What permissions have to be granted for a non-administrator user to log on to a domain controller?


  • I have a server which acts as the domain controller for the domain. Now I have created a user called TestUser using AD Users and Computers. I logged off and tried to log in with the TestUser account I just created. But I get the error message "you cannot logon because the logon method is not allowed on this computer". What permissions have to be set for the TestUser account for it to be able to log on to the server? How do I set these permissions?

    Thanks and Regards, Radhakrishnan

    Tuesday, May 29, 2012 1:16 PM


All replies

  • To log in to a domain controller, one needs to have domain administrator rights.


    You can define an "Allow logon locally" or "Allow logon through terminal services" GPO in your environment.

    Allow logon locally

    Allow logon through terminal services

    What are you trying to accomplish? Even if you allow them via the above policies, they cannot administer AD.

    Let us know your requirement so that we can answer your question



    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, May 29, 2012 1:31 PM
  • Have you seen this article? -

    By default, only members of the Account Operators, Administrators, Backup Operators, Print Operators, and Server Operators groups have the Allowed logon locally system right. If you want to grant a user account the ability to log on locally to a domain controller, you must either make that user a member of a group that already has the Allowed logon locally system right or grant the right to that user account.

    Santhosh Sivarajan | Houston, TX

    This posting is provided AS IS with no warranties, and confers no rights.

    Tuesday, May 29, 2012 1:48 PM
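
To check who actually holds these logon rights on a DC before or after changing the policy, the following added example (not from the thread or from the quoted article) parses a `secedit` user-rights export and flags principals outside the five default groups that article lists. The sample export and the `CONTOSO\TestUser` entry are constructed, and `Get-LogonRightHolders` is a hypothetical helper name.

```powershell
# Added example: report who holds the logon rights discussed in this thread.
# On a real DC, produce the input from an elevated prompt with:
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
#   $infText = Get-Content C:\Temp\rights.inf -Raw
# The text below is a constructed sample in the same format (SIDs carry a '*' prefix).
$infText = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551,CONTOSO\TestUser
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyInteractiveLogonRight =
'@

$rights = [ordered]@{
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeRemoteInteractiveLogonRight = 'Allow log on through Terminal Services'
    SeDenyInteractiveLogonRight   = 'Deny log on locally'
}

# Default holders of "Allow log on locally" per the quoted article: Administrators,
# Account Operators, Server Operators, Print Operators, Backup Operators.
$defaultSids = 'S-1-5-32-544','S-1-5-32-548','S-1-5-32-549','S-1-5-32-550','S-1-5-32-551'

function Get-LogonRightHolders {
    param([string]$InfText, [string]$Right)
    $line = ($InfText -split "`r?`n") |
        Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return }
    $entries = ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        $sid  = if ($entry.StartsWith('*')) { $entry.Substring(1) } else { $null }
        $name = $entry
        if ($sid) {
            try   { $name = ([Security.Principal.SecurityIdentifier]$sid).Translate([Security.Principal.NTAccount]).Value }
            catch { $name = $sid }   # unresolved SID (deleted account, or run off the domain)
        }
        # NonDefault is only meaningful for "Allow log on locally"
        $extra = if ($Right -eq 'SeInteractiveLogonRight') { $sid -notin $defaultSids } else { $null }
        [pscustomobject]@{ Right = $Right; Principal = $name; NonDefault = $extra }
    }
}

foreach ($r in $rights.Keys) {
    '{0} ({1})' -f $rights[$r], $r
    Get-LogonRightHolders -InfText $infText -Right $r |
        Format-Table Principal, NonDefault -AutoSize | Out-String
}
```

With the constructed sample, only `CONTOSO\TestUser` is reported with `NonDefault = True`, which is the entry a reviewer would want justified on a domain controller.
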
  • Non-domain-admin users are prohibited from logging on to domain controllers by design as a security measure, and it's recommended to keep it that way unless you plan to include new users to administer AD DCs. I think you're working in a lab; in that case it's OK to practice such an option. You would need to add this test user to the Domain Admins security group, then he will be able to log in to the DC. Right-click, go to user properties and add the Domain Admins group from the Member Of tab.

    Sachin Gadhave

    Tuesday, May 29, 2012 1:48 PM
  • As a best practice, only AD experts should log in to the DC, and any user who wants to log in to the DC should be delegated. Others have already provided information on how to log in to the DC and the membership required, but you should restrict login to the DC to a few. All the AD-related stuff can be performed by installing adminpak.msi or the RSAT tool on an XP or Windows Vista\7 machine.

    Awinish Vishwakarma - MVP - Directory Services

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, May 29, 2012 2:08 PM