Batch Script Automation: Programmatically Modify “Deny Logon Locally” Policy via Secedit/Command Line



When managing standalone Windows machines at scale, we often need to automate security policy modifications. The "Deny logon locally" policy is particularly sensitive as it controls interactive login rights. Here's how to handle this through batch scripting without manual GUI intervention.

The secedit.exe utility provides the most robust method for policy automation. Here's the complete workflow:

@echo off
:: Back up the current user-rights assignments before changing anything
secedit /export /cfg backup_policy.inf /areas USER_RIGHTS

:: Build a minimal INF. User rights belong under [Privilege Rights]; appending a
:: line to the end of the (UTF-16) export would land in the wrong section and mix encodings.
> deny_policy.inf echo [Unicode]
>> deny_policy.inf echo Unicode=yes
>> deny_policy.inf echo [Version]
>> deny_policy.inf echo signature="$CHICAGO$"
>> deny_policy.inf echo Revision=1
>> deny_policy.inf echo [Privilege Rights]
:: secedit sets the right to exactly this comma-separated list. Replace the account
:: below with the one to block; as written it denies the account running the script.
>> deny_policy.inf echo SeDenyInteractiveLogonRight = %USERDOMAIN%\%USERNAME%

:: Apply modified policy
secedit /configure /db temp.sdb /cfg deny_policy.inf /areas USER_RIGHTS
if errorlevel 1 echo secedit failed with exit code %errorlevel%

:: Cleanup (backup_policy.inf is kept so the change can be reverted)
del deny_policy.inf /Q
del temp.sdb /Q

For modern systems, PowerShell offers better error handling. Windows ships no cmdlet for user-rights assignments, so the script still drives secedit, but it can write the INF with the right encoding and stop on a non-zero exit code:

$Account = "NewUser"   # Replace with the account to deny; secedit sets the right to exactly this comma-separated list
$inf = "$env:TEMP\deny.inf"
@('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]', "SeDenyInteractiveLogonRight = $Account") | Set-Content $inf -Encoding Unicode
secedit /configure /db "$env:TEMP\deny.sdb" /cfg $inf /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE" }
Remove-Item $inf, "$env:TEMP\deny.sdb" -ErrorAction SilentlyContinue

  • Always test policies in non-production first
  • Account for existing policy entries (comma-delimited format)
  • Handle 32-bit vs 64-bit system differences
  • Consider creating system restore points before batch deployment

For large deployments, combine with PSExec for remote execution. Add -c so the script is copied to each target (without it, script.bat must already exist on the remote machine), omit -p so PsExec prompts for the password instead of leaving it in the command line and shell history, and note that -d returns immediately, so the exit code will not reflect whether secedit succeeded:

psexec @computerlist.txt -u admin -h -n 5 -d -c script.bat

When managing multiple standalone Windows systems, programmatically modifying local security policies becomes crucial for consistent configuration. The specific requirement to add users to the "Deny logon locally" policy across hundreds of non-domain-joined machines presents unique technical challenges.

The Windows-native secedit.exe utility provides the most robust command-line interface for security policy modifications. This approach works on all modern Windows versions without requiring additional installations.

@echo off
if "%~1"=="" (
    echo Usage: %~nx0 ACCOUNT   ^(e.g. %COMPUTERNAME%\someuser, or a SID such as *S-1-5-32-546^)
    exit /b 1
)

:: Create temporary INF file. User rights go under [Privilege Rights], not [System Access];
:: the redirect-first form avoids a trailing space after each section name.
> temp.inf echo [Unicode]
>> temp.inf echo Unicode=yes
>> temp.inf echo [Version]
>> temp.inf echo signature="$CHICAGO$"
>> temp.inf echo Revision=1
>> temp.inf echo [Privilege Rights]
:: secedit sets the right to exactly this list, so pass every account to deny, comma-separated
>> temp.inf echo SeDenyInteractiveLogonRight = %~1

:: Apply the policy
secedit /configure /db temp.sdb /cfg temp.inf /areas USER_RIGHTS
if errorlevel 1 echo secedit failed with exit code %errorlevel%

:: Cleanup
del temp.inf
del temp.sdb

For systems with PowerShell available (Windows 7+), this provides more flexibility:

$user = "Domain\UserName"  # Replace with the account to deny; a SID (*S-1-5-21-...) avoids name resolution
$tmpPath = "$env:temp\secpol.inf"
secedit /export /cfg $tmpPath /areas USER_RIGHTS | Out-Null   # export is UTF-16; Get-Content detects the BOM
$lines = Get-Content $tmpPath
# Append to an existing comma-separated list; an empty right is absent from the export, so add it under [Privilege Rights]
if ($lines -match '^SeDenyInteractiveLogonRight\s*=') {
    $lines = $lines -replace '^(SeDenyInteractiveLogonRight\s*=.*\S)\s*$', "`$1,$user"
} else {
    $lines = $lines -replace '^\[Privilege Rights\]\s*$', "[Privilege Rights]`r`nSeDenyInteractiveLogonRight = $user"
}
$lines | Set-Content $tmpPath -Encoding Unicode
secedit /configure /db "$env:temp\secedit.sdb" /cfg $tmpPath /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }
Remove-Item $tmpPath, "$env:temp\secedit.sdb" -ErrorAction SilentlyContinue

  • Always test on non-production systems first
  • Handle error checking in your batch script (verify secedit return codes)
  • Consider creating system restore points before mass deployment
  • For mixed environments, include architecture checks (32-bit vs 64-bit)

When deploying to hundreds of machines:

  1. Package the batch file with required dependencies
  2. Implement logging to track execution status
  3. Schedule execution via task scheduler if immediate application isn't required
  4. Consider using PDQ Deploy or similar tools for large-scale distribution
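As an added example (not part of the original article), a post-deployment check that confirms the account actually landed in the "Deny log on locally" list and writes one log line per machine, covering both the return-code check and the execution logging recommended above. It compares by SID because secedit exports accounts as *S-1-... entries; the function name and the log path are assumptions of this example.

```powershell
# Post-deployment check: is $Account in the local "Deny log on locally" list?
# secedit writes accounts to the export as SIDs prefixed with '*', so the
# comparison is done by SID rather than by display name.
function Test-DenyInteractiveLogon {
    param(
        [Parameter(Mandatory)][string]$Account,                      # "MACHINE\svc_backup" or "S-1-5-21-..."
        [string]$LogPath = "$env:ProgramData\deny-logon-audit.log"  # assumed log location
    )
    # Resolve a name to its SID; a SID string is used as-is
    $sid = if ($Account -match '^S-1-') { $Account } else {
        ([System.Security.Principal.NTAccount]$Account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    }

    # Export only the user-rights area to a per-process temp file
    $inf = Join-Path $env:TEMP "deny-audit-$PID.inf"
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

    # The right is absent from the export when nobody is assigned to it
    $line = Get-Content $inf | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue

    $denied = @()
    if ($line) {
        $denied = ($line -split '=', 2)[1].Split(',') | ForEach-Object {
            $entry = $_.Trim()
            if (-not $entry) { return }
            if ($entry.StartsWith('*')) { $entry.TrimStart('*') }   # already a SID
            else {                                                  # a name: translate it too
                try { ([System.Security.Principal.NTAccount]$entry).Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value } catch { $entry }
            }
        }
    }

    $present = @($denied) -contains $sid
    $status = if ($present) { 'PRESENT' } else { 'MISSING' }
    "$(Get-Date -Format o) $env:COMPUTERNAME $Account ($sid) $status" | Add-Content -Path $LogPath
    return $present
}

# A non-zero exit code lets the deployment tool flag machines where the policy did not apply
if (-not (Test-DenyInteractiveLogon -Account $args[0])) { exit 1 }
```

Run it as the last step of the deployment script with the same account argument; the log then gives a per-machine PRESENT/MISSING record to reconcile against the computer list.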