By default, only Account Operators, Administrators, Backup Operators, Print Operators, Server Operators, the Internet guest account, and the Terminal Services user account are assigned the right to log on locally to a Windows-based domain controller.
Microsoft describes in detail how to edit the Default Domain Controllers Policy from the Microsoft Management Console in "Assign 'Log On locally' Rights to Windows Domain Controller" (MS KB Article Q234237). But what escaped me was how to make the changes take effect immediately. This console command makes the changes take effect immediately:
secedit /refreshpolicy machine_policy
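
After the refresh it is worth confirming who actually holds the right. The script below is an added example, not part of the original tip: it exports the current user-rights assignment with secedit /export and lists the holders of SeInteractiveLogonRight ("Log on locally"). It assumes a Windows version that ships PowerShell, where gpupdate /target:computer /force takes the place of secedit /refreshpolicy; the function name Get-LogonLocallyPrincipals and the temporary file name are hypothetical.

```powershell
# Added example, not from the original page. Run elevated on the domain controller.
# Lists the principals that hold "Log on locally" (SeInteractiveLogonRight)
# in the current system settings, so the policy change can be verified.

function Get-LogonLocallyPrincipals {
    param([Parameter(Mandatory)][string[]]$InfLines)

    # The export holds one line per right under [Privilege Rights], for example
    # (constructed sample): SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }   # right is not defined in the export

    $entries = ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }

    foreach ($entry in $entries) {
        if ($entry.StartsWith('*')) {
            # A leading * marks a SID; resolve it to an account name where possible.
            $sid = $entry.Substring(1)
            try {
                $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch {
                $name = '(unresolved)'   # deleted account or unreachable domain
            }
            [pscustomobject]@{ Sid = $sid; Name = $name }
        } else {
            # Entries without * are already account names.
            [pscustomobject]@{ Sid = $null; Name = $entry }
        }
    }
}

$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
try {
    Get-LogonLocallyPrincipals -InfLines (Get-Content $cfg) | Format-Table -AutoSize
} finally {
    Remove-Item $cfg -ErrorAction SilentlyContinue
}
```

Any entry beyond the groups you intended to grant, or an unresolved SID, is worth reviewing before interactive logon to the domain controller is considered correctly scoped.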