I am helping a friend on vacation. His boss called saying a new user on their SBS 2011 box can't log into their desktop - they get the 'local policy does not allow you to log on interactively'.
This is a standard domain user logging in at a DESKTOP - I know only domain admins can get onto the SBS box directly,
Looking at local policy, I see the entry log in locally has 1 user that always sits at that desk, local admins and domain admins. The add button and that screen is grey - can't add / change anything.
I wound up going into control userpasswords2 and making this user a local admin and she could get in.
How would I put comain users in the log in local screen since it's greyed out (that was local policy on that machine - and she couldn't log in on other machines either so it's likely something someone did at each machine? (to lock it to 1 user and local and domain admins).
usually domain users would be in the 'log in locally' policy for a desktop, right?
I forget - does domain group policy override local policy or vice versa?