"You cannot log on because the logon method you are using is not allowed on this computer"

This is the error I am getting when I try to log in on the DC with a user which is not a member of the Domain Admin group. If I log in with the domain Administrator user and assign the domain admin group to the user it logs in normally. I have tried to create a different group but still the same.

I think that the user has to be in the domain admin group. It is a domain controller, so why would you want a non-admin to log onto a domain controller? Can you tell me whether this is a Terminal Server in Application mode? If that is the case, then in order to allow a non-domain admin account to logon on to a Terminal Server, the account would need to be in the Terminal Services group, have log on locally rights, as well as log on interactive rights?

The easiest method to allow non-priviledge users to log onto a Domain Controller is to add them to the "Remote Desktop Users" domain global group. In general, it is not suggested to use it, although, primarily due to security implications.

I assigned "Remote Desktop Users" to a user account but the user is still not able to login. I had a look into Local Security Policy->Security Settings/Local Policies/User Rights Assignment/Allow log on locally, Remote Desktop Users is not in the list. The Add User or Group button is disabled

Please advise what security group should I give to the user so that the user can login to server to perform some administrator tasks such as reset password.

I think that a non-domain admin would not need to logon to a domain controller to perform such tasks as resetting password. You can try to install the adminpak.msi tools on the users workstation and once it is installed, instruct the user to simply run Active Directory Users and Computers, select the OU they have been delegated permissions, and they will be able to change or reset password.

Thanks for your simple step by step explaination.

I created a MMC added with snap shots Event Viewers and Active Directory Users and COmputers on my AD Domain Server 2008, save it as Users mode-Full access (for testing purpose).

I copied the MMC to another non-AD Server 2008 which is login as the same domain. I opened the MMC, i can view the event viewers. But when i click on Active Directory Users and COmputers on the left panel, "MMC could not create the snap-shot" was shown on the right panel.
Please advise.

Also, if i really want to create a user with "Remote desktop" security group, but that security group is not listed in the local group policy, is there a way?

Thanks