Can I "allow logon locally" for ALL local accounts and some domain accounts?
Solution 1:
This is much simpler to achieve than I originally thought: all you need to do is to grant the "Allow log on locally" right to Local account
.
Local account
is a well-known security identifier (S-1-5-113) which is similar to a group, except that membership is implicit based on a rule: in this case, all local accounts are members.
If you also grant "Allow log on locally" to a local group that you create, you can use group policy with item-level targeting to add the domain users that should have logon access to that group.
So I suggest that you set your group policy to allow logon access to:
Administrators
Local account
Authorized domain users
Solution 2:
Those local accounts need to be able to log in, and they are not necessarily in any special, local group.
All local user accounts will always be in at least one of these two local groups:
Administrators
Users
So adding those two groups to the "Allow Log On Locally" user right will suffice to ensure that all local user accounts can log on locally.