JSI Tip 1683. How do I restrict interactive logon at a workstation to members of the local Administrators group?.

Jerold Schulman

October 6, 1999

1 Min Read
ITPro Today logo in a gray background | ITPro Today


Using NTRights, you can create a batch file that contains the following commands for each workstation you wish to restrict:

  ntrights -r SeInteractiveLogonRight -u "Backup Operators" - m \  ntrights -r SeInteractiveLogonRight -u Everyone - m \  ntrights -r SeInteractiveLogonRight -u Guests - m \  ntrights -r SeInteractiveLogonRight -u "Power Users" - m \  ntrights -r SeInteractiveLogonRight -u Users - m \

where is the name of the workstation you want to restrict.

For the you are working on, you don't need the -m \ as the changes are made locally by default.

The above changes remove the right to logon locally from the listed local groups. If you have ordinary users in other local groups, add these local groups to the list. You can view the list of local groups by typing NET LOCALGROUP at a CMD prompt.

NOTE: You must be a member of the local Administrators group to run NTRights.

NOTE: NTRights is also availble in Supplement 4 of the Windows NT 4.0 Resource Kit.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like