Every once in a while - usually on smaller companies who only have a single server - you may need to permit a particular user or group permission to log onto the domain controller. Naturally, this is a bit of a security risk. But let's face it - not everyone can afford a new server just to overcome this sort of issue.
In that case, here's what you do. Load Domain Controller Security Policy, then navigate to Security Settings -> Local Policies -> User Rights Assignment -> Log on Locally. Change this setting to include the user or group you'd like to add.
Here's a hint: Add a group instead of a user. Just make sure the users who need to log on locally are members of that group. That way, if someone leaves, you can simply remove them from the group - no need to worry about updating the policy again.