I added a 2012 server to an environment and ever since we can't login to the servers (both domain controllers) locally - standing in front of them. We can RDP to them just fine, but not locally.
I've done the obvious things such as insure adminsitrators, and even my specific domain\username is set to allow log on locally on both gpedit.msc and gpmc.msc (local and domain GPOs). The deny is not configured on any of them. This is what I did
Run gpedit.msc and also gpmc.msc for domain GPOs
2. Expand Windows Settings\Security Settings\Local Policies
3. Click on User Rights Assignment
4. Ensure that "Allow log on locally" includes Administrators and added a few domain admins and no one can get in locally.