event id 533 occurring @ wkstns

15 Posts
Joined 2001-12-18
i've just re-built my win2k domain after a dc crash, & the "domain users" group is unable to logon to any of my wkstns. they're getting eventid: 533 - your user acct is not configured to allow you to use this computer, please find another.
 
so, i checked my domain security policy, under user rights assignment to see if the correct setting was made. the following appears under the "logon locally" setting:
 
Administrators
NAME\Domain Admins
NAME\Domain Users
SYSTEM
SERVICE
 
(**NAME, being the domain name)
 
so, i checked their individual user accts under the "account" tab to make sure that the default setting under the "logon to" button was still set to "all computers," which it was. then i checked the individual wkstns to make sure that the domain policy was being applied. both Domain Admins & Domain Users were found under each wkstn's "logon locally" setting under their Local Security Policy. i then enabled NetBT on each of the wkstns, to see if that would help, but it didn't.
 
in addition to support.microsoft, & microsoft.com/technet searches, i've run a forum search & found this post:
 
http://www.ntcompatible.com/vb/showthread.php?s=&threadid=18209&highlight=event+533
 
unfortunately, it did not shed any light on my situation, however, it seemed that his problem was solved by manipulating this "logon locally" setting. however, the setting that he said he switched seems to be correctly applied in my case.
 
i haven't applied any security templates, & the "logon locally" setting is one of only a few domain user rights assignment policies that i've defined. IPSec is not running, nor are any IIS or terminal services.
 
ONE VERY STRANGE THING: ALL users can logon to my sole DC. only the wkstns are giving me this problem. i also checked for differences between my domain security policy, & my domain controller security policy, & could find no glaring differences.
 
i'm tempted to "undefine" the "logon locally" user right assignment altogether, but would like some security in the domain. PLEASE HELP
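
The manual comparison described in the post above (the domain's "logon locally" list versus what each workstation actually holds) can be scripted. This is an added example, not part of the original thread; it assumes the settings are available as exported INF text (for instance from `secedit /export`), and the SIDs, sample files and function names are constructed for illustration.

```python
# Added example; the two INF texts are constructed sample data.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID

# Intended "logon locally" list: Administrators, Domain Admins, Domain Users.
EXPECTED_INF = f"""[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*{DOMAIN}-512,*{DOMAIN}-513
"""

# What a workstation export might contain when the policy did not fully apply.
WORKSTATION_INF = f"""[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0
seinteractivelogonright = *S-1-5-32-544, *{DOMAIN}-512
[Version]
signature="$CHICAGO$"
"""


def privilege_rights(inf_text):
    """Return {RIGHT_NAME: set(principals)} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and INF comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # SIDs are written with a leading '*'; compare case-insensitively.
        members = {m.strip().lstrip("*").upper() for m in value.split(",") if m.strip()}
        rights[name.strip().upper()] = members
    return rights


def compare_right(expected_inf, actual_inf, right="SeInteractiveLogonRight"):
    """Return (missing, unexpected) principals for one user right."""
    key = right.upper()
    expected = privilege_rights(expected_inf).get(key, set())
    actual = privilege_rights(actual_inf).get(key, set())
    return sorted(expected - actual), sorted(actual - expected)


if __name__ == "__main__":
    print(compare_right(EXPECTED_INF, WORKSTATION_INF))
```
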


Responses to this topic


15 Posts
Joined 2001-12-18
OP
also wanted to add that both wkstns are fresh builds as well, & have been added to the domain following its rebuild. additionally, i can (as a domain admin) logon to all machines, w/full access to all domain resources.

163 Posts
Joined 2000-07-30
Although it will not give much for your particular problem, try eventid.net for some nice info if you have trouble with event numbers. I found it helped me in the past when MS gave too little info or made it tough to find quickly.
 
533 did not give any fix information, however other events posted there have.
 
-RY