I recently upgraded our second server to be an additional Active Directory computer. When I did this all of the user that were in the group Domain Users would get the error message "The local policy of this system does not permit you to logon interactively" when they tried to log into the server through Terminal Services. I know that I could add them to the administrator group and they wouldn't get this message, but I don't want to have to do this.
I have gone into gpedit.msc and for the policy Log On Locally, I have added the group "Domain Users" however, the Effective Settings, has this policy disabled for Domain Users. Where is this effective setting coming from?