/
  • Last updated
/
  • 4 min read

How to Deny Local Sign-In for Users and Groups in Windows 10

How to Deny Local Sign-In for Users and Groups in Windows 10 blog banner image

Controlling user access on specific devices is a common practice in networked or managed environments. It’s a solid protocol for blocking unauthorized access and maintaining system integrity. If you wish to implement this policy in your domain, this guide on how to deny local sign-in for users and groups in Windows 10 will help you execute it with confidence.

How to deny users or groups from signing in locally

Before we begin, consider making an image or file backup so that you have a restore point with all your essential data intact.

With that said, there are a couple of options for limiting local user login in Windows 10:

✔️ Group Policy

✔️ Local Security Policy

If you want to continue disabling local user logins, the recommended console for this task is the Local Security Policy for ease of use. Follow along for the step-by-step guide.

Option 1: Using Local Security Policy (recommended)

⚠️ Note: Local Security Policy is exclusive to Windows 10 ProEnterprise, and Education editions.

  1. Press Win + R to open Run, type secpol.msc, and tap OK.
  2. In Local Security Policy, navigate to Local Policies → User Rights Assignment. Under the Policy list, double-click Deny log on locally.
  3. Tap Add user or group on the next dialog box and press Advanced.
  4. Click on Object types, toggle ✅ all selections, and press OK to confirm.
  5. Press Find Now and select the user account or group you want to restrict from logging on locally.
  6. Confirm the changes by pressing Apply, then OK.

Option 2: Group Policy (For Windows Pro, Ennterprise, and Education)

  1. Press Win + R, type gpedit.msc, and press Enter to open Local Group Policy Editor.
  2. Navigate to Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment.
  3. Find and double-click Deny log on locally in the right pane.
  4. Click Add User or Group…, then enter the usernames (e.g., User1) or group names (e.g., DOMAIN\Group1) you want to restrict.

If the changes don’t take effect immediately, you may restart the system or run gpupdate /force in Command Prompt to apply the update. Here’s a guide on how to use GPUpdate.

Troubleshooting local user login in Windows 10 policy

Restricting Windows login as a local user is a good practice for preventing unauthorized access and protecting data integrity. But if you’re not yet used to the process, these common issues may hinder your progress:

Issue: User is still able to sign in after the restriction

Users who signed in before the restrictions were applied must be asked to log out and restart the device for the changes to take effect. If you are executing this change for the first time, we recommend doing it during downtime or sending notifications in advance.

Issue: Accidentally locked out all users

Rebooting in safe mode may bypass some restrictions. Otherwise, if another Administrator account remains active, you can try troubleshooting from that account.

If you are completely locked out of the system, you may need to reset the computer to restore control access.

Local Sign-in Policy FAQs

What happens if I accidentally restrict all users, including administrators?

If you accidentally locked out all accounts (including administrators), you’ll be locked out of the system and may need to reboot in safe mode. If the restrictions persist, you may need to reset your computer.

Can I deny local sign-in but still allow remote access?

Yes. The local sign-in restriction doesn’t include limitations for remote desktop access, which needs to be configured via the Allow log-on through Remote Desktop Services policy.

Polish your remote access policy using User Rights Assignment Security Policy Settings to manage RDS.
→ Check out our guide to learn more.

Does this restriction apply to all Windows editions?

Changes in the Local Security Policy will only affect Windows 10 Pro, Enterprise, and Education devices. These editions have exclusive access to the console.

How do I check which users have been denied local sign-in?

You can check the respective allow list in the Local Security Policy (via Properties ).

Will this setting prevent users from logging in via Remote Desktop?

No. You must set this up separately in the Allow log-on through Remote Desktop Services policy.

How do I prevent other users from logging on to my computer?

Apart from this guide on “How do I disable other user logins in Windows 10?”, you may consider other encryption methods, such as enabling picture passwords or enforcing full disk encryption (FDE).

Final thoughts on how to prevent other users from logging into Windows 10

User Rights Assignment policies are a great way to manage user control access in your device or networked environment. If you intend to change these settings, including local sign-ins, we recommend using Group Policy or the Local Security Policy console to limit the risk of making unwanted changes.

Start your Free Trial

You might also like

How to Configure Improve Inking and Typing Recognition in Windows 10 blog banner image

How to Improve Inking and Typing Recognition in Windows 10

How to Add or Remove the System Cooling Policy from Power Options in Windows blog banner image

How to Add or Remove the “System Cooling Policy” from Power Options in Windows

Hide or Show Firewall and Network Protection in Windows Security in Windows 10 blog banner image

How to Hide or Show Firewall and Network Protection in Windows Security

How to Turn On or Off Play HDR Content When on Battery in Windows 10 blog banner image

How to Turn On or Off Play HDR Content When on Battery in Windows 10

Quick Guide- How to View All Network Shares on a Windows PC blog banner image

Quick Guide: How to View All Network Shares on a Windows PC

How to Allow or Prevent Users and Groups to Log on with Remote Desktop in Windows blog banner image

How to Allow or Prevent Users and Groups to Log on with Remote Desktop in Windows 10

Back to Blog Home
Ready to simplify the hardest parts of IT?
Start a Free Trial
Get a demo
×

See NinjaOne in action!

By submitting this form, I accept NinjaOne's privacy policy.

NinjaOne Terms & Conditions

By clicking the “I Accept” button below, you indicate your acceptance of the following legal terms as well as our Terms of Use:

  • Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
  • Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
  • Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library belonging to or under the control of any other software provider.
  • Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
  • Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
  • Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
  • EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
I Accept