Logon failure: The user has not been granted the requested logon type at this computer

The user has not been granted the requested logon type at this computer

In this post, we’re gonna solve “Logon failure: The user has not been granted the requested logon type at this computer” error.

the user has not been granted the requested logon type at this computer

We will also go through the following:

You might also like to read Evaluation Period expired for Windows Server 2012 R2, How to extend it?


The user has not been granted the requested logon type at this computer

I have created a new user in Active Directory on Windows Server 2012 R2, when I tried to log in with the newly created user to a site or windows, unfortunately, I couldn’t log in, I got the below error.

Logon failure: The user has not been granted the requested logon type at this computer.

the user has not been granted the requested logon type at this computer

How to solve “The user has not been granted the requested logon type at this computer”?

This error usually occurs in case the login user does not have permission to log on locally to this computer.

The login user does not have permission to log on locally to this computer

To solve “The user has not been granted the requested logon type at this computer” error, you should make sure that the login user and all groups that belong to are allowed to log on locally to this computer.

To get which groups the current user belongs to, Please check Get Groups in which a user is a member Using PowerShell.

Allow Logon Locally In Windows Server

Steps
  • Log in to the server with a Domain Administrator Account.
  • Run Group Policy Management as Administrator.
    • Open start menu > type “gpedit.msc“.
    • Right-click and select Run as administrator.
open Group Policy Management
  • Under Computer configuration >  go to Windows Settings > Security Settings > Local Policies > User Rights Assignemnts.
  • Right Click on Allow Logon Locally > Properties.
  • Click on Add User and Group then add the new user account.
Allow Logon Locally In Windows Server

Note: if “Add User button is disabled in User Rights Assignment“, that means the current user is not a domain admin account, to solve this issue please, check the Add User button is grayed out in User Rights Assignment.

Force Group Policy Update

To instantly reflect the above changes in Group Policy Management, you should do the following:

  • Open CMD as administrator.
Run Command Prompt As Administrator
  • Run the below command to apply Policy update.
gpupdate /force
Force Group Policy Update
  • Try to log in now.
  • Great, “The user has not been granted the requested logon type at this computer” is gone, you should be able to login to this computer without any issue now.

Allow Logon Locally to Windows (Alternative Method)

Alternatively, you can also allow the newly created user to logon locally to the windows by doing the following:

Steps
  • Login to the server as a domain administrator account.
  • Go to Control Panel > Administrative tools.
  • Right-click on Group Policy Management > Select Run as administrator.
Allow Logon Locally to Windows
  • From left side > Expand Forest node > Domains > Domain Name > Domain Controller.
  • Right-click on Default Domain Controller Policy > Click Edit.
Edit default domain policy

Note: Although you have run the Group Policy Management as an administrator, you may get the Edit option is disabled which means you didn’t log in to the server/PC as a domain administrator account. to solve this issue, please, check the Edit default domain policy grayed out.

  • In Group Policy Management Editor.
  • Expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
  • In the pane details >  Double click on  Allow Log on Locally.
Local Policies User Rights Assignments
  • In Allow log on locally Properties > Click on Add User or Group > Add the new user > Click OK.
add users and group to Allow logon locally

Note: if Add User button is disabled in User Rights Assignment, that means the current user is not a domain admin account. to solve this issue please, check the Add User button is grayed out in User Rights Assignment.

Force Group Policy Update

To instantly reflect the above changes in Group Policy Management, you should do the following:

  • Open CMD as administrator.
Run Command Prompt As Administrator
  • Run the below command to apply Policy update.
gpupdate /force
Force Group Policy Update
  • Try to log in now.
  • Great, “The user has not been granted the requested logon type at this computer” is gone, you should be able to login to this computer without any issue now.

Edit default domain policy grayed out

Even if you have run the “Group Policy Management” as administrator,

Run Group Policy Management as Administrator

You may not be able to edit default domain policy as shown below:

Edit default domain policy grayed out

Actually, you get “Edit default domain policy grayed out” If the current user is not a member of Domain Admins security group or Enterprise Admins security group.

Logon failure: The user has not been granted the requested logon type at this computer

To check if the current user is a member of Global Domain Admins group or not, Please check Get all Groups a user is a member of Using PowerShell

Enable “Edit default domain policy”

To enable “Edit default domain policy” option, you must

  • Login to the server with a domain admin account like Administrator account.
Use Domain Administrator Account to Edit default domain policy
  • Or using the current user,
    • Open “Administrative Tools”.
    • Press shift + right-click to run “Group Policy Management” as a different user.
    • Then provide the credential of a domain administrator account.
Run Group Policy Management as Domain Administrator Account

Whatever which method you will use, you would be able to “Edit default domain policy” now as shown below:

Edit default domain policy

Add User button is grayed out in User Rights Assignment

Again, you may get “Add User button is grayed out in User Rights Assignment” as shown below:

Add User button is grayed out in User Rights Assignment

This issue also occurs If the current user is not a member of Domain Admins security group or Enterprise Admins security group.

Logon failure: The user has not been granted the requested logon type at this computer

Enable “Add User button in User Rights Assignment”

To enable “Add User button in User Rights Assignment“, you should do the following:

  • Open “Administrative Tools” as administrator.
Run Administrative Tools as Administrator-min
  • Press shift + right-click to run “Group Policy Management” as a different user.
Run Group Policy Management as Domain Administrator Account
  • Then provide the credential of a domain administrator account.
Run Group Policy Management as different user
  • In Group Policy Management Editor.
  • Expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
  • In the pane details >  Double click on  Allow Log on Locally.
Local Policies User Rights Assignments
  • Great, the Add User or group button is enabled in User Rights Assignment now as shown below:
add users and group to Allow logon locally

Applies To
  • Windows Server 2012.
  • Windows Server 2016.
Conclusion

In conclusion, we have solved “Logon failure: The user has not been granted the requested logon type at this computer” error by configuring group policy management and allowing Logon Locally privileges to the new user to be able to login to the windows.

We have also solved the below issues that we may face during configuring “Group Policy Management” :

  • Edit default domain policy grayed out.
  • Add User button is grayed out in User Rights Assignment.
You may also like to read
Have a Question?

If you have any related questions, please don’t hesitate to ask it at deBUG.to Community.

4 thoughts on “Logon failure: The user has not been granted the requested logon type at this computer”

Leave a Reply