Domain Users receive "local Policy of this system does not allow you to log on Interactively"

Good evening everyone,

I've been working on group policies and somewhere I've messed up.
First I want to say that I've read through a few pages of current topics but nothing has helped so far.

What I've got is this: with the following OUs.  General Users, Information Systems, and Restricted Internet Access.  I've moved the majority of the users to General Users and given it a gpo named general users.  Same type thing for the IS OU and the Restricted Internet Access OU.  

I moved the users to the general users OU this morning.  Well sometime after lunch, some people tried to log back in [on a domain PC-not the domain controller] and received the above error.  If I add them to Domain Admins [which I did due to the nature of our work but of course I don't want to keep them as such]

I've looked at the deny logon locally and the allow logon in the Default Domain Controllers policy and they looked fine.  [Well domain users was not in the allow-I added it-and only one thing was in the deny {domain.SUPPORT_388945a0}

I'm sure I've left some fital info out so please ask questions...  Also I know very little about policies so please bear with me.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

mbarnesseoAuthor Commented:
Well thanks to the powers that be and my own stupidity I think it is fixed.  I would like to keep this open for the same amount of points.  I think - think I say- that I shouild of ran the secedit /refreshpolicy machine_policy /enforce.  [Doesn't changes in domain controller policy take awhile to trickle down?]

Bonus question:

I've been trying to use GPOs to limit internet access.  I've read a lot of the posts about the subject and decided the cheapest and easiest course of action for what I want is to use the 'fake' proxy server.  However, I do want them to get to a few sites that they use for work.  Unfortunately it seems that the exception list is limited to the number of characters or entries.  Is there a way to increase that or have the GPO look at a text file?

I know... using an actual proxy server would be the best way... but this company will not spring for one.

thanks again

You could use a Proxy Auto Configuration (pac) script, which would return "direct" for any allowed site, and a fake proxy for everything else.
Navigator Proxy Auto-Config File Format

Maybe of interest, here's a site that offers a pac script that prevents downloads from ad servers:
Bust Banner Ads with Proxy Auto Configuration

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mbarnesseoAuthor Commented:
Anyone else have any suggestions?  I want to reward points on Monday...


It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.