Difference in the user right "Deny log on locally" between Windows 2000 and Windows 2003 (837954)



The information in this article applies to:

  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition

SYMPTOMS

In Windows 2003, users or members of a group that have been denied the "Log on locally" user right can still connect to the computer by using Remote Desktop Connection.

CAUSE

In Windows 2000, connections from the console and connections through Terminal Services were handled the same way: through the "Log on locally" user right.

In Windows 2003, these two types of connections depend on two separate user rights:
  • Log on locally: controls connections from the console.
  • Log on through Terminal Services: controls connections made through the Remote Desktop Connection client.
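
An audit check for the gap described above, as an added example that is not part of the original article: it reads the [Privilege Rights] section of a user-rights export and lists principals that are denied console logon but have no matching Remote Desktop deny entry. Assumptions: the input has the INF layout written by `secedit /export /cfg <file> /areas USER_RIGHTS`, the right names used are the Windows constants for "Deny log on locally" and "Deny log on through Terminal Services" (the latter is not named in the article), and the sample data and SID are constructed.

```python
# Added example: find principals denied "log on locally" that are not also
# denied Remote Desktop logon. SAMPLE_INF is constructed; the SID is made up.

DENY_LOCAL = "SeDenyInteractiveLogonRight"        # Deny log on locally
DENY_RDP = "SeDenyRemoteInteractiveLogonRight"    # Deny log on through Terminal Services

SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105,Guest,svc_backup
SeDenyRemoteInteractiveLogonRight = guest
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {right name: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs carry a leading '*'; account names compare case-insensitively.
            rights[name.strip()] = {
                p.strip().lstrip("*").lower() for p in value.split(",") if p.strip()
            }
    return rights


def denied_locally_but_not_rdp(inf_text):
    """Principals denied console logon with no matching Remote Desktop deny entry."""
    rights = parse_privilege_rights(inf_text)
    return sorted(rights.get(DENY_LOCAL, set()) - rights.get(DENY_RDP, set()))


if __name__ == "__main__":
    for principal in denied_locally_but_not_rdp(SAMPLE_INF):
        print("denied locally, no Remote Desktop deny entry:", principal)
```

The comparison is literal: it does not resolve group membership or match an account listed by name in one right against its SID in the other, so treat each hit as something to review. A real export is normally UTF-16, so open it with `encoding="utf-16"` before passing the text in.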

MORE INFORMATION

This change was made because Remote Desktop is natively part of Windows 2003. Even if the Terminal Services service is not set up, you can still access the computer remotely.
To enable or disable Remote Desktop, open the properties of "My Computer", click the "Remote" tab, and then select or clear the "Allow users to connect remotely to this computer" check box.

Modification Type: Major
Last Reviewed: 3/1/2004
Keywords: kbTermServ kbGPO kbinfo KB837954 kbAudITPRO