Denying/Allowing Remote Desktop Users in Windows 2008 Server R2

The latter means for "computer -> Remote Settings -> Select Users " populates the specific machines remote desktop users group. By default the remote desktop users group has rights to logon through RDP to the server.

Your GPO method should have worked. Are you sure you didnt have another GPO enforcing a different list of users/groups allowed to logon through terminal services?

I suggest controlling the membership of the remote desktop users through group policies. Group policy preferences makes this easy. See http://support.microsoft.com/kb/943729 for details of the CSE and XMLLite (for 2003) that you need to install on the server you want to RDP into. The create a GPO (or edit an existing one) to add a pre-defined group into all intended server's remote desktop users group using group policy preferences. 1. navigate the computer config/preferences/local users and groups. 2. Add new group 3. choose remote desktop users (builtin) from drop down 4. Choose user/group to be added

Above only sorts remote desktop users group membership.You also need to separately enable RDP on the machine. Enable the "Allow users to connect remotely using remote desktop services" in computer configuration\policies\administrative templates\windows components\remote desktop services\remote desktop session host\connections.

You'll also likely need to enable the firewall rules too. You can use computer configuration\policies\Windows Settings\Security\Windows firewall with advanced security\Windows Firewall with Advanced Security - LDAP://cn={GUID} to enable the relevant profile and use the rule editor to create a rule using pre-defined service for remote desktop. this handles windows 2008 and above.

For 2003, use the computer configuration\policies\administrative templates\network\network connections\windows firewall and then based on relevant profile the exception for remote desktop traffic.

Create a group policy that uses the restricted groups feature to place "Domain Users" in the "Remote Desktop Users" group. Apply that policy to your server, overriding the local policy. Log in as domain admin and make sure the policy refreshes. When you examine the remote desktop users group, verify that "domain users" has been placed in this group. Now, log off and test as one of your domain users.