When you add a group to the Deny Logon Locally user right on Windows 2000 or Windows XP, members of that group can NOT log on to the configured computer. They receive:
The Local policy of this system does not permit you to log on interactively.
If this happens to an administrator, remember that the denial of a right takes precedence over a right that is specifically granted. If the administrator is also a member of the group that you specifically denied, they can NOT log on.
To resolve this problem, log on to another client with an account that has Domain Admin rights and use Ntrights to remove the deny right:
ntrights -m \\computer -u <group or user to remove> -r SeDenyInteractiveLogonRight
NOTE: See tip 3361.
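A pre-deployment check for the precedence rule described above, as an added example that is not part of the original tip: it reads the [Privilege Rights] section of a security template export (such as one produced by secedit /export with /areas USER_RIGHTS) and lists the accounts that are granted interactive logon but would be blocked by the deny right. The template text, the CORP accounts and the membership map are constructed sample data, and the function names are hypothetical.

```python
# Added example: constructed data, not output from a real machine.
SAMPLE_INF = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = CORP\\Contractors
[Version]
signature="$CHICAGO$"
"""

# Hypothetical account -> groups map (would come from directory data in practice).
SAMPLE_MEMBERS = {
    "CORP\\alice": {"S-1-5-32-544", "CORP\\Contractors"},
    "CORP\\bob": {"S-1-5-32-544"},
    "CORP\\carol": {"S-1-5-32-545", "CORP\\Contractors"},
    "CORP\\dave": {"CORP\\Contractors"},
}


def parse_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {
                p.strip().lstrip("*") for p in value.split(",") if p.strip()
            }
    return rights


def denied_despite_grant(inf_text, members):
    """Accounts granted interactive logon that the deny right overrides."""
    rights = parse_rights(inf_text)
    allow = rights.get("SeInteractiveLogonRight", set())
    deny = rights.get("SeDenyInteractiveLogonRight", set())
    blocked = []
    for account, groups in sorted(members.items()):
        ids = groups | {account}
        if ids & allow and ids & deny:  # deny wins over the explicit grant
            blocked.append(account)
    return blocked


if __name__ == "__main__":
    print(denied_despite_grant(SAMPLE_INF, SAMPLE_MEMBERS))
```

In the sample, alice is an administrator (S-1-5-32-544) who also belongs to the denied group, which is the lockout case this tip describes.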