I have created an ASP.NET application which impersonates the user in order to create an AD group, and then launches a PowerShell process as the user (separately from the impersonation).
For some reason the group creation works fine and shows as success in the Event Viewer, but when it tries to run the PowerShell script, I get the following error:
The user has not been granted the requested logon type at this machine.
The following is the code I am using which is failing:
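
    // Requires: using System.Diagnostics; using System.Management.Automation; using System.Security;
    // Copy the submitted password into a SecureString for the credential APIs.
    SecureString securePassword = new SecureString();
    foreach (char c in model.AdminPassword)
    {
        securePassword.AppendChar(c);
    }
    PSCredential psCredential = new PSCredential("CONTOSO\\" + User.Identity.Name, securePassword);

    // Launch powershell.exe as the user; model.Name is concatenated into the argument string as-is.
    ProcessStartInfo info = new ProcessStartInfo("c:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", "c:\\PowershellScripts\\EnableDL.ps1 -dlName '" + model.Name + "'");
    info.UseShellExecute = false;   // required when starting the process under other credentials
    info.RedirectStandardOutput = true;
    info.RedirectStandardError = true;
    info.RedirectStandardInput = true;
    info.CreateNoWindow = true;
    info.Domain = "CONTOSO.COM";
    info.UserName = User.Identity.Name;
    info.Password = securePassword;
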
Is there any way to bypass this error? I would rather not fiddle with the security policy on the server ideally, and this application needs to be used by around 30+ users.
I have managed to fix this myself. You need to go to Start->Administrative Tools->Local Security Policy.
Navigate to Local Policies->User Rights Assignment->Allow Log On Locally, and add the usernames of the accounts/groups which require access.
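
To check the result of that policy change, the following added example (not part of the original post) lists which accounts hold "Allow log on locally" (`SeInteractiveLogonRight`) and its deny counterpart on the server. It assumes an elevated PowerShell prompt; the function name `Get-LogonRightHolder` and the temporary file name are made up for this example.

```powershell
# Added example: report the holders of the interactive-logon user rights.
# secedit.exe ships with Windows; run this from an elevated prompt.
function Get-LogonRightHolder {
    param(
        [string[]]$Right = @('SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight')
    )
    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user-rights section of the effective local policy.
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

        foreach ($line in Get-Content -LiteralPath $cfg) {
            # Lines look like: SeInteractiveLogonRight = *S-1-5-32-544,CONTOSO\someuser
            if ($line -match '^\s*(\w+)\s*=\s*(.*)$') {
                $name    = $Matches[1]
                $entries = $Matches[2] -split ','
                if ($Right -notcontains $name) { continue }

                foreach ($entry in $entries) {
                    $entry = $entry.Trim()
                    if (-not $entry) { continue }
                    $account = $entry
                    if ($entry.StartsWith('*')) {
                        # A leading * marks a SID; translate it to a name when possible.
                        try {
                            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
                        } catch {
                            $account = $entry.Substring(1)  # unresolvable SID, keep it raw
                        }
                    }
                    [pscustomobject]@{ Right = $name; Account = $account }
                }
            }
        }
    } finally {
        # The export contains policy data; do not leave it in %TEMP%.
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

Get-LogonRightHolder | Sort-Object Right, Account | Format-Table -AutoSize
```

An account listed under `SeDenyInteractiveLogonRight` is still refused even if it also appears under `SeInteractiveLogonRight`, and a domain GPO that defines these rights will overwrite local edits at the next policy refresh.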