How to Allow or Prevent Users and Groups to Sign in Locally to Windows 10
By default, you need to dismiss the lock screen and enter your credentials to sign in to Windows 10 with your account.
By default, Users, Guests, Backup Operators, and Administrators are able to sign in locally to Windows 10.
See also: Allow log on locally - security policy setting (Windows 10) | Microsoft Docs
This tutorial will show you how to allow or prevent specific users and groups from being able to sign in (log on) locally to a Windows 10 PC.
You must be signed in as an administrator to allow or prevent users and groups to sign in locally.
Only allowed users and groups will be able to sign in locally to Windows 10. The Deny log on locally policy will override this Allow log on locally policy.
CONTENTS:
- Option One: Allow Users and Groups to Sign in Locally in Local Security Policy
- Option Two: Prevent Users and Groups to Sign in Locally in Local Security Policy
- Option Three: Allow or Prevent Users and Groups to Sign in Locally in Command Prompt
EXAMPLE: "The sign in method you're trying to use isn't allowed. For more info, contact your network administrator." message when a user or group is not allowed to sign in locally
OPTION ONE
Allow Users and Groups to Sign in Locally in Local Security Policy
Local Security Policy is only available in the Windows 10 Pro, Enterprise, and Education editions.
All editions can use Option Three below.
1. Press the
Win+R keys to open Run, type
secpol.msc into Run, and click/tap on
OK to open Local Security Policy.
2. Expand open
Local Policies in the left pane of Local Security Policy, click/tap on
User Rights Assignment, and double click/tap on the
Allow log on locally policy in the right pane. (see screenshot below)
3. Click/tap on the
Add User or Group button. (see screenshot below)
4. Click/tap on the
Advanced button. (see screenshot below)
5. Click/tap on the
Object Types button. (see screenshot below)
6. Check all the boxes for Object types, and click/tap on the
OK. (see screenshot below)
7. Click/tap on the
Find Now button, select the name of the
user or group (ex: "Guests") you want to add, and click/tap on
OK. (see screenshots below)
If you like, you can press and hold the Ctrl key to select more than one user and/or group.
8. Click/tap on
OK. (see screenshot below)
9. Click/tap on
OK. (see screenshot below)
10. When finished, you can close Local Users and Groups if you like.
OPTION TWO
Prevent Users and Groups to Sign in Locally in Local Security Policy
Local Security Policy is only available in the Windows 10 Pro, Enterprise, and Education editions.
All editions can use Option Three below.
1. Press the
Win+R keys to open Run, type
secpol.msc into Run, and click/tap on
OK to open Local Security Policy.
2. Expand open
Local Policies in the left pane of Local Security Policy, click/tap on
User Rights Assignment, and double click/tap on the
Allow log on locally policy in the right pane. (see screenshot below)
3. Select the
user or group (ex: "Guest") you want to remove, and click/tap on the
Remove button. (see screenshot below)
If you like, you can press and hold the Ctrl key to select more than one user and/or group.
4. Click/tap on
OK. (see screenshot below)
5. When finished, you can close Local Users and Groups if you like.
OPTION THREE
Allow or Prevent Users and Groups to Sign in Locally in Command Prompt
1. If you haven't already, you will need to do the following below before continuing on to
step 2 below.
A) Download the
ntrights.exe file below from the
Windows Server 2003 Resource Kit Tools.
B) Save the
ntrights.zip file to your desktop, and
unblock it.
C) Open the
ntrights.zip file, copy or move the
ntrights.exe file into your
C:\Windows\System32 folder, and click/tap on
Continue to approve.
2. Open an
elevated command prompt.
3. Type the command you want below into the elevated command prompt, and press
Enter.
(Add user or group to allow)
ntrights +r SeInteractiveLogonRight -u "User or Group"
OR
(Remove user or group to prevent)
ntrights -r SeInteractiveLogonRight -u "User or Group"
Substitute User or Group in the command above with the actual name of the user or group (ex: "Guests) you want to add or remove for this policy.
For example: ntrights +r SeInteractiveLogonRight -u "Guests"
4. When finished, you can close the elevated command prompt if you like.
That's it,
Shawn