Hello. I was having problems logging into machines with any domain user account. I needed to explicitly add a domain user to a machine before that user could log in.
I adjusted an old Default Domain Policy so that the setting for "Allow log on locally" is for Domain Users, Domain Admins and local Admins. (It was lacking the "Domain Users" group and I believe this is what was creating this situation.)
At first, this setting seemed to work and I could go to a machine and domain users could log in no problem. Then, seemingly at random, it stopped working. When I checked the GPO on the server, the policy was still the adjusted one. However, when logging in locally, I noticed the local security policy had reverted back to the old one and disallowed domain users from logging in without being added explicitly.
I have researched this ad nauseam and have not gotten too far with this. I have removed and rejoined the domain, I have tried to create a new default domain policy, etc. I have looked into the registry but don't understand too much about that; I was hoping there was a way to change a setting or find the old policy and destroy it.
Client is Windows 7 and Server 2008 R2. Any other ideas?