Windows OS Hub
  • Windows
    • Windows 11
    • Windows 10
    • Windows Server 2025
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
    • Proxmox
  • PowerShell
  • Linux
  • Home
  • About

Windows OS Hub

  • Windows
    • Windows 11
    • Windows 10
    • Windows Server 2025
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
    • Proxmox
  • PowerShell
  • Linux

 Windows OS Hub / Group Policies / The Sign-in Method Isn’t Allowed to Logon Windows

March 15, 2024

The Sign-in Method Isn’t Allowed to Logon Windows

If you see The sign-in method is not allowed error when trying to logon Windows, it means that the resulting Group Policy settings prevent local sign-in for a current user account. Most often the error appears if you try to sign in to a computer using a guest account or to a domain controller using a user account without domain administrator privileges. However, there may be some other reasons.

The sign-in method you're trying to use isn't allowed. For more info, contact your network administrator.

cant logon windows - The sign-in method you're trying to use isn't allowed

The list of users and groups that are allowed to interactively sign in to a computer is configured using GPO.

  1. Open the Local Group Policy Editor (gpedit.msc);
  2. Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment;
  3. Find Allow log on locally in the list of policies;
  4. The policy contains the list of groups and users allowed to sign in to the computer locally. Allow log on locally GPO option
    Depending on the operating system and computer role, the list of groups allowed to sign in locally may vary. For example, local sign-in is allowed for the following user groups on workstations running Windows 10 and servers running Windows Server 2022,2019,2016:

    • Administrators
    • Backup Operators
    • Users

    On servers running Windows Server with the Active Directory domain controller role (ADDS), interactive sign-in is allowed for the following groups:

    • Account Operators
    • Administrators
    • Backup Operators
    • Print Operators
    • Server Operators

  5. You can allow local sign-in for other users or groups. To do it, click Add User or Group and select the users you want to add. For example, you prevent non-admin users from logging on to the device. To do it, just remove the Users group from the policy settings;
  6. After making the changes, update the Group Policy settings using the gpupdate /force command (no reboot required).

Also, note that there is another policy to prevent local interactive sign-in to Windows in the same GPO section. The policy is called Deny log on locally. In my case, anonymous local logon under the Guest account is denied on the computer.

Deny log on locally using GPO

You can prevent a specific group (or a user) from logging on to the computer locally by adding them to this policy. Since Deny log on locally policy has a higher priority than Allow log on locally, users won’t be able to log on to a computer with the following error:

The sign-in method isn’t allowed.
One of the best practices to secure privileged administrator accounts in a Windows domain is to deny local logon to workstations and servers under domain administrator accounts. To do it, assign Deny log on locally policy for the Domain Admins group to all OUs except Domain Controllers. In the same way, you need to deny sign-in under local accounts.

In a domain environment, multiple GPOs may be assigned to a computer. So to get the policies allowing local sign-in, you need to check the resulting policy settings. You can use the rsop.msc console or the gpresult tool to get the resulting GPO settings on your computer.

Note that users can use interactive RDP sessions to connect to a Windows device (if RDP is enabled on that device) despite being denied local logon. The list of users who are allowed to log in via Remote Desktop is set in the same GPO section using the Allow logon through Remote Desktop Services option.

Another reason why you can see “The sign-in method you are trying to use isn’t allowed” error is when a list of computers a user is allowed to log on to is restricted in the LogonWorkstations user attribute in AD (read more here). Using the Get-ADUser PowerShell cmdlet, you can display a list of computers a user is allowed to log on to (by default, the list is empty):

(Get-ADUser maxbak -Properties LogonWorkstations).LogonWorkstations

In some cases, you may allow a user to log on to the domain controller/ Windows Server hosts over RDP or locally. It is enough to add a user account to the local policy Allow log on locally on your server. Anyway, it will be better than adding a user to the Local Administrators group. However, it is even better to use an RODC domain controller for security reasons.

You can also allow local logon using ntrights (the tool was included in some old Admin Pack versions). For example, to allow local logon for a domain group, run the command below:

ntrights +r SeInteractiveLogonRight -u "GroupName"

To deny local logon:

ntrights -r SeInteractiveLogonRight -u "UserName"

2 comments
0
Facebook Twitter Google + Pinterest
Group PoliciesWindows 10Windows Server 2019
previous post
VMWare ESXi: Errno 28 — No space left on device
next post
Configuring PowerShell Remoting (WinRM) over HTTPS

Related Reading

How to Find the Source of Account Lockouts...

March 12, 2024

How to Delete Old User Profiles in Windows

March 15, 2024

How to Refresh (Update) Group Policy Settings on...

August 13, 2024

Configuring Windows Firewall Rules Using Group Policy

March 15, 2024

Copy Files and Folders to User Computers via...

March 15, 2024

Updating List of Trusted Root Certificates in Windows

March 11, 2024

How to Hide or Show User Accounts from...

July 24, 2024

Updating Group Policy Administrative Templates (ADMX)

January 24, 2025

2 comments

Abel April 7, 2025 - 2:07 am

I am having this issue with a laptop I am unable to logon to. I am unable to open windows and as a result I am not able to do the steps you outlined above. I am not sure what happened, but I am not able to access the operating system, and this laptop has never been on any network, my account is a local account.

Reply
admin April 8, 2025 - 5:50 pm

Use the built-in Administrator account to log in locally and reconfigure local security policy settings.
This post explains how to enable the Administrator account and reset its password: https://woshub.com/enable-built-in-administrator-account-in-windows-10/#h2_3

Reply

Leave a Comment Cancel Reply

join us telegram channel https://t.me/woshub
Join WindowsHub Telegram channel to get the latest updates!

Recent Posts

  • Encrypt Any Client-Server App Traffic on Windows with Stunnel

    June 12, 2025
  • Failed to Open the Group Policy Object on a Computer

    June 2, 2025
  • Remote Desktop Printing with RD Easy Print Redirection

    June 2, 2025
  • Disable the Lock Screen Widgets in Windows 11

    May 26, 2025
  • Configuring Windows Protected Print Mode (WPP)

    May 19, 2025
  • Map a Network Drive over SSH (SSHFS) in Windows

    May 13, 2025
  • Configure NTP Time Source for Active Directory Domain

    May 6, 2025
  • Cannot Install Network Adapter Drivers on Windows Server

    April 29, 2025
  • Change BIOS from Legacy to UEFI without Reinstalling Windows

    April 21, 2025
  • How to Prefer IPv4 over IPv6 in Windows Networks

    April 9, 2025

Follow us

  • Facebook
  • Twitter
  • Telegram
Popular Posts
  • Updating List of Trusted Root Certificates in Windows
  • How to Delete Old User Profiles in Windows
  • Fix: Remote Desktop Licensing Mode is not Configured
  • Configure Google Chrome Settings with Group Policy
  • Allow Non-admin Users RDP Access to Windows Server
  • Configuring FSLogix Profile Containers on Windows Server RDS
  • How to Backup and Copy Local Group Policy Settings to Another Computer
Footer Logo

@2014 - 2024 - Windows OS Hub. All about operating systems for sysadmins


Back To Top