on Jan 5, 2022


This post was last updated on August 29th, 2022

I stumbled across this gem ( weloytty/Grant-LogonAsService.ps1 ) that allows you to grant the Logon as a Service right for a user. I modified the script so you can now run the PowerShell script against multiple machines, users, and user rights.

Set User Rights


All of the User Rights that can be set:

Note: You may edit line 437 in the script to change what happens when the script is run without any arguments or parameters; this also controls what happens when the script is run from the PowerShell ISE.

Here are a few examples:

Add Users

Single Users

Example 1: Add User Right “Allow log on locally” for the current user:

    .\Set-UserRights.ps1 -AddRight -UserRight SeInteractiveLogonRight

Example 2: Add User Right “Log on as a service” for CONTOSO\User:

    .\Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeServiceLogonRight

Example 3: Add User Right “Log on as a batch job” for CONTOSO\User:

    .\Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeBatchLogonRight

Example 4: Add User Right “Log on as a batch job” for user SID S-1-5-11:

    .\Set-UserRights.ps1 -AddRight -Username S-1-5-11 -UserRight SeBatchLogonRight

Add Multiple Users / Rights / Computers

Example 5: Add User Rights “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2, and run on the local machine and SQL.contoso.com:

    .\Set-UserRights.ps1 -AddRight -UserRight SeServiceLogonRight, SeBatchLogonRight -ComputerName $env:COMPUTERNAME, SQL.contoso.com -UserName CONTOSO\User1, CONTOSO\User2

Remove Users

Single Users

Example 1: Remove User Right “Allow log on locally” for the current user:

    .\Set-UserRights.ps1 -RemoveRight -UserRight SeInteractiveLogonRight

Example 2: Remove User Right “Log on as a service” for CONTOSO\User:

    .\Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeServiceLogonRight

Example 3: Remove User Right “Log on as a batch job” for CONTOSO\User:

    .\Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeBatchLogonRight

Example 4: Remove User Right “Log on as a batch job” for user SID S-1-5-11:

    .\Set-UserRights.ps1 -RemoveRight -Username S-1-5-11 -UserRight SeBatchLogonRight

Remove Multiple Users / Rights / Computers

Example 5: Remove User Rights “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2, and run on the local machine and SQL.contoso.com:

    .\Set-UserRights.ps1 -RemoveRight -UserRight SeServiceLogonRight, SeBatchLogonRight -ComputerName $env:COMPUTERNAME, SQL.contoso.com -UserName CONTOSO\User1, CONTOSO\User2

Check User Rights

To check the local user rights, run the Get-UserRights script referenced above: copy and paste it into your PowerShell ISE and press play.


Note: You may edit line 467 in the script to change what happens when the script is run without any arguments or parameters; this also controls what happens when the script is run from the PowerShell ISE.

Get Local User Account Rights and output to text in console:

Get Remote SQL Server User Account Rights:

Get Local Machine and SQL Server User Account Rights:

Output Local User Rights on Local Machine as CSV in ‘C:\Temp’:

Output to Text in ‘C:\Temp’:

PassThru object to allow manipulation / filtering:
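Neither Set-UserRights.ps1 nor the Get-UserRights script is reproduced on this page. As an added example that is not the author's code, the following PowerShell shows the mechanism scripts like these rely on, for both the Set User Rights examples above and the Check User Rights section: secedit exports the [Privilege Rights] section of the local security policy (the same Se* constant names used in the examples), and secedit /configure writes a merged list back. The function names, the C:\Temp path and the approved-list values in the usage lines are assumptions; run it from an elevated PowerShell session on Windows.

```powershell
# Added example, not the blog author's Set-UserRights.ps1 / Get-UserRights script.
# Reads and modifies User Rights Assignments through secedit.exe, the same
# mechanism the Local Security Policy snap-in uses. Requires an elevated session.

function ConvertFrom-PrivilegeRights {
    # Parse the [Privilege Rights] section of a secedit .inf export. Each line looks like
    #   SeServiceLogonRight = *S-1-5-80-123...,*S-1-5-21-...-1001
    # Entries keep the raw '*SID' form (needed to write the policy back); Principals holds
    # the resolved account names, or the bare SID when it cannot be translated.
    param([string[]]$InfLines)
    $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
        $right   = $Matches[1]
        $entries = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $names   = foreach ($e in $entries) {
            if (-not $e.StartsWith('*')) { $e; continue }        # secedit may also emit plain names
            try   { ([System.Security.Principal.SecurityIdentifier]$e.Substring(1)).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $e.Substring(1) }                             # e.g. SID of a deleted account
        }
        [pscustomobject]@{ UserRight = $right; Principals = @($names); Entries = $entries }
    }
}

function Export-PrivilegeRightsInf {
    # Export only the USER_RIGHTS area; secedit writes the .inf as UTF-16.
    $inf = Join-Path $env:TEMP ("userrights-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try     { Get-Content -Path $inf -Encoding Unicode }
    finally { Remove-Item -Path $inf -ErrorAction SilentlyContinue }
}

function Get-UserRightsAssignment {
    # Local or remote (via WinRM) listing of every assigned user right. SIDs are translated
    # on the calling machine, so local accounts of a remote computer stay as raw SIDs while
    # domain accounts resolve normally.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $lines = if ($ComputerName -eq $env:COMPUTERNAME) { Export-PrivilegeRightsInf }
             else { Invoke-Command -ComputerName $ComputerName -ScriptBlock ${function:Export-PrivilegeRightsInf} }
    ConvertFrom-PrivilegeRights -InfLines $lines |
        Select-Object @{ n = 'ComputerName'; e = { $ComputerName } }, UserRight, Principals, Entries
}

function Get-UnexpectedRightHolders {
    # Report principals holding a right that are not on an approved list, e.g. who can
    # "Allow log on locally" beyond the intended groups.
    param([Parameter(Mandatory)][string]$UserRight, [string[]]$Approved,
          [object[]]$Assignments = (Get-UserRightsAssignment))
    ($Assignments | Where-Object UserRight -eq $UserRight).Principals | Where-Object { $_ -notin $Approved }
}

function Add-UserRightsAssignment {
    # Grant one right to one principal on the local machine while preserving existing holders:
    # secedit /configure replaces the whole list for a right, so the current entries are
    # re-exported, merged with the new SID, and written back as a minimal policy template.
    param(
        [Parameter(Mandatory)][string]$UserRight,   # e.g. SeServiceLogonRight
        [Parameter(Mandatory)][string]$Username     # DOMAIN\user, a local account, or an SID string
    )
    $sid = if ($Username -match '^S-1-\d') { $Username }
           else { ([System.Security.Principal.NTAccount]$Username).Translate([System.Security.Principal.SecurityIdentifier]).Value }
    $current = (ConvertFrom-PrivilegeRights -InfLines (Export-PrivilegeRightsInf) |
                Where-Object UserRight -eq $UserRight).Entries
    $merged  = @($current) + "*$sid" | Where-Object { $_ } | Select-Object -Unique
    $inf = Join-Path $env:TEMP 'userrights-apply.inf'
    $db  = Join-Path $env:TEMP 'userrights-apply.sdb'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$UserRight = $($merged -join ',')
"@ | Set-Content -Path $inf -Encoding Unicode
    try     { & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null }
    finally { Remove-Item -Path $inf, $db -ErrorAction SilentlyContinue }
}

# Usage (constructed examples; run elevated):
# Get-UserRightsAssignment | Where-Object UserRight -in 'SeServiceLogonRight', 'SeBatchLogonRight'
# Get-UserRightsAssignment -ComputerName SQL.contoso.com |
#     Select-Object ComputerName, UserRight, @{ n = 'Principals'; e = { $_.Principals -join ';' } } |
#     Export-Csv -Path C:\Temp\UserRights.csv -NoTypeInformation
# Get-UnexpectedRightHolders -UserRight SeInteractiveLogonRight -Approved 'BUILTIN\Administrators', 'BUILTIN\Users'
# Add-UserRightsAssignment -UserRight SeServiceLogonRight -Username 'CONTOSO\User1'
```

The merge step matters: a template that lists only the new SID would silently strip every existing holder of that right, which is how service accounts lose "Log on as a service" after a well-meant change. Get-UnexpectedRightHolders is the check to run after the policy is applied, since rights granted directly on member servers can differ from what the domain GPO intends.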


I like to collaborate and work on projects. My skills with Powershell allow me to quickly develop automated solutions to suit my customers, and my own needs.

Email : [email protected]

Website : https://blakedrumm.com

My name is Blake Drumm, I am working on the System Center Enterprise Management Team with Microsoft. Currently working to update public documentation for System Center products and write troubleshooting guides to assist with fixing issues that may arise while using the products. I like to blog on Operations Manager products mostly, keep checking back for new posts. My goal is to post at least once a month if possible.

  • operationsManager
  • troubleshooting
  • certificates


User Rights Assignments

Although in this section they are called user rights, these authority assignments are more commonly called privileges.

Privileges are computer-level actions that you can assign to users or groups. For the sake of maintainability you should only assign privileges to groups, not to individual users. Each computer has its own user rights assignments. In particular, this means you should be cognizant of rights assignments on member servers, which may easily differ from the rights assignments you find on your domain controllers. To centrally control user rights assignments on computers throughout your domain, use Group Policy.

  • Logon rights
  • Admin equivalent rights
  • Tracking user rights with the security log
  • User rights in-depth
  • Access this computer from the network
  • Act as part of the operating system
  • Add workstations to domain
  • Adjust memory quotas for a process
  • Allow log on locally
  • Allow logon through Terminal Services
  • Back up files and directories
  • Bypass traverse checking
  • Change the system time
  • Create a pagefile
  • Create a token object
  • Create global objects
  • Create permanent shared objects
  • Debug programs
  • Deny access to this computer from the network
  • Deny logon as a batch job
  • Deny logon as a service
  • Deny logon locally
  • Deny logon through Terminal Services
  • Enable computer and user accounts to be trusted for delegation
  • Force shutdown from a remote system
  • Generate security audits
  • Impersonate a client after authentication
  • Increase scheduling priority
  • Load and unload device drivers
  • Lock pages in memory
  • Log on as a batch job
  • Log on as a service
  • Manage auditing and security log
  • Modify firmware environment values
  • Perform volume maintenance tasks
  • Profile single process
  • Profile system performance
  • Remove computer from docking station
  • Replace a process level token
  • Restore files and directories
  • Shut down the system
  • Synchronize directory service data
  • Take ownership of files and other objects

Child articles:

  • Logon Rights
  • Admin Equivalent Rights
  • Tracking User Rights with the Security Log
  • User Rights In-Depth


All about Microsoft Intune

Peter blogs about Microsoft Intune, Microsoft Intune Suite, Windows Autopilot, Configuration Manager and more


Restricting the local log on to specific users

This week is about restricting the local logon on Windows devices to specific users. Not because it is something particularly new, but simply because it has been an ask every now and then. Think about further locking down a kiosk device, for example. Restricting the local logon can be achieved by either only allowing specific users to log on, or by denying specific users to log on. In other words, whitelisting versus blacklisting: the allow-option is basically a whitelist and the deny-option is basically a blacklist. When restricting the local logon, a whitelist is the easiest method to get really restrictive quickly, as only the users on the list are allowed to log on locally. Luckily, nowadays there is an easy method for configuring such a whitelist of users that are allowed to log on locally on a Windows device. This post provides some more details around that configuration, followed by the configuration steps, and ends by showing the user experience.

Note : Keep in mind that this post is focused on the local log on on Windows devices and not the remote log on.

Configuring the allow local log on setting

When looking at configuring the allow local log on setting, the UserRights section in the Policy CSP is the place to look. That section contains many of the policy settings of the User Rights Assignment local policies, including the Allow log on locally ( AllowLocalLogOn ) policy setting, which configures the users that are allowed to log on locally to the Windows device. Besides that, it’s good to mention that with the latest Windows 11 Insider Preview Builds, this section of the Policy CSP is getting more and more policy settings. Nearly all of the User Rights Assignment local policies are now available for configuration, including Log on as a service , Log on as a batch job , and many more. Maybe even better, all of these policy settings, including the new ones that are currently still in preview, are now configurable via the Settings Catalog profile (as shown below in Figure 1).


Once you are familiar with the available policy settings and the configuration profile, configuring those policy settings is straightforward. The following eight steps walk through the creation of a Settings Catalog profile that contains the required setting to configure the local logon, by using the Allow log on locally policy setting.

  1. Open the Microsoft Intune admin center portal and navigate to Devices > Windows > Configuration profiles
  2. On the Windows | Configuration profiles blade, click Create profile
  3. On the Create a profile blade, provide the following information and click Create
     • Platform : Select Windows 10 and later to create a profile for Windows 10 and Windows 11 devices
     • Profile : Select Settings catalog to select the required setting from the catalog
  4. On the Basics page, provide the following information and click Next
     • Name : Provide a name for the profile to distinguish it from other similar profiles
     • Description : (Optional) Provide a description for the profile to further differentiate profiles
     • Platform : (Greyed out) Windows 10 and later
  5. On the Configuration settings page, as shown below in Figure 2, perform the following actions
     • Select User Rights as category
     • Select Allow Local Log On as setting
     • Specify the required users and local groups, all on separate lines, and click Next
  6. On the Scope tags page, configure the required scope tags and click Next
  7. On the Assignments page, configure the assignment and click Next
  8. On the Review + create page, verify the configuration and click Create

Note : As these settings are now configurable via the Settings Catalog , that also takes away the challenges with multiple entries. No need to manually specify a delimiter, as Microsoft Intune takes care of that.

Experiencing the user rights configuration

After configuring the users that are allowed to log on locally to the Windows device, it’s straightforward to experience the behavior. Simply try to log on to that device with a user account that is not allowed to log on locally. That provides the experience shown below in Figure 3: the user receives the notification that the sign-in method is not allowed. Besides that, it’s also important to be familiar with the side effects of this configuration. The most important side effect is the impact on the self-service capabilities, like self-service PIN reset and self-service password reset. That’s simply because those capabilities rely on the temporary account defaultuser1 , and that account won’t be able to log in, as only the specified users are allowed to log on locally to the Windows device. That experience is shown below in Figure 4. The user will either receive the status message 0xc000015b , or will simply be switched back to the logon screen.


Note : The failed log on information is registered in the Security log in the Event Viewer with Event ID 4625 .
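The two facts in the paragraphs above (status 0xc000015b and Security event 4625) are enough to build a check for logons that the Allow log on locally policy rejected, which is useful both for confirming the policy works and for catching the self-service side effect described above. The following PowerShell is an added example, not part of the blog post; the function names are my own, and the sample event is constructed from the 4625 schema so the parser can be exercised offline.

```powershell
# Added example, not from the blog post. When the "Allow log on locally" policy rejects an
# account, the Security log records event 4625 with Status 0xC000015B ("the user has not
# been granted the requested logon type at this machine") and LogonType 2 (interactive).
# The functions below extract those fields so the denials can be reviewed or alerted on.

$LogonTypeNotGranted = '0xC000015B'

function ConvertFrom-LogonFailureEvent {
    # Flatten the EventData of a 4625 event (as XML) into one object.
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated = $EventXml.Event.System.TimeCreated.SystemTime
        Computer    = $EventXml.Event.System.Computer
        TargetUser  = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType   = [int]$data['LogonType']
        Status      = $data['Status']
        SubStatus   = $data['SubStatus']
        # -eq on strings is case-insensitive in PowerShell, so 0xc000015b matches as well.
        DeniedByUserRights = ($data['Status'] -eq $LogonTypeNotGranted) -or ($data['SubStatus'] -eq $LogonTypeNotGranted)
    }
}

function Get-UserRightsLogonDenials {
    # Query the live Security log (local or remote) and keep only user-rights denials.
    # Reading the Security log requires an elevated session.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 1000)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-LogonFailureEvent -EventXml ([xml]$_.ToXml()) } |
        Where-Object DeniedByUserRights
}

# Constructed sample event (field names follow the 4625 schema) for an offline run:
$SampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2023-09-20T08:15:02.000000000Z" />
    <Computer>KIOSK01.contoso.com</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">AzureAD</Data>
    <Data Name="Status">0xc000015b</Data>
    <Data Name="FailureReason">%%2308</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="WorkstationName">KIOSK01</Data>
  </EventData>
</Event>
'@
ConvertFrom-LogonFailureEvent -EventXml ([xml]$SampleEventXml) | Format-List
# On a live machine:
# Get-UserRightsLogonDenials | Group-Object TargetUser | Sort-Object Count -Descending
```

Grouping the denials by TargetUser makes the defaultuser1 side effect visible at a glance: a run of 0xC000015B failures for that account after the policy rolls out means self-service PIN or password reset is broken on that device, not that someone is probing it.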

More information

For more information about the user rights configuration options, refer to the following docs.

  • UserRights Policy CSP – Windows Client Management | Microsoft Learn
  • Self-service password reset for Windows devices – Microsoft Entra | Microsoft Learn

23 thoughts on “Restricting the local log on to specific users”

I’d like to contribute to this.

This method does not inherently allow you to specify an EntraID group of users that you wish to deny local logon (at least it didn’t use to); however, I’ve found that if you use “account protection” policies to populate the local group “Guests” with users from an EntraID group, you can use the above stated policy to in effect achieve deny local logon for an EntraID group of users (via denying the local group “guests” as stated in your blog).

I use this in production, works well

Thank you for that suggestion, Temilit. Regards, Peter

I have not been able to replicate this. I followed inthecloud247’s blog post on this, but the only SID I was able to add to the Guests local group was the SID of an AAD directory role, and not one of an AAD security group.

Which version of Windows are you using? Regards, Peter


Can you use an AAD group here?

Not at this moment, Henrik. Regards, Peter

Is there currently a way to restrict interactive log in but allow elevation log in prompts? I would like to prevent Intune Admins from logging in locally but still allow elevation for installs/CMD.

Not sure you can achieve that with this policy, but I haven’t looked really deep in that use case yet. Regards, Peter


Is there a way to specify an EntraID security group with this settings?

Hi Yoni, The last time I tried that was not possible yet. Regards, Peter

Is there a way sign in KioskUser0 automatically using User Rights?

Hi Mo, Can you provide some more details about what you’re trying to achieve? Regards, Peter

We have deployed a Self-Deploy AutoPilot profile plus a Kiosk Configuration Profile for a single app and then assigned them to a dynamic device group. The Self-Deploy AutoPilot process completes without any issues and the Kiosk policy is applied to the device. However, KioskUser0 should log on automatically after the Self-Deploy AutoPilot process completes, but it’s not auto logging.

Any thought why KioskUser0 not auto logging automatically?

Hi Mo, That can be many things, but something I often see is the device lock configuration that is interfering. Regards, Peter

Hello Peter,

We have Azure AD Joined devices in our environment which are migrated from a source tenant to a target tenant as part of a carve-out project. Recently we observed that, post autopilot build completion, when users tried to sign in to the device they were prompted with the error Sign in method not allowed. However, if we tried to log in to the device with local admins then it allows.

Standard users are not allowed to log in. We do have an AllowLocallyLogIn baseline policy deployed by the security team, but it contains both the Administrators and Users groups. On Azure AD joined devices, does this policy really get validated when users try to sign in with a UPN?

This issue is not for all users, but 10% of users are facing it; as a workaround, when we reimported the hash of their device again and reimaged the device, then sign in was allowed (a bit strange).

Do you have any idea on this then please give some direction.

Hi Suraj, How did you migrate the devices from source tenant to the target tenant? Regards, Peter

I am seeing something similar for new devices. Again, not all, only a subset. Quite often, the user can happily use the device for a period (a few days), then this occurs. Logging onto the device locally, I am seeing the Allow Logon Locally being blank. Very odd. This is using Windows 11 23H2.

Hi Shaun, When that happens, do you see anything about (other) policies being applied and/or change? Regards, Peter

I tried to do the restriction as in your procedure, but I got the error 65000 in intune. Since then, it has been impossible to connect with ALL the accounts on the computer. Do you have a solution to go back?

Hi Simon, In that case, you should apply a counter policy with the default configuration. Regards, Peter


How do I set a local user a user rights assignment on an active directory GPO?

We have a process where I work, where any changes to active directory GPOs are performed on test servers, backed up and then the backups applied to the live AD.

I'm in the process of amending a GPO where I want to specifically add in a user rights assignment for a user account that'll exist locally on the member servers that the GPO will apply to.

I've tried adding the word BUILTIN to the front of that user, I've tried using migtables, I've tried creating the user on the domain (but that ends up as trying to apply the user rights to the domain user of that name if he exists..).

Not sure what to do, Googling comes up with a lot of results that don't tend to lead anywhere for this scenario (local, user, group, policy all very common terms together).

Any suggested way of doing this?

  • windows-server-2003
  • active-directory
  • group-policy


  • 1 You would do this by just typing the name into the first popup of the add to user right assignment. Builtin only works for the accounts and groups shipped with Windows. –  Bernie White Nov 6, 2012 at 19:27

2 Answers

Perhaps, you can try the following:

  • Create a separate group for the user locally.
  • Create GPO and configure Restricted Groups in GPO to apply only to the local group created in step 1.

Description of Group Policy Restricted Groups

This is mentioned in the article if you follow the link:

Restricted Groups is a client configuration means and cannot be used with Domain Groups. Restricted Groups is designed specifically to work with Local Groups.


If you will be using the same local account name on each of the member servers, you can enter it like this in the GPO:

The .\ notation simply refers to the local computer when the setting in the GPO is applied. It is similar to entering domainName\accountName.

If you will be using a different account name on each of the member servers, then the solution will not be elegant. This approach would require you to either create a unique GPO for each member server's user rights assignments, or enter everything in one ugly (and less secure) GPO like this:

The best thing that you can do to begin with is to create domain service accounts instead of local accounts.

Hope this helps.


  • 1 Domain controller came up with a message of "The following Accounts could not be validated" when I tried to add .\localUserName to the user rights assignments, ended up using the solution below. Thanks for the help. –  daed Nov 12, 2012 at 11:14


Local Accounts

  • 22 contributors
  • Applies to: ✅ Windows 11 , ✅ Windows 10 , ✅ Windows Server 2022 , ✅ Windows Server 2019 , ✅ Windows Server 2016

This article describes the default local user accounts for Windows operating systems, and how to manage the built-in accounts.

About local user accounts

Local user accounts are defined locally on a device, and can be assigned rights and permissions on the device only. Local user accounts are security principals that are used to secure and manage access to the resources on a device, for services or users.

Default local user accounts

The default local user accounts are built-in accounts that are created automatically when the operating system is installed. The default local user accounts can't be removed or deleted and don't provide access to network resources.

Default local user accounts are used to manage access to the local device's resources based on the rights and permissions that are assigned to the account. The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in the Local Users and Groups folder in the local Computer Management Microsoft Management Console (MMC). Computer Management is a collection of administrative tools that you can use to manage a local or remote device.

Default local user accounts are described in the following sections. Expand each section for more information.

Administrator

The default local Administrator account is a user account for system administration. Every computer has an Administrator account (SID S-1-5-<domain>-500, display name Administrator). The Administrator account is the first account that is created during the Windows installation.

The Administrator account has full control of the files, directories, services, and other resources on the local device. The Administrator account can create other local users, assign user rights, and assign permissions. The Administrator account can take control of local resources at any time by changing the user rights and permissions.

The default Administrator account can't be deleted or locked out, but it can be renamed or disabled.

Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group.

Members of the Administrators group can run apps with elevated permissions without using the Run as Administrator option. Fast User Switching is more secure than using runas or different-user elevation.

Account group membership

By default, the Administrator account is a member of the Administrators group. It's a best practice to limit the number of users in the Administrators group because members of the Administrators group have Full Control permissions on the device.

The Administrator account can't be removed from the Administrators group.

Security considerations

Because the Administrator account is known to exist on many versions of the Windows operating system, it's a best practice to disable the Administrator account when possible to make it more difficult for malicious users to gain access to the server or client computer.

You can rename the Administrator account. However, a renamed Administrator account continues to use the same automatically assigned security identifier (SID), which can be discovered by malicious users. For more information about how to rename or disable a user account, see Disable or activate a local user account and Rename a local user account .

As a security best practice, use your local (non-Administrator) account to sign in and then use Run as administrator to accomplish tasks that require a higher level of rights than a standard user account. Don't use the Administrator account to sign in to your computer unless it's entirely necessary. For more information, see Run a program with administrative credentials .

Group Policy can be used to control the use of the local Administrators group automatically. For more information about Group Policy, see Group Policy Overview .

  • Blank passwords are not allowed
  • Even when the Administrator account is disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it's disabled.

Guest

The Guest account lets occasional or one-time users, who don't have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account is disabled and has a blank password. Since the Guest account can provide anonymous access, it's considered a security risk. For this reason, it's a best practice to leave the Guest account disabled, unless its use is necessary.

Guest account group membership

By default, the Guest account is the only member of the default Guests group SID S-1-5-32-546 , which lets a user sign in to a device.

Guest account security considerations

When enabling the Guest account, only grant limited rights and permissions. For security reasons, the Guest account shouldn't be used over the network and made accessible to other computers.

In addition, the guest user in the Guest account shouldn't be able to view the event logs. After the Guest account is enabled, it's a best practice to monitor the Guest account frequently to ensure that other users can't use services and other resources. This includes resources that were unintentionally left available by a previous user.

HelpAssistant

The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending.

HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it's initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the user's invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service.

HelpAssistant account security considerations

The SIDs that pertain to the default HelpAssistant account include:

  • SID: S-1-5-<domain>-13 , display name Terminal Server User . This group includes all users who sign in to a server with Remote Desktop Services enabled.
  • SID: S-1-5-<domain>-14 , display name Remote Interactive Logon . This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.

For the Windows Server operating system, Remote Assistance is an optional component that isn't installed by default. You must install Remote Assistance before it can be used.

For details about the HelpAssistant account attributes, see the following table.

HelpAssistant account attributes

DefaultAccount

The DefaultAccount account, also known as the Default System Managed Account (DSMA), is a well-known user account type. DefaultAccount can be used to run processes that are either multi-user aware or user-agnostic.

The DSMA is disabled by default on the desktop editions and on the Server operating systems with the desktop experience.

The DSMA has a well-known RID of 503 . The security identifier (SID) of the DSMA will thus have a well-known SID in the following format: S-1-5-21-<ComputerIdentifier>-503 .

The DSMA is a member of the well-known group System Managed Accounts Group , which has a well-known SID of S-1-5-32-581 .

The DSMA alias can be granted access to resources during offline staging even before the account itself is created. The account and the group are created during first boot of the machine within the Security Accounts Manager (SAM).

How Windows uses the DefaultAccount

From a permission perspective, the DefaultAccount is a standard user account. The DefaultAccount is needed to run multi-user-manifested-apps (MUMA apps). MUMA apps run all the time and react to users signing in and signing out of the devices. Unlike Windows Desktop where apps run in context of the user and get terminated when the user signs off, MUMA apps run by using the DSMA.

MUMA apps are functional in shared session SKUs such as Xbox. For example, Xbox shell is a MUMA app. Today, Xbox automatically signs in as Guest account and all apps run in this context. All the apps are multi-user-aware and respond to events fired by user manager. The apps run as the Guest account.

Similarly, Phone auto logs in as a DefApps account, which is akin to the standard user account in Windows but with a few extra privileges. Brokers, some services and apps run as this account.

In the converged user model, the multi-user-aware apps and multi-user-aware brokers will need to run in a context different from that of the users. For this purpose, the system creates DSMA.

How the DefaultAccount is created on domain controllers

If the domain was created with domain controllers running Windows Server 2016, the DefaultAccount exists on all domain controllers in the domain. If the domain was created with domain controllers running an earlier version of Windows Server, the DefaultAccount is created after the PDC Emulator role is transferred to a domain controller that runs Windows Server 2016. The DefaultAccount is then replicated to all other domain controllers in the domain.

Recommendations for managing the Default Account (DSMA)

Microsoft doesn't recommend changing the default configuration, where the account is disabled. There's no security risk with having the account in the disabled state. Changing the default configuration could hinder future scenarios that rely on this account.

Default local system accounts

The SYSTEM account is used by the operating system and by services running under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The SYSTEM account was designed for that purpose, and Windows manages the SYSTEM account's user rights. It's an internal account that doesn't show up in User Manager, and it can't be added to any groups.

On the other hand, the SYSTEM account does appear on an NTFS file system volume in File Manager in the Permissions portion of the Security menu. By default, the SYSTEM account is granted Full Control permissions to all files on an NTFS volume. Here the SYSTEM account has the same functional rights and permissions as the Administrator account.

Granting file permissions to the Administrators group does not implicitly grant them to the SYSTEM account. The SYSTEM account's permissions can be removed from a file, but we do not recommend removing them.

NETWORK SERVICE

The NETWORK SERVICE account is a predefined local account used by the service control manager (SCM). A service that runs in the context of the NETWORK SERVICE account presents the computer's credentials to remote servers. For more information, see NetworkService Account .

LOCAL SERVICE

The LOCAL SERVICE account is a predefined local account used by the service control manager. It has minimum privileges on the local computer and presents anonymous credentials on the network. For more information, see LocalService Account .

How to manage local user accounts

The default local user accounts, and the local user accounts you create, are located in the Users folder. The Users folder is located in Local Users and Groups. For more information about creating and managing local user accounts, see Manage Local Users .

You can use Local Users and Groups to assign rights and permissions on only the local server to limit the ability of local users and groups to perform certain actions. A right authorizes a user to perform certain actions on a server, such as backing up files and folders or shutting down a server. An access permission is a rule that is associated with an object, usually a file, folder, or printer. It regulates which users can have access to an object on the server and in what manner.

You can't use Local Users and Groups on a domain controller. However, you can use Local Users and Groups on a domain controller to target remote computers that aren't domain controllers on the network.

You use Active Directory Users and Computers to manage users and groups in Active Directory.

You can also manage local users by using NET.EXE USER and manage local groups by using NET.EXE LOCALGROUP, or by using various PowerShell cmdlets and other scripting technologies.

Restrict and protect local accounts with administrative rights

An administrator can use many approaches to prevent stolen credentials, such as a stolen password or password hash for a local account on one computer, from being used to authenticate on another computer with administrative rights. This is also called lateral movement.

The simplest approach is to sign in to your computer with a standard user account, instead of using the Administrator account for tasks. For example, use a standard account to browse the Internet, send email, or use a word processor. When you want to perform administrative tasks such as installing a new program or changing a setting that affects other users, you don't have to switch to an Administrator account. You can use User Account Control (UAC) to prompt you for permission or an administrator password before performing the task, as described in the next section.

The other approaches that can be used to restrict and protect user accounts with administrative rights include:

  • Enforce local account restrictions for remote access
  • Deny network logon to all local administrator accounts
  • Create unique passwords for local accounts with administrative rights

Each of these approaches is described in the following sections.

These approaches do not apply if all administrative local accounts are disabled.

User Account Control (UAC) is a security feature that informs you when a program makes a change that requires administrative permissions. UAC works by adjusting the permission level of your user account. By default, UAC is set to notify you when applications try to make changes to your computer, but you can change when UAC notifies you.

UAC makes it possible for an account with administrative rights to be treated as a standard user nonadministrator account until full rights, also called elevation, are requested and approved. For example, UAC lets an administrator enter credentials during a nonadministrator's user session to perform occasional administrative tasks without having to switch users, sign out, or use the Run as command.

In addition, UAC can require administrators to specifically approve applications that make system-wide changes before those applications are granted permission to run, even in the administrator's user session.

For example, a default feature of UAC is shown when a local account signs in from a remote computer by using Network logon (for example, by using NET.EXE USE). In this instance, it's issued a standard user token with no administrative rights, but without the ability to request or receive elevation. Consequently, local accounts that sign in by using Network logon can't access administrative shares such as C$, or ADMIN$, or perform any remote administration.

For more information about UAC, see User Account Control .

The following table shows the Group Policy and registry settings that are used to enforce local account restrictions for remote access.

You can also enforce the default for LocalAccountTokenFilterPolicy by using the custom ADMX in Security Templates.

To enforce local account restrictions for remote access

  • Start the Group Policy Management Console (GPMC)
  • In the console tree, expand < Forest >\Domains\< Domain >, and then Group Policy Objects, where forest is the name of the forest, and domain is the name of the domain where you want to set the Group Policy Object (GPO)
  • In the console tree, right-click Group Policy Objects > New
  • In the New GPO dialog box, type < gpo_name >, and > OK, where gpo_name is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer
  • In the details pane, right-click < gpo_name >, and > Edit
  • Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by following these steps:
      • Navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\, and > Security Options
      • Double-click User Account Control: Run all administrators in Admin Approval Mode > Enabled > OK
      • Double-click User Account Control: Admin Approval Mode for the Built-in Administrator account > Enabled > OK
  • Ensure that the local account restrictions are applied to network interfaces by following these steps:
      • Navigate to Computer Configuration\Preferences and Windows Settings, and > Registry
      • Right-click Registry, and > New > Registry Item
      • In the New Registry Properties dialog box, on the General tab, change the setting in the Action box to Replace
      • Ensure that the Hive box is set to HKEY_LOCAL_MACHINE
      • Select ( … ), browse to the following location for Key Path > Select for: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
      • In the Value name area, type LocalAccountTokenFilterPolicy
      • In the Value type box, from the drop-down list, select REG_DWORD to change the value
      • In the Value data box, ensure that the value is set to 0
      • Verify this configuration, and > OK
  • Link the GPO to the first Workstations organizational unit (OU) by doing the following:
      • Navigate to the < Forest >\Domains\< Domain >\< OU > path
      • Right-click the Workstations OU > Link an existing GPO
      • Select the GPO that you created, and > OK
  • Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy
  • Create links to all other OUs that contain workstations
  • Create links to all other OUs that contain servers
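Once the GPO has applied, an administrator will want to confirm that the three settings from the procedure above actually landed on the target machines. The following PowerShell is an added example, not part of the Microsoft article; it reads the registry values behind the two UAC policies and LocalAccountTokenFilterPolicy and reports whether remote token filtering is in effect (an absent LocalAccountTokenFilterPolicy value behaves like 0). It assumes PowerShell remoting is available for any remote name you pass.

```powershell
function Test-RemoteUacRestriction {
    [CmdletBinding()]
    param(
        # Hosts to audit; local host is read directly, others through Invoke-Command
        [string[]]$ComputerName = $env:COMPUTERNAME
    )

    $audit = {
        $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        $values = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

        # Registry value names behind the policies in the procedure:
        #   EnableLUA                     -> "Run all administrators in Admin Approval Mode"
        #   FilterAdministratorToken      -> "Admin Approval Mode for the Built-in Administrator account"
        #   LocalAccountTokenFilterPolicy -> 0 or absent = remote local-account logons get a filtered token
        $enableLua   = $values.EnableLUA
        $filterAdmin = $values.FilterAdministratorToken
        $tokenFilter = $values.LocalAccountTokenFilterPolicy

        [pscustomobject]@{
            ComputerName                  = $env:COMPUTERNAME
            EnableLUA                     = $enableLua
            FilterAdministratorToken      = $filterAdmin
            LocalAccountTokenFilterPolicy = $tokenFilter
            AdminApprovalMode             = ($enableLua -eq 1)
            BuiltinAdminFiltered          = ($filterAdmin -eq 1)
            RemoteTokenFiltered           = ($null -eq $tokenFilter -or $tokenFilter -eq 0)
        }
    }

    foreach ($computer in $ComputerName) {
        if ($computer -in $env:COMPUTERNAME, 'localhost', '.') {
            & $audit
        }
        else {
            Invoke-Command -ComputerName $computer -ScriptBlock $audit
        }
    }
}

# List only the hosts where the restriction is not fully enforced
Test-RemoteUacRestriction -ComputerName $env:COMPUTERNAME |
    Where-Object { -not ($_.RemoteTokenFiltered -and $_.AdminApprovalMode -and $_.BuiltinAdminFiltered) } |
    Format-Table -AutoSize
```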

Denying local accounts the ability to perform network logons can help prevent a local account password hash from being reused in a malicious attack. This procedure helps to prevent lateral movement by ensuring that stolen credentials for local accounts from a compromised operating system can't be used to compromise other computers that use the same credentials.

To perform this procedure, you must first identify the name of the local, default Administrator account, which might not be the default user name "Administrator", and any other accounts that are members of the local Administrators group.

The following table shows the Group Policy settings that are used to deny network logon for all local Administrator accounts.

To deny network logon to all local administrator accounts

  • In the console tree, expand < Forest >\Domains\< Domain >, and then Group Policy Objects, where forest is the name of the forest, and domain is the name of the domain where you want to set the Group Policy Object (GPO)
  • In the console tree, right-click Group Policy Objects, and > New
  • In the New GPO dialog box, type < gpo_name >, and then > OK, where gpo_name is the name of the new GPO. The GPO name indicates that it's being used to restrict the local administrative accounts from interactively signing in to the computer
  • Configure the user rights to deny network logons for administrative local accounts as follows:
      • Navigate to Computer Configuration\Windows Settings\Security Settings\, and > User Rights Assignment
      • Double-click Deny access to this computer from the network
      • Select Add User or Group, type Local account and member of Administrators group, and > OK
  • Configure the user rights to deny Remote Desktop (Remote Interactive) logons for administrative local accounts as follows:
      • Navigate to Computer Configuration\Policies\Windows Settings and Local Policies, and then select User Rights Assignment
      • Double-click Deny log on through Remote Desktop Services
  • Link the GPO to the first Workstations OU as follows:
      • Navigate to the < Forest >\Domains\< Domain >\OU path
      • Right-click the Workstations OU, and > Link an existing GPO

You might have to create a separate GPO if the user name of the default Administrator account is different on workstations and servers.
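To check that both deny rights from the procedure above are in force on a machine, the local policy can be exported with secedit.exe and the [Privilege Rights] section parsed. This is an added example and not part of the Microsoft article; it looks for the "Local account and member of Administrators group" principal (well-known SID S-1-5-114) plus any extra principals you name, such as a renamed built-in Administrator, and it must run in an elevated session because secedit needs administrative rights to export.

```powershell
function Get-PrivilegeRights {
    # Export the local security policy and return a hashtable:
    # right name -> array of SIDs (or names) currently assigned to it.
    $tempFile = Join-Path $env:TEMP ('ura-{0}.inf' -f [guid]::NewGuid())
    try {
        $null = secedit.exe /export /cfg $tempFile /areas USER_RIGHTS
        $lines = Get-Content -Path $tempFile
    }
    finally {
        Remove-Item -Path $tempFile -ErrorAction SilentlyContinue
    }

    $rights = @{}
    $inSection = $false
    foreach ($line in $lines) {
        if ($line -match '^\[(.+)\]') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
            $name  = $Matches[1]
            $value = $Matches[2]
            # secedit writes SIDs with a leading '*' (e.g. *S-1-5-114); strip it for comparison
            $rights[$name] = @($value -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return $rights
}

function Test-LocalAdminNetworkLogonDenied {
    param(
        # Extra principals (e.g. the renamed default Administrator) that must also be denied
        [string[]]$AdditionalPrincipal = @()
    )
    $rights   = Get-PrivilegeRights
    $required = @('S-1-5-114') + $AdditionalPrincipal

    foreach ($right in 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        # A right absent from the export has no principals assigned at all
        $assigned = if ($rights.ContainsKey($right)) { $rights[$right] } else { @() }

        foreach ($principal in $required) {
            # Resolve account names to SIDs so the comparison is language independent
            $sid = $principal
            if ($principal -notmatch '^S-1-') {
                try {
                    $account = [System.Security.Principal.NTAccount]$principal
                    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
                }
                catch { }   # unresolvable name: fall back to a literal comparison
            }
            [pscustomobject]@{
                Right     = $right
                Principal = $principal
                Denied    = ($assigned -contains $sid) -or ($assigned -contains $principal)
            }
        }
    }
}

# Any row with Denied = False is a gap in the policy described above
Test-LocalAdminNetworkLogonDenied -AdditionalPrincipal "$env:COMPUTERNAME\Administrator" |
    Format-Table -AutoSize
```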

Passwords should be unique per individual account. While it's true for individual user accounts, many enterprises have identical passwords for common local accounts, such as the default Administrator account. This also occurs when the same passwords are used for local accounts during operating system deployments.

Passwords that are left unchanged or changed synchronously to keep them identical add a significant risk for organizations. Randomizing the passwords mitigates "pass-the-hash" attacks by using different passwords for local accounts, which hampers the ability of malicious users to use password hashes of those accounts to compromise other computers.

Passwords can be randomized by:

  • Purchasing and implementing an enterprise tool to accomplish this task. These tools are commonly referred to as "privileged password management" tools
  • Configuring Local Administrator Password Solution (LAPS) to accomplish this task
  • Creating and implementing a custom script or solution to randomize local account passwords


Tim’s Tech Blurbs

Tim’s tech ramblings about Intune, Modern Management, Powershell and every thing else.

How to move Windows 10 User Rights Assignment to Endpoint Manager / Intune

Should you change the default user rights assignments in Windows 10? That’s the question. If you ask my colleague the AD expert, he will tell you to run away and not even think about changing the defaults. (He will back it up with some pretty funny stories as well about where someone did it and locked out a company and maybe even a ship.)

If you ask the Security team, the answer is a yes. We should set them.

Let’s take a look. We will start at my favourite site, the Windows 2004 security baseline. MS recommend quite a few settings to be applied. When we add another baseline from the Security team we end up with the table below.

First things first. Let’s check the CSP and see what we need to do. To note, you can use the nice name for the account (i.e. Administrators). But we have every language under the sun, so we need a better way to define the accounts. Let’s check the Well-known SID Structures for what we need.

Lets start with the local administrator. When you check for the SID, be sure to look for the BUILTIN groups and not the domain Groups. Looking at the table the SID is S-1-5-32-544.

Now we check the local account and we get S-1-5-113.

So let’s set up a policy. Let’s open Endpoint Manager.

Goto Devices -> Configuration Profiles. Select Add new.

Select “Windows 10 and Later” and Custom in the profile


Let’s enter in a Logical name. “Windows 10 User Rights Assignment” and select Save.


Let’s start with “Load and unload device drivers.” Select Add on the next page. Enter the name for the setting. I am preceding the name with URA (for User Rights Assignment). In the OMA-URI field, enter ./Device/Vendor/MSFT/Policy/Config/UserRights/LoadUnloadDeviceDrivers. The Data Type should be string. Then enter the desired SID for the setting. In this case it will be *S-1-5-32-544. (Add the * in front to distinguish that it’s a SID.) Press Save.


Done. What’s next? Let’s go to “Access Credential Manager as a trusted caller”. According to the baseline no one should have access to this. But how do we define it so no one can access it? Well, don’t press save with a blank field. It will fail (I learned the hard way).

Add a new one and add in the name URA – Access Credential Manager as a trusted caller. Then for the OMA-URI enter ./Device/Vendor/MSFT/Policy/Config/UserRights/AccessCredentialManagerAsTrustedCaller. Select String again. In the data field I have set the value as </>. If you leave it blank you get an error when saving it. It’s really annoying if you have added 20 and then realise they have all failed.


Repeat until you have added them all in. Select Next, and then assign them to your test group. Sync your device, and reboot.

You should also do the testing on a test machine, just in case you lock yourself out.
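Building the custom OMA-URI entries by hand for every right is where the "20 failed saves" problem comes from. The following PowerShell is an added example, not code from the post; it generates the settings (name, OMA-URI, data type, value) from a baseline table, resolving principals through .NET well-known SID types so the values are the same on every language edition of Windows, and emits "</>" for rights that nobody should hold, as the post found necessary. The baseline rows are constructed for illustration, and the ChangeSystemTime node name and the U+F000 list delimiter are taken from the UserRights/Policy CSP rather than from the post.

```powershell
function ConvertTo-UserRightSidValue {
    param([string[]]$Principal = @())

    $sids = foreach ($p in $Principal) {
        if ($p -match '^S-1-') {
            $p    # literal SID, e.g. S-1-5-113 for "Local account"
        }
        else {
            # $p names a System.Security.Principal.WellKnownSidType member, so the
            # resulting SID does not depend on the localized account name
            $type = [System.Security.Principal.WellKnownSidType]$p
            [System.Security.Principal.SecurityIdentifier]::new($type, $null).Value
        }
    }

    if (-not $sids) {
        return '</>'    # an empty value fails to save; "</>" means "no one" here
    }

    # Prefix each SID with '*' so the CSP treats it as a SID rather than an account name.
    # Assumption not stated in the post: list items are separated with the U+F000 character.
    $delimiter = [string][char]0xF000
    return (($sids | ForEach-Object { "*$_" }) -join $delimiter)
}

function New-UserRightOmaUriSetting {
    param(
        [Parameter(Mandatory)]
        [string]$Node,                 # UserRights CSP node, e.g. LoadUnloadDeviceDrivers
        [string[]]$Principal = @()     # WellKnownSidType names or literal SIDs
    )
    [pscustomobject]@{
        Name     = "URA - $Node"
        OmaUri   = "./Device/Vendor/MSFT/Policy/Config/UserRights/$Node"
        DataType = 'String'
        Value    = ConvertTo-UserRightSidValue -Principal $Principal
    }
}

# Constructed baseline rows (illustrative, not a published baseline)
$baseline = @(
    @{ Node = 'LoadUnloadDeviceDrivers';                Principal = 'BuiltinAdministratorsSid' }
    @{ Node = 'AccessCredentialManagerAsTrustedCaller'; Principal = @() }
    @{ Node = 'ChangeSystemTime';                       Principal = 'BuiltinAdministratorsSid', 'LocalServiceSid' }
)

$settings = $baseline | ForEach-Object {
    New-UserRightOmaUriSetting -Node $_.Node -Principal $_.Principal
}

$settings | Format-Table -AutoSize
# Keep a copy alongside the profile so the intended grants are documented
$settings | Export-Csv -Path .\ura-settings.csv -NoTypeInformation
```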

How can you check that the User Rights Assignments have worked? Let’s ask Mark. He usually knows these things.

Let’s download AccessChk from here: https://docs.microsoft.com/en-gb/sysinternals/downloads/accesschk . It allows you to check various permissions for files, registry, etc. We will use it with -a to give us the Windows account rights. Let’s check SeSystemtimePrivilege, or Change the System time. According to the baseline, only Admin and Local Service should have this right. Let’s run accesschk.exe -a SeSystemtimePrivilege

Great, the values are as we expect. What about checking all the permissions? Let’s run accesschk.exe -a * to show all the permissions.

Now all the rights look good. So let’s plan to roll it out and hope we don’t become a funny story for my colleague.

Published by Tim Wood

The Allow log on locally user right must only be assigned to the Administrators and Users groups.


Windows User Rights Assignment Utility

jcasale/UserRights


The UserRights.exe utility is an application for managing the User Rights Assignment security policy settings.

UserRights.exe is similar to ntrights.exe from the Windows 2003 Resource Kit utility, with additional functionality making it more flexible for use in automation.

Use Case - Automating User Rights Assignment on Windows Servers

Managing user rights assignment with group policies is not trivial. The interface only allows either exclusively specifying all the principals that will be granted the right, or leaving the user right unmanaged. That is the only reasonable approach, but the grants will vary depending on the roles or applications that are installed. There may be virtual accounts (e.g., IIS application pool accounts with security identifiers matching S-1-5-82-*) or NT service accounts (e.g., MSSQL accounts with security identifiers matching S-1-5-80-*) that are granted privileges.

This requires the creation and maintenance of unique and highly specific group policies for each platform and software combination. For example, a typical approach for managing the SeServiceLogonRight right might resemble:

  • Create a new group policy object.
  • Ensure the mode is set to Update .
  • Ensure Delete all member users is enabled.
  • Ensure Delete all member groups is enabled.
  • Enable item level targeting, add an LDAP Query and configure it to pass only when the LDAP query does not return a value indicating the related directory group was not found (e.g., DOMAIN\allow-log-on-service-%ComputerName% ).
  • Configure a single member by adding the related directory group using the variable based convention (e.g., DOMAIN\allow-log-on-service-%ComputerName% ).
  • Enable item level targeting, add an LDAP Query and configure it to pass only when the LDAP query does return a value indicating the related directory group was found (e.g., DOMAIN\allow-log-on-service-%ComputerName% ).
  • Add any required local users.
  • Add any required local groups.
  • Add any required virtual accounts.
  • Add any required NT service accounts.
  • Add the new local group created above, allow-log-on-service .
  • Link the policy and configure the security and filtering as required.

When the policy executes, the %ComputerName% variable will be expanded and the applicable preference will create the local group, and the grants for the user right privilege will be overwritten. If the related directory security group is later provisioned, it will be added to the local group and the user rights will apply. While there is nothing wrong with this approach, and it is certainly the most secure, it has fairly high overhead.

An alternative approach without the local groups that uses UserRights.exe to grant the required directory group and revoke any inappropriate grants using a pattern is possible.

This example illustrates an approach for managing the SeServiceLogonRight right and can be applied to any of the user rights.

Copy the UserRights.exe utility to a network share that is accessible by all computer accounts.

Create an Active Directory security group for the server that should have the SeServiceLogonRight right managed. The group name must contain the sAMAccountName in addition to any conventions that are required. For example, to manage the SeServiceLogonRight privilege for a server named MyServer , create a security group named allow-log-on-service-MyServer and grant membership to all the required service accounts.

Create a group policy object, open it in the editor, and create a new scheduled immediate task:


Select the general tab and configure the task:


  • Set the task to run in the NT AUTHORITY\System context.
  • Set the task to run whether the user is logged in or not.
  • Set the task to run with the highest privileges.
  • Set the task to be hidden in the scheduled task console while it is executing.

Select the action tab and configure the task to execute the UserRights.exe utility.


Set the program to the full path to the utility. For example: \\example.com\NETLOGON\UserRights.exe .

Set the arguments to execute the utility in privilege mode, grant the SeServiceLogonRight privilege to a security group corresponding to the server's sAMAccountName value, and remove any other regular user accounts or groups. For example:

privilege SeServiceLogonRight --grant EXAMPLE\allow-log-on-service-%ComputerName% --revoke-pattern "^S-1-5-21"

Select the common tab and enable item level targeting.


Select the targeting button, and configure item level targeting to ensure the preference is only executed when the corresponding Active Directory security exists in the directory.


  • Select New Item , then choose LDAP Query .
  • Select Item Options , then choose IS .
  • Set the filter to (&(objectCategory=group)(name=allow-log-on-service-%ComputerName%))
  • Set the binding to LDAP:
  • Set the attribute to the same type used in the filter name

The example above uses the group's name attribute type, which may be a better option than sAMAccountName in some environments.

Repeat all the above steps with the following changes to accommodate the case when the directory group does not exist:

Configure the action to execute the UserRights.exe utility with the following arguments:

privilege SeServiceLogonRight --revoke-pattern "^S-1-5-21"

Configure item level targeting to enable the preference when the LDAP query does not return a value.

Granting the privilege to a new user or service account only requires granting membership in the associated directory security group. Servers without a corresponding directory security group will only have the user right privilege pruned according to the pattern.

If the privilege is later directly granted to a local or domain user account or group, group policy will revoke the grant. The pattern can be extended to prevent well-known security identifiers for built-in non-privileged contexts as well (use the dry-run flag to verify your regular expression).

Instrumentation

Diagnostic messages are emitted to the console and the Windows application event log.

Events originate from the UserRights source and have the following possible ids:

Manage a Principal

  • Grant a privilege and revoke a different privilege from a principal:
  • Grant multiple privileges, and revoke any other privileges assigned to a principal:
  • Revoke a privilege from a principal:
  • Revoke all privileges from a principal:

Manage a Privilege

  • Assign a principal, and revoke all other principals matching a pattern (everything except builtin and virtual accounts) from a privilege in dryrun mode to only instrument the changes:
  • Revoke all principals matching a pattern (everything except builtin and virtual accounts) from a privilege:
  • Assign a principal and revoke a different principal from a privilege:
  • Revoke a principal assigned to a privilege:
  • Revoke all principals assigned to a privilege:

Enumerate Privileges and Principals

  • List all principals and privileges in CSV format to STDOUT :
  • List all principals and privileges in JSON format to STDOUT :
  • List all principals and privileges in CSV format to a file:

Additional Info

Releases are provided in two formats that both target .Net 8.0:

  • An archive containing a runtime-dependent executable and all the required libraries.
  • An archive containing a single, self-contained executable to make deployment simple.

Useful Links

  • User Rights Assignment
  • Well-Known SID Structures
  • Regular Expression Language - Quick Reference


How to manage user account settings on Windows 11

Here are the steps to add, change, and remove accounts on Windows 11.

Manage user accounts

View account details

  • Add more email accounts
  • Change sign-in options
  • Control account sync settings
  • Connect to organization
  • Add multiple accounts
  • Delete accounts

On Windows 11 , the "Accounts" page in the Settings app allows you to review and customize many aspects of your account. You can determine the account type, switch from a Microsoft to a local account, change how you sign in, and enable many features to make the experience more secure and easier to use.

In addition, when you need to share a device with other people, you can create an account for each person so that each has a personal space they can customize, apps with their own profile, and a different area to store files.

Furthermore, if you must let a young person use a computer, you can also create a special child account type that provides parental control to monitor and protect them from content that may not be appropriate for their age.

This guide will teach you the steps to manage user accounts on your computer running the latest version of Windows 11.

How to view account details on Windows 11

On Windows 11, the "Your info" settings page includes details about your account, such as the type of account and the Microsoft account associated with the current profile. It also houses the settings to switch from a Microsoft to a local account or vice versa and the option to change the picture profile.

To view the account information on Windows 11, use these steps:

  • Open  Settings .
  • Click on  Accounts .
  • Click the  Your info  page on the right side.
  • Confirm your account details, including account type (Administrator or Standard) and whether you have a local or Microsoft account. 
  • Quick note:  If the page reads "Local account" under your name, there's a link to a Microsoft account. You have a Microsoft account configuration if your email address appears on this page.
  • (Optional) Under the "Related settings" section, click the  "Accounts"  option to access the account online to change billing details, family and security settings, and other settings.

Once you complete the steps, the "Your info" page will give various pieces of information about the account.

In the "Accounts" section, you're also going to find the "Your Microsoft account" page, but it only includes details about your Microsoft 365 subscription.

Change to local account

If you have a Microsoft account and you prefer a local account, you can use these steps to switch:

  • Under the "Account settings" section, click the  "Sign in with a local account instead"  option.
  • Continue with the on-screen directions. 

After you complete the steps, the account will no longer be associated with a Microsoft account. 

You can also use the instructions outlined above to switch to a Microsoft account if you have a local account.

Change account picture

To change the account picture on Windows 11, use these steps:

  • Click the  Browse files  button in the "Choose a file" setting. 
  • Quick tip:  You can also use the  Camera  option to take a picture and set it as the new profile photo.
  • Select a new image for the account.
  • Click the  Choose Picture  button.

Once you complete the steps, the picture will apply to the account.

How to link additional emails to an account on Windows 11

You can also add other email accounts in advance, so you don't have to enter the information on other apps (such as Mail & Calendar) and services.

Add accounts for apps

To add additional email accounts on Windows 11, use these steps:

  • Click the  Email & accounts  page on the right side.
  • Under the "Accounts used by email, calendar, and contacts" section, click the  Add an account  button.
  • Quick note:  If you want to add another Microsoft account, the system will list it under the "Accounts used by other apps" section.
  • Select the service provider (such as Outlook, Google, or iCloud).

After you complete the steps, the accounts will be available to set up other apps and services.

Add accounts for work

To add work accounts for apps on Windows 11, use these steps:

  • Under the "Accounts used by other apps" section, click the  "Add a Microsoft account"  or  "Add a work or school"  account.
  • Select the correct service.

Once you complete the steps, the account will be added, giving you quick access to work applications, such as OneDrive for Business.

How to change sign-in options on Windows 11

Windows 11 also includes the "Sign-in options" page that includes the different ways you can customize the preferences to sign into your account. For example, on this page, you can configure Windows Hello, change your local account password, and enable other features like Dynamic lock.

Change account password

If you use Windows 11 with a Microsoft account, you can only change the password  online  by changing your Hotmail, Live, or Outlook password. You can change the password through the Sign-in options page if you have a local account.

To change the account password on Windows 11, use these steps:

  • Click the  Sign-in options  page on the right side.
  • Under the "Ways to sign in" section, click the  Password  setting.
  • Click the  Change  button.
  • Confirm the current password.
  • Confirm the new password.
  • Quick note:  You can't re-use a previous password. You must enter a new password.
  • Click the  Next  button.
  • Continue with the on-screen directions (if applicable).

After you complete the steps, you can sign out and sign back in to start using the new password.

Configure or change Windows Hello authentication

On Windows 11, you have multiple ways to configure Windows Hello. You can set up facial or fingerprint recognition if you have the hardware that supports the feature. You can use a physical security key (usually used in organizations). And the most common form of authentication is the PIN option since it doesn't require special hardware and is more secure than a traditional password.

Usually, Windows 11 will prompt you to create a PIN during the initial setup, but if you are still using a password, you can use these steps to set up a Windows Hello PIN:

  • Under the "Ways to sign in" section, click the  PIN (Windows Hello)  setting.
  • Click the  Set up button.
  • Confirm your current password (if applicable).
  • Click the  OK  button.
  • Create a new numeric PIN that you will remember. 
  • (Optional) Under the "Additional settings" section, turn on the  "For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device"  toggle switch.
  • Quick note:  This feature will turn on Windows Hello for all authentications across Windows 11, so you are never asked for your account password.

Once you complete the steps, you can start using the PIN to sign in instead of a password.

Change current PIN

If you already have a PIN, you will only find the option to change or remove it.

To change the current account PIN, use these steps:

  • Under the "Ways to sign in" section, click the  PIN (Windows Hello)  setting.
  • Click the  Change PIN  button.
  • Confirm the current PIN.
  • Create a new PIN.
  • Confirm the new PIN.
  • (Optional) Under the "Additional settings" section, turn on the  "For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device"  toggle switch.
  •   Quick note:  This feature will turn on Windows Hello for all authentications across Windows 11, so you are never asked for your account password. However, if enabled, you won't be able to remove the PIN.

After you complete the steps, the Windows Hello information will change to the new PIN.

Enable sign-in upon waking up

As part of the account settings, you can decide whether the system should prompt you for a password upon waking the device or after some time you have been away from your desk.

To require a sign-in after waking up or specific time period, use these steps:

  • Under the "Additional settings" section, use the  "If you've been away, when should Windows require you to sign in again?"  setting to automatically select how long the system should wait before locking the account.

This setting replaces the "Require sign-in" option that lets you decide whether Windows 11 should ask you to sign in when the device wakes up from sleep mode. If you want to disable the option, select the  Never  option.

Enable Dynamic lock

"Dynamic lock" is a feature that automatically locks your device when you step away from it. The feature uses proximity technology, meaning you'll need to pair a Bluetooth device like a phone or wearable before you can configure it. Once enabled, when you step away from the computer, Windows 11 will lock the profile automatically after 30 seconds.

To enable Dynamic lock, use these steps:

  • Click on  Bluetooth & devices .
  • Click on  Add device  button.
  • Click on  Bluetooth .
  • Turn on Bluetooth on the device you want to pair.
  • Select the device from the list.
  • Continue with the on-screen directions to complete the pairing.
  • Click the  Sign-in options  page on the right side.
  • Under the "Additional settings" section, click the  Dynamic lock  setting.
  • Check the "Allow Windows to automatically lock the device when you're away"  option.

Once you complete the steps, you can step away from the desk with the Bluetooth device, and then after 30 seconds, when you return, the computer should be locked.

Stop restarting apps on startup

Some apps are able to restart automatically at startup if you don't close them before turning off the computer. If you don't like this behavior, you can disable the feature. 

To prevent apps from restarting at startup, use these steps:

  • Under the "Additional settings" section, turn off the  "Automatically save my restartable apps and restart when I sign back in"  toggle switch. 

After you complete the steps, apps will no longer restart automatically on startup.

How to control account sync settings on Windows 11

On Windows 11, Microsoft is referring to the sync settings as the new "Windows Backup" feature. On this page, you can choose what folders are backed up in the cloud using OneDrive . You can decide whether the system should remember your apps so you can restore them on another installation. And you can control the settings you want to sync across devices associated with the same Microsoft account.

To control the sync settings on Windows 11, use the steps:

  • Click the  Windows backup  page on the right side.
  • Click the  Set up syncing  button for the "OneDrive folder syncing" setting.
  • Select the folders (Desktop, Documents, or Pictures) to upload and back up on the cloud. (You must have enough space to enable this feature.)
  • Click the  Start backup  button.
  • (Optional) Turn on the  "Remember my apps"  toggle switch if you want the system to remember the Microsoft Store apps on your computer so that you can restore them later on another computer.
  • Turn on the  "Remember my preferences"  toggle switch to allow your settings to sync across devices.
  • Click the "Remember my preferences" setting.
  • Check the settings you want to sync across devices, including passwords, language preferences, and other Windows settings.

Once you complete the steps, the settings and files will sync to the cloud and across devices, depending on your configuration.

How to connect account to an organization on Windows 11

The "Access work or school" page has the settings to connect to an organization to access shared resources, such as network resources, apps, and emails. If you are part of an organization, your network administrator will provide the information.

To connect a device to the network, use these steps:

  • Click the  Access work or school  page on the right side.
  • Click the Connect button.
  • Confirm your work or school account. 
  • Quick note:  You can also select the option to join an Azure Active Directory or local Active Directory domain from this page.

After you complete the steps, you will have access to the organization's resources as configured by the network administrator.

How to add multiple accounts on Windows 11

Although most computers are set up for single users, Windows 11 allows you to share the device with multiple people through the "Family & other people" page, which includes the settings to add, remove, and manage multiple user accounts.

Add family members 

On the page, under the "Your family" section, you can manage family members to allow each person to have their desktop, settings, apps, and a place to store files separately from everyone else.

You can have two family account types, including "Child" and "Adult," and each account type provides different features.

Create a child account

A  Child  account offers a controlled environment with features to keep young members safe while using apps, playing games, and browsing the internet. If you choose to create a child account, the person can use the device, personalize the desktop, work with apps, create files, and safely browse the web with Microsoft Edge. 

Also, when using this account type, the organizer can control their activities, enforce limits on apps and games, control screen time, and more using the Microsoft family dashboard online.

To create a child account on Windows 11, use these steps:

  • Click the  Family & other users  page on the right side.
  • Click the  Add account  in the "Add a family member" setting. 
  • Confirm the email address of the young person you want to add.
  • Quick note:  If the young person doesn't have an account, choose the "Create one for a child" option and continue with the on-screen directions.
  • Click the Next button.
  • Select the Member option.
  • Click the Invite button.
  • Open the invitation email in the child's account online.
  • Click the Accept Invitation button.
  • Click the Join now button.
  • Sign out of the main account.
  • Select the child account from the Lock screen.
  • Sign in with the child's Microsoft account credentials.
  • Click the Skip for now option (if applicable).
  • Create a PIN for the account.
  • Click the OK button.
  • Continue with the on-screen directions to finish the setup.

Once you complete the steps, Windows 11 will create the account, and the user will be able to sign in immediately.

Create an adult account

When using the family settings, an adult account is the same as a traditional local account, but members can also control child accounts.

To add a new member to the family group on Windows 11, use these steps:

  • Click the  Add account  in the "Add a family member" setting. 
  • Confirm the family member's email address.
  • Click the  Next  button.
  • Select the  Organizer  option.
  • Click the  Invite  button.

After you complete the steps, the account will be created, but the new member will need to accept the email invitation before they can use the device and manage parental control settings for child accounts.

Add non-family member 

On Windows 11, you can also create accounts for other people not necessarily part of your family. Using these settings, you can create a Microsoft or traditional local account. 

Create a Microsoft account

Using a Microsoft account is recommended because it's easier to configure, the user can choose to sync their settings across devices, and password recovery is straightforward.

To create a profile with a Microsoft account, use these steps:

  • Under the "Other users" section, click the  Add account  button for the "Add other user" setting.
  • Confirm the email address or phone number of the new user.
  • Quick note: If the user doesn't have a Microsoft account, choose the "I don't have this person's sign-in information" option to create an account and continue with the on-screen directions.
  • Click the  Finish  button.

Once you complete the steps, the person should be able to sign in and start using the device.

Create a local account

On Windows 11, you can still create a local account without needing a Microsoft account, also called an offline account.

To create a local account on Windows 11, use these steps:

  • Click the  "I don't have this person's sign-in information"  option.
  • Click the  "Add a user without a Microsoft account"  option.
  • Confirm the username.
  • Create a password for the account.
  • Complete the security questions to enable the reset option if you forget the password.

After you complete the steps, the user can log in and start using the standard local account on your Windows 11 computer.

Furthermore, the "Family & other users" page also includes an option to  set up a kiosk account . This feature is usually reserved for network administrators to turn a computer into a digital sign or interactive display or turn it into a device that only runs a specific application.

Change account type

A standard user account is the recommended type for most users, but you can change the type to administrator if needed.

To change a user account type on Windows 11, use these steps:

  • Click the  Family & other users  page on the right side.
  • Under the "Other users" section, select the account to update.
  • Click the  Change account type  button.
  • Select the  Administrator  account type.

Once you complete the steps, the new account type will dictate the user's access privileges.

How to delete account on Windows 11

On Windows 11, when you no longer need an account, you can delete the profile and data, but the steps can differ depending on the account type.

Remove family account

To delete a family member account on Windows 11, use these steps:

  • Under the "Your family" section, click the "Manage family settings online" option.
  • Sign in with your credentials (if applicable).
  • Under the "Your family" section, click the (three-dotted) menu button in the right corner of the user account and select the  "Remove from family group"  option.
  • Click the  Remove  button.
  • Quick note: If you are trying to remove a child account, you may first need to choose the "Manage consent" option and remove the consent before you can remove the account from the family group.

Once you complete the steps, the account and files will be deleted from the computer.

Remove non-family account

To delete a local account on Windows 11, use these steps:

  • Under the "Other users" section, select the user account and click the  Remove  button.
  • Click the  "Delete account and data"  button.

After you complete the steps, the profile and files will be deleted from the device.

More resources

For more helpful articles, coverage, and answers to common questions about Windows 10 and Windows 11, visit the following resources:

  • Windows 11 on Windows Central — All you need to know
  • Windows 10 on Windows Central — All you need to know


Mauro Huculak

Mauro Huculak is technical writer for WindowsCentral.com. His primary focus is to write comprehensive how-tos to help users get the most out of Windows 10 and its many related technologies. He has an IT background with professional certifications from Microsoft, Cisco, and CompTIA, and he's a recognized member of the Microsoft MVP community.


How to add a user group in the "Shut down the system" group policy in Windows Server by CMD or PowerShell

I've read some documentation on Microsoft and other sites. Some of them suggest GPRegistryValue for registry-based policies and other recommended third-party software.

The full path of the key is: "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment"

But in my case I cannot use other packages except CMD or PowerShell (UI not available).

  • group-policy
  • windows-server

Daniel Teodoro's user avatar

  • superuser.com/questions/1254253/… and blakedrumm.com/blog/set-and-check-user-rights-assignment might help you for a starting point to play with. –  Vomit IT - Chunky Mess Style Nov 25, 2022 at 21:25
  • This is just local security policy settings. What did you search for as this is a common task? powershell 'Local User Rights Management' –  postanote Nov 25, 2022 at 21:37

Windows provides the secedit.exe tool for this and/or custom code, as per the link provided in my comment to you.

Also, did you check the mspowershellgallery.com site for modules that assist with local user security policy?

Update as per '@Vomit IT - Chunky Mess Style' suggestion.

The more succinct/elegant option.

FYI --- Update for '@Vomit IT - Chunky Mess Style'. Using the PS_LSA.Wrapper

postanote's user avatar

  • 1 @VomitIT-ChunkyMessStyle... update provided. –  postanote Nov 25, 2022 at 21:43
  • Oh yeah, now you're talking!!! I saw github examples of that Indented.SecurityPolicy you suggested listed there. I like it! –  Vomit IT - Chunky Mess Style Nov 25, 2022 at 21:55
  • 1 Yeppers, I've got a bunch of these I've collected, refactored, and written over the years in different engagements. Even one using the underlying OS PS_LSA Windows library. –  postanote Nov 25, 2022 at 22:06
  • Thanks for helping me. The module of 'SecurityPolicy' is available, but when I try to find its modules "Get-Command -Module 'SecurityPolicy'" nothing is listed. Thus, I can't execute 'Add-UserRightsAssignment'. –  Daniel Teodoro Nov 29, 2022 at 13:38
  • If you did this Get-Command -Module 'SecurityPolicy' , and you see nothing? If so, that means it's not installed/in your PSModulePath. Did you install the module as I show in my suggested answer? If not, then you need to. Then you use Get-Module -ListAvailable to validate it's on your system. –  postanote Nov 30, 2022 at 6:37
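Added example, not code from the Super User answer above nor from the Indented.SecurityPolicy or SecurityPolicyDsc modules it mentions: the secedit.exe route the answer names, wrapped in PowerShell so that the "Shut down the system" right (SeShutdownPrivilege) asked about in the question can be granted to a group from the command line and then read back for verification. The group CONTOSO\ServerOps and the temporary file names are assumed placeholders; everything else is the stock secedit INF format.

```powershell
# Added example: grant a group the "Shut down the system" user right
# (SeShutdownPrivilege) with the built-in secedit.exe and verify the result.
# Not code from the Super User answer or the modules it names. Run elevated.
# CONTOSO\ServerOps below is an assumed placeholder group.

function ConvertTo-Sid {
    param([Parameter(Mandatory)][string]$Account)
    # Accept either a SID string or DOMAIN\name (also BUILTIN\Administrators, NT AUTHORITY\...)
    if ($Account -match '^S-1-\d+(-\d+)+$') { return $Account }
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-UserRightAssignment {
    param([Parameter(Mandatory)][string]$Right)
    # Export only the [Privilege Rights] area; secedit writes a UTF-16 INF file
    $cfg = Join-Path $env:TEMP ("ura-export-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit /export failed (exit $LASTEXITCODE)" }
        # A line looks like:  SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
        $line = Get-Content -Path $cfg -Encoding Unicode | Where-Object { $_ -match "^\s*$Right\s*=" }
        if (-not $line) { return @() }
        return @(($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Add-UserRightAssignment {
    param(
        [Parameter(Mandatory)][string]$Right,
        [Parameter(Mandatory)][string]$Account
    )
    $sid = ConvertTo-Sid -Account $Account
    [string[]]$current = @(Get-UserRightAssignment -Right $Right)
    if ($current -contains $sid) { Write-Verbose "$Account already holds $Right"; return }

    # secedit replaces the whole list for a right with what the INF says, so the
    # existing holders must be carried over or they silently lose the right.
    $value = @($current + $sid | ForEach-Object { "*$_" }) -join ','
    $inf = Join-Path $env:TEMP ("ura-apply-{0}.inf" -f [guid]::NewGuid())
    $db  = Join-Path $env:TEMP ("ura-apply-{0}.sdb" -f [guid]::NewGuid())
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$Right = $value
"@ | Set-Content -Path $inf -Encoding Unicode
    try {
        & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed (exit $LASTEXITCODE); see $env:windir\security\logs\scesrv.log" }
        # Read the policy back rather than trusting the exit code
        if ((Get-UserRightAssignment -Right $Right) -notcontains $sid) {
            throw "$Right does not list $Account after import"
        }
    } finally {
        Remove-Item -Path $inf, $db -ErrorAction SilentlyContinue
    }
}

# Usage (elevated):
Add-UserRightAssignment -Right SeShutdownPrivilege -Account 'CONTOSO\ServerOps' -Verbose
Get-UserRightAssignment -Right SeShutdownPrivilege   # SIDs now holding the right
```

Two caveats worth keeping in mind. First, secedit is not additive: the value in the INF becomes the complete list for that right, which is why the script exports the current holders and re-includes them, and why the INF uses SIDs rather than names so that nothing depends on name resolution at import time. Second, this edits the local security policy only; on a domain-joined server a GPO that defines the same right under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment will overwrite the change at the next policy refresh, so in a domain the assignment belongs in that GPO. With "Audit Authorization Policy Change" enabled, the change is recorded as Security event 4704 ("A user right was assigned"), which is the event to watch for unexpected privilege grants.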
