You are likely to encounter this grayed out button issue due to the following:
Some group policy defined in domain that has this security setting for the server.The current user is not a member of Domain Admins security group or Enterprise Admins security group.
In some cases, after you have created a new user in Active Directory on the Windows Server, and try to log in with the newly created user to a site or Windows, you may get the error message below; Now, when you receive the error message, and you proceed to configure the server to allow logon locally for the new user, you’ll now notice the Add User or Group button is disabled in User Rights Assignment for the current user.
Add User or Group button is grayed out in User Rights Assignment
If you’re unable to add a user on a Domain Controller because the Add User or Group button is grayed out in User Rights Assignment, you can try either of our recommended solutions below to resolve the issue. Let’s take a look at the description of the process involved concerning each of the listed solutions.
1] Modify default Domain Controller Policy setting
If you need to add a user account in local group policy, then you have to remove the security setting that disables the Add User or Group button from the Default Domain Controller Policy, set it to not defined, and then run gpupdate /force on the computers which the policy applied to. You can run gpresult /h report.html on the machine and check this security setting in report.html – it will show you which GPOs have been applied to the server. To manually check the policies applied on the machine, do the following:
On a Domain Controller, click Start > Run.Type gpmc.msc and hit Enter to load the GPMC console.In the left pane of GPMC, click the domain name to expand it.Select the policy you want to check (eg Default Domain Policy).Now, right-click the entry and select Edit to load the Group Policy Management Editor console for this group policy object.Navigate to the following setting:
At the location, check if there are some settings that have been configured under this.Repeat the above steps to check other GPOs.
2] Enable Add User or Group button in User Rights Assignment
To enable Add User or Group button in User Rights Assignment, do the following:
Open Administrative Tools as administrator.Press Shift and right-click to run Group Policy Management as a different user.Enter the credential of a domain administrator account.In Group Policy Management Editor.Navigate to the path below:
In the details pane on the right, double-click the Allow Log on Locally policy to edit its settings.In Allow log on locally Properties sheet, click on Add User or Group button.Proceed to add the new user.Click OK when done.Exit GPMC console.
To instantly reflect the above changes in Group Policy Management, do the following:
Press Windows key + R to invoke the Run dialog.In the Run dialog box, type cmd and then press CTRL + SHIFT + ENTER to open Command Prompt in elevated mode.In the command prompt window, type the command below and hit Enter to force Group Policy update:
Exit CMD prompt once the command executes.
That’s it!
What are some of the settings available in the User Rights Assignment?
User Rights Assignments are settings applied to the local device. The settings allow users to perform various system tasks, such as local logon, remote logon, accessing the server from the network, shutting down the server, and so on.
How do I add a user to logon locally?
To add a user to logon locally on a Windows server machine, follow these instructions:
Open GPMC.Navigate to the path below:
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment
At the location, double-click on Allow Log On Locally and add your users.
Where are User Rights Assignments stored?
You can configure the User Rights Assignment settings in the following location within the Group Policy Management Console (GPMC) under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment, or on the local device by using the Local Group Policy Editor (gpedit. msc).