# What does "log on locally" mean?



## hardware01 (Dec 30, 2006)

I'm studying for a Microsoft exam and I am confused. When someone can “log on locally”, what exactly does that mean? Does this mean that the user would have to choose the computer name as opposed to the domain to log on locally, or does it mean that the user can log on using a cached authentication if the domain controller is not available? From my reading it states that someone in the “power users” group can log on locally. Wouldn't you have to physically create a local account in the Users and Computers area for a person to be able to log on locally? How does the “power users” group do that?


----------



## NA$ER (Sep 17, 2009)

its mean which users has the rights to login and use the machine, its the first step before what permission they have on the machine.

this policy you can find it by run gpedit.msc
navigate under computer configuration to:
windows settings
security settings
local policies
user right assignment
in the right pane you will find "log on locally" 
double click it and you will see which users and groups have the right to login to the computer.

in a Domain Controller (DC) the for example a domain user account cannot login to the (DC) but can be login to any other computer if there is no restriction.





more info:
Allow log on locally

This logon right determines which users can interactively log on to this computer. Logons initiated by pressing CTRL+ALT+DEL sequence on the attached keyboard requires the user to have this logon right. Additionally, this logon right may be required by some service or administrative applications that can log on users. If you define this policy for a user or group, you must also give the Administrators group this right.

Default:
On workstations and servers:
Administrators
Backup Operators
Power Users
Users
Guest.

On domain controllers:
Account Operators
Administrators
Backup Operators
Print Operators
Server Operators.


----------



## hardware01 (Dec 30, 2006)

Thanks for the response na$er. I think I might be starting to understand it. I was thinking that you could only log on locally if you had a local user account. Meaning that log on locally meant "not on the domain". At my work place we log on locally as admins by choosing the computer name as opposed to the domain that the PC is on.

So, if you have a 2003 server and you are a member of the "users" group only ( in active directory) you would not be allowed to log on to that PC since that group does not have the ability to log on locally. However, if you were part of the built in local users group you could log onto that PC.

Does that sound right?


----------

