Cannot logon with domain user account

[DMix]

Add domain account to local machine "Users" group and
attempt to log in. Get error message "The Local Policy
of this system does not permit you to log on
Interactively".

Adding account to local "Administrators" group will not
produce problem.

Go to "Local Security Settings-Local Policy-User Rights
Assignment" and all options (specifically Log on Locally
properties) are greyed out. These settings get turned
off once computer is added to a domain and removing from
a domain will not return these setting options!

Bug with XP - unable to work around.
Any suggestions greatly appreciated!!

 

[David Jones]

It's not a bug.
On your domain controller, you need to change the Domain
Security Policy (in administrative tools) to allow Domain
Users to log on locally.
Right now, the DC is telling all machines in the domain
what policy they should set. You need to change what the
DC is telling the machines, hence the above.

 

[Roger Abell]

As indicated, an AD enforced GPO is controlling
the group policies of the local machine. This GPO
may or may not be set at the domain level.
After the machine is removed from domain, and then
rebooted a couple times, is the old domination of the
local policy not cleared ?