Event 533: User not allowed to logon at this computer

Archived from groups: microsoft.public.win2000.security (More info?)

I am the system administrator of 400 windows 2000 professional in a windows
2000 AD. From time to time, 1 or 2, may be 10 computers suddenly shows this
error message "User not allowed to logon at this computer" or something like
that, when a normal domain user tries to log on.

The same user is able to log into other workstations that are in the same
OU.

Reboot does not solve the problem. Reset the computer account does not solve
the problem. Leave the workstation for a few days does not solve the
problem.

Disjoin the workstation from domain and rejoin it back solve the problem.

Users belong to the local administrators group are able to log onto the
computer.

I used the domain admin to logon and checked the local security settings. I
found nothing wrong. I checked the local groups and found nothing wrong too.
When I checked the event log, there were 533 events generated everytime a
denied logon was attempted. Other than that there was nothing suspicious. I
used "netdom" to verify the security channel and it returned an ok to me. I
had turned off the workstation maintenance policy ages ago. That did not
help.

Any idea?

Jeremy