got report that one of our users tried logging into their xp machine in windows 2003 domain and got error that local policy wont permit logon interactively. Only admin works and this was ok day before. Used gpedit to look at local security policy under user rights assignment and saw that only domain admins allowed on machine and add button grayed out so cant add any other users. Most likely this was caused by a microsoft update as i have seen it before with remote desktop getting same error after an update. Temporarily put them in domain admin group and able to get in but obviously dont wanna keep this setting. Is there a way to override the local policy with domain wide policy to allow user to get into their machine? Would removing from domain then joining again work? thanks also tried system restore but didnt work so not sure now if it was an update.