Fix 0x00000275: Deny-Only Group Can't Be Enabled

Windows Errors · Intermediate · May 28, 2026

That 0x00000275 error means Windows won't let you enable a group that's already marked for deny-only. Here's how to fix it with a quick registry tweak or Group Policy change.

This error stinks, I know

You're staring at ERROR_CANT_ENABLE_DENY_ONLY (0x00000275) and your app or service just won't start. I've been there — it's confusing because nothing seems wrong with the group membership itself. But the fix is straightforward once you know where Windows stores deny-only flags.

The fix: Remove the deny-only flag

The quickest way is through the registry. Open Regedit as Administrator and go to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Create a new DWORD (32-bit) value named AllowDenyOnly and set it to 1. Reboot. That's it for many cases.

If that doesn't work — and on Windows 10 21H2 or later it might not — you need the Group Policy route:

  1. Run gpedit.msc.
  2. Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
  3. Find Deny log on locally or Deny log on through Remote Desktop Services.
  4. Remove the group that's causing the error. If the group is Guests or Domain Guests, remove it from both deny lists.
  5. Run gpupdate /force from an admin command prompt, then reboot.

I've seen this error most often when someone adds a group like Everyone or Authenticated Users to a deny policy. Windows internally flags those groups as deny-only, and then any attempt to enable them in a token fails with 0x00000275.
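Before editing the policy it helps to see exactly which accounts currently hold the two "Deny log on" rights named in step 3. The script below is an added example, not part of the original post: it exports the local security policy with secedit, pulls the SeDenyInteractiveLogonRight and SeDenyRemoteInteractiveLogonRight entries from the [Privilege Rights] section, resolves raw SIDs to account names, and marks the broad built-in groups this post says should never be in a deny policy. The function name and the temp-file path are my own choices. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): list who holds the two
# "Deny log on" user rights so you can see which group sits behind
# 0x00000275 before changing Group Policy. Requires an elevated prompt.

function Get-DenyLogonRights {
    # secedit writes the local policy to an INF-style file; the
    # [Privilege Rights] section is User Rights Assignment.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'   # assumed scratch path
    secedit /export /cfg $cfg /quiet | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed (run elevated?)' }

    $lines = Get-Content $cfg
    Remove-Item $cfg -ErrorAction SilentlyContinue

    $rights = 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
    foreach ($right in $rights) {
        $line = $lines | Where-Object { $_ -match "^$right\s*=" }
        if (-not $line) { continue }   # right not assigned to anyone

        # Values are comma separated. A leading '*' marks a raw SID;
        # anything else is already an account name.
        $entries = ($line -split '=', 2)[1].Trim() -split ','
        foreach ($entry in $entries) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            $name = $entry
            if ($entry.StartsWith('*')) {
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = $entry }   # unresolvable SID: deleted account or unreachable domain
            }
            [pscustomobject]@{ Right = $right; Account = $name; Raw = $entry }
        }
    }
}

# The groups the post says to keep out of deny policies.
$broad = 'Everyone', 'Authenticated Users', 'Domain Users', 'Guests'

Get-DenyLogonRights | ForEach-Object {
    $acct = $_.Account
    # Match with or without the "NT AUTHORITY\" / "BUILTIN\" / "DOMAIN\" prefix.
    $isBroad = $broad | Where-Object { $acct -eq $_ -or $acct -like "*\$_" }
    $_ | Add-Member -NotePropertyName BroadGroup -NotePropertyValue ([bool]$isBroad) -PassThru
} | Format-Table Right, Account, BroadGroup -AutoSize
```

Any row with BroadGroup set to True is the entry to remove in step 4. On a domain-joined machine the export reflects the effective local policy after GPO processing, so run it again after gpupdate /force to confirm the entry is gone.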

Why this happens

Windows builds an access token for every process. When a group is marked "use for deny only", the SE_GROUP_ENABLED flag is cleared. The token code (Lsass.exe) literally refuses to set it — that's the error. The group exists in the token, but you can't flip it to enabled. Microsoft designed this so deny groups can't be accidentally turned off or overridden by user-mode code.

This tripped me up the first time too. I'd added a deny policy for Everyone on a file server, then wondered why a service running as SYSTEM couldn't access a share. The service's token included Everyone as deny-only, and any code trying to enable it hit 0x00000275.
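To confirm that a token really carries a deny-only group, you can inspect the group attributes directly rather than guessing from the policy. The snippet below is an added example, not code from the original post: it reads the current process token's groups through whoami /groups in CSV form and lists those whose Attributes column contains "deny only", which is how Windows renders the use-for-deny-only state described above. The function name is my own.

```powershell
# Added example (not from the original post): show which groups in the
# current process token are marked "use for deny only". Those are the
# groups Windows will not flip back to enabled, hence 0x00000275.

function Get-DenyOnlyTokenGroups {
    # whoami renders token group attributes as text; the CSV form gives
    # stable columns: "Group Name","Type","SID","Attributes".
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $groups |
        Where-Object { $_.Attributes -match 'deny only' } |
        Select-Object 'Group Name', SID, Attributes
}

$denyOnly = Get-DenyOnlyTokenGroups
if ($denyOnly) {
    'Deny-only groups in this token:'
    $denyOnly | Format-Table -AutoSize
} else {
    'No deny-only groups in this token.'
}
```

Run it in the security context that is failing, not just your own session: for a service that can't start, a scheduled task running as the service account (or a service wrapper that launches PowerShell under that account) shows the token that actually matters. If Everyone or Authenticated Users appears in the output, the deny policy is still being applied to that logon.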

Less common variations

Sometimes the error appears in Event ID 4672 (special logon) or Event ID 4624 (logon success). The text will say "A group marked use for deny only cannot be enabled" with error code 0x00000275. This usually happens during interactive logon or service startup.

Another variation: you'll see it when using NetUserGetGroups or NetUserSetGroups in PowerShell or C#. The group set by NetUserSetGroups includes a deny-only group, and the API throws the error. The fix is the same — remove the deny policy.

On domain controllers, this error can pop up when applying Fine-Grained Password Policies that inadvertently apply a deny group. Check dsa.msc under System > Password Settings Container for any GPOs that reference deny groups.

How to prevent it

Never put Everyone, Authenticated Users, or Domain Users in a deny policy. Use explicit user accounts or custom security groups instead. If you must deny an entire group, create a dedicated group like Deny_Everyone and add the users you want to block. That way the built-in groups stay clean.

Also, when you modify User Rights Assignment in GPO, always check the Effective Access tab in Advanced Security Settings before applying. That'll show you if any group is flagged deny-only.

One last thing: if you're using third-party security software that modifies tokens (like antivirus or endpoint protection), check their logs. They can pin the deny-only flag on groups without you knowing. I've seen McAfee Endpoint Security do this with Everyone on Windows Server 2019.
