In this blog post, I will show you how to allow users to log in to an Active Directory Domain Controller without having domain admins right.
I know that in many cases this, not the best practice option; however, you might come across a situation like this as part of a testing use case.
To allow users to log in locally to Domain Controllers, we need to edit the Domain Controller Group policy which is located under the Domain Controllers OU.
Edit Default Domain Controller Group Policy
To get started, Open GPMC and edit the following settings.
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Right Assignment.
From the User Rights Assignment page, locate the Allow log on locally option and double click on it.
By default, there are a few groups that are allowed to log in locally as shown below.
To add a user or a group, click on the Add User or Group and select them.
