Are those the local or effective settings?? They need to show as the
effective settings. Also make sure that there are no entries in effective
settings for deny logon locally. If it still does not work, try adding
everyone to the logon locally user right. If the computers are in the
default domain container, modify the Domain Security Policy so that
users/administrators/everyone are in the logon locally user right and add
just the guest account to deny logon locally. Then run " secedit
/refreshpolicy machine_policy enforce " on the domain controller and reboot
a domain workstation to see if that helps. In Active Directory Users and
Computers, look in the domain container by right clicking the domain name
and select Group Policy. If there is more than one GPO present, the one at
the top of the list takes precedence and you should check all of them to see
if they are configured to restrict user rights. In a default installation
only the default domain policy is present. If the computers are not in the
default container you will also need to check any Group Policy Objects in
the Organizational Unit they are in. Since apparently you can logon , you
can use the gpresult support tool to see what computer policies are applied
to the computer and the last time the policy was applied. The support tools
are on the install cd in the support/tools folder where you need to run the
setup program there to install the set of support tools. I would also run
netdiag on one of your domain computers to see if any problems are reported
such as dc discovery, dns, kerberos, trust/secure channel. Review the link
below on Active Directory DNS to make sure your dns is set up correctly for
the domain. If it is not, problems can ensue such as changes to domain Group
Policy not propagating properly to domain computers and user.--- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;291382