logon failure and requested session denied

In this article, we shall discuss how to fix “Logon Failure: the user has not been granted the requested logon type at this computer”. Here is a similar article on this topic “Error 1385: The user has not been granted the requested logon type at this time“. I ran into this error during the cause of testing SystoLOCK as discussed ‘Protect your Windows Devices with MFA with SystoLOCK“, and “Set up Microsoft PKI (ADCS) for SystoLOCK via PowerShell“.

The error “logon failure” appears on Windows systems when a user (or service account) tries to log on. But the account does not have the right logon permissions assigned through Local Security Policy or Group Policy.

Each logon attempt is categorized into a logon type and will be displayed in the Windows Event log. Here is a blogpost on “The different Windows Logon Types“. Below are some common logon types error(s):

2 = Interactive (local logon)
3 = Network (e.g., accessing a shared folder)
4 = Batch (scheduled tasks)
5 = Service (Windows service startup)
7 = Unlock (workstation unlock)
10 = Remote Interactive (RDP)

Also, see Protect Remote Desktop credentials with Windows Defender Remote Credential Guard or Restricted Admin Mode, and Guide to Remote Desktop Connection Properties for Secure Access.

This error occurred when I was testing SystoLOCK passwordless authentication as mentioned above previously. In my case, despite configuring the necessary policies, RDP was not enabled. This is because, a user trying to RDP requires Allow log on through Remote Desktop Services. But it was not configured.

requested login type has not been granted

You may wan to lean about the differences between “Local Security Policy vs Local Group Policy“. Also, see All about Group Policies: Group Policy GPUpdate Commands. Also, see how to enable FIPS mode on Windows Server.

Step 1: Group Policy Restrictions

A Group Policy Object (GPO) may have restricted specific users or groups from using the required logon type. You can resolve this issue quickly by modifying the account’s rights in the Local Security Policy or via the Group Policy Management Editor.

Local Security Policy (for standalone systems): secpol.msc → Local Policies → User Rights Assignment

Group Policy Management (for domain-joined systems): Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment

If you also want the user to logon locally, you can add the user or group to the “Allow log on locally”. But, I am more concerned with the policy to “Allow log on through Remote Desktop Services” as shown below.

I will have to add the user or group here.

As you can see, I am adding a test user called “Matthew tester”.

The user has been added. Click on Ok to close this window.

Click on OK again to close this window after confirming that the user has been added.

Please, see how to troubleshoot Server Certificate could not be updated: Private key does not match, and how to Fix Error 0x87E10BC6 on a PC running Windows non-core Edition. Also, see “Merits and demerits of Local System Account and Service Logon Account“.

How to fix “The requested session access is denied”

When the above policy is configured, you will have another error when accessing with the user that the requested session access is denied.

This message appears is prompted when the account you are using to access does not have the correct rights to start or connect to a session on the target PC. It is very similar to “Logon Failure: User has not been granted the requested logon type”.

But here, the focus is session access, especially with Remote Desktop Services. Please, see The logon attempt failed for the remote desktop connection.

To fix this, we will have to enable Remote Desktop as shown in the image below. Also, see Auto Logon Error “Username and password specified is not valid”.

I hope you fund this article very useful on “Logon Failure: User has not been granted the requested logon type”. Please, feel free to leave a comment below.