🟑 Medium   ⏱ 5–30 min  Last verified: 01 April 2027
Affected versions: Windows Server 2016

πŸ“– ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Admins on Windows Server 2016 cannot use RunAs because the target account lacks ‘Allow log on locally’ or has ‘Deny log on locally’ applied, returning logon failure 1385.

Environment & Reproduction

Reproducible from a console session attempting to elevate an admin tool with a different account.

secpol.msc
Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4625)]]" -MaxEvents 20

Root Cause Analysis

Hardened baselines restrict interactive logon to specific groups, denying others by policy.

Quick Triage

Capture failure and check policy.

secedit /export /cfg C:Temppolicy.cfg /areas USER_RIGHTS
Get-Content C:Temppolicy.cfg | Select-String 'SeInteractiveLogonRight','SeDenyInteractiveLogonRight'

Step-by-Step Diagnosis

Identify which policy controls the assignment.

gpresult /h C:Tempgp.html /f
Get-ADGroupMember 'Server Operators'
Illustrative mockup for windows-server-2016 β€” error_dialog
RunAs denied dialog β€” Illustrative mockup β€” Progressive Robot

Solution – Primary Fix

Add the account or group to ‘Allow log on locally’ and reapply policy.

Still having issues? Our IT Consulting team can diagnose and resolve this for you. Get in touch for a free consultation.

# Modify GPO via gpedit.msc - User Rights Assignment - Allow log on locally - add CORPAdmins
gpupdate /force
Illustrative mockup for windows-server-2016 β€” terminal_or_powershell
User Rights Assignment in secpol β€” Illustrative mockup β€” Progressive Robot

Solution – Alternative Approaches

Use ‘Log on as a batch job’ for scheduled scenarios instead of RunAs.

# secpol.msc: User Rights Assignment - Log on as a batch job - add CORPsvc-job
gpupdate /force

Verification & Acceptance Criteria

RunAs prompt succeeds and 4624 logon type 2 events appear.

Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4624)]]" -MaxEvents 5

Rollback Plan

Revert User Rights changes if security policy review rejects them.

# Remove account from Allow log on locally via gpedit.msc
gpupdate /force

Prevention & Hardening

Document interactive logon groups and avoid ad-hoc RunAs on production.

Get-Content C:Temppolicy.cfg | Select-String 'SeInteractiveLogonRight'

Linked with JIT admin and Just Enough Administration workflows.

Related tutorial: View the step-by-step tutorial for Windows Server 2016.

View all Windows Server 2016 tutorials on the Tutorials Hub β†’

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Microsoft Learn: User Rights Assignment and interactive logon policies.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β€” we respond within one business day.