At a client of ours they started getting login errors saying that a local policy restricts them from logging in locally. This all started after two things happened. Firstly I installed WSUS on a dedicated server and setup group policy so that the clients download their updates directly from that server (nothing special) and I did this a million times on a bunch of clients and I never have any problems with it. Secondly I created a security policy hash rule to block all windows games. Again nothing special. Any speculation regarding this will be helpful. If your guys need a full list of all the policies and what I set it to then let me know!