Login to computer denied for new OU and GP

[PreviousPoster]

A bit if background first:

I am playing around with OU's and Group Policies at the moment, trying to get my head around the options and setup etc.

I have six or so computers on the domain, and have connected a test machine on the domain. The DC is Server 2003, the test machine XP Pro.

On the Domain Controller, I have created a test OU, called 'test'. I have created a new user in that OU, called 'tester'. I have created a Group Policy, and applied it to that OU. I have not setup anything in the group policy as yet. Everything is default.

I attempted to logon to the test machine using the 'tester' account, only to get the following error message:

"the local policy of this system does not permit you to logon interactively"

I have since found out that only the domain admins and administrators have the ability to log in to the computer.

I have found the following information: http://technet2.microsoft.com/window....mspx?mfr=true
And have done as it says, yet this does not fix the problem. Only adding the user to the domain admins group fixes the problem.

Any ideas?

[PreviousPoster]

Have you run the Resultant Set of Policy Wizard in logging mode agaisnt the computer account to determine if there is any group policy object settings which could configure the Allow Log on Locally user right assignment? (Computer Configuration>Windows Settings>Security Settings>Local Policies>User Rights Assignment)

Also, is the user object 'tester' configured to only logon to specific workstations? This is available from the Account tab from the user object.

What happens if you add the Domain Users security group to the Users security group on the local computer and then attempt to logon with your test account? If this still does not allow you to logon locally, add your test user account to the group policy object setting to allow log on locally.

[PreviousPoster]

Have you run the Resultant Set of Policy Wizard in logging mode agaisnt the computer account to determine if there is any group policy object settings which could configure the Allow Log on Locally user right assignment? (Computer Configuration>Windows Settings>Security Settings>Local Policies>User Rights Assignment)

Please bear with me, but im not sure how to do this?

Also, is the user object 'tester' configured to only logon to specific workstations? This is available from the Account tab from the user object.

User is set to logon to all computers.

What happens if you add the Domain Users security group to the Users security group on the local computer and then attempt to logon with your test account?

Domain users is already added to the user group on the local computer.

If this still does not allow you to logon locally, add your test user account to the group policy object setting to allow log on locally.

Not sure what this means? I have chenged the group policy to allow logon locally for that user, but still no go...

There seems to be something fishy going on?? Is there any way to tell if another group policy is overriding the one I have created and dissallowing access?

Also, shouldnt a group policy in AD override anything set on the local computer?