Somehow, the user was placed on the "Deny Logon Locally" option.

[Ian Boyd]

One of our guys (a domain administrator) was placed in his own machine's
"Deny Logon Locally" list.

How could this happen?

Someone trying multiple (unsucessfully) to unlock his machine?

There is nothing in the security log.


He simple logged on as another administrator and cleared his name from the
list. But that's not the question.

How would he have gotten on there in the first place?

 

[David Jones]

A user or an application (run by anyone with Admin
credentials) put him there.

I don't know of any automatic ways that XP would do that -
without auditing rights uses and changes (not on by
default, and is rather spammy) there's not really a way
to figure it out after the fact.

 

[Ian Boyd]

I don't know of any automatic ways that XP would do that

There's not really a way to figure it out

Oh well.