In the first bit of your post it sounds like somebody had already configured a "Restricted Groups Policy" for the "Remote Desktop Users" group, which explains why it "emptied out". That's not a stock OS feature-- somebody configured that at some point. You got around it by either modifying the GPO that was "emptying out" the group, or by making a new GPO that applied after the existing "Restricted Groups"-containing GPO to override the setting.
The next bit-- the "You do not have access to logon to this session" bit is a bit more confusing. I've been trying to repro it on a Windows Server 2003 SP2 32-bit Std. machine for a bit now, and I can't come up with a repro condition.
If you would, open the "Terminal Services Configuration" tool on the machine, highlight the "Connections" node in the left pane, and bring up the "Properties" of the "RDP-Tcp" object in the right pane. Have a look at the "Permissions" tab and see that "Remote Desktop Users" is granted "User Access" and "Guest Access" (the stock permission).
Failing that, I'm not sure w/o being able to repro it. What service pack level are you running of W2K3?
(BTW: I've got a similar background to you-- I started on Unix and moved over to Windows grudgingly. Group Policy is incredibly useful once you get over the quirks. I script Windows machines like a madman because I can't stand to do the same work more than once. The built-in Windows command shell is utterly inferior to any Unix shell, but it can be coaxed into performing most tasks...)
Edit:
Oh-- they're Windows XP machines. I didn't realize that. That changes things. I thought these were servers you were trying to access w/ RDP.
My psychic powers say that you're seeing the "You do not have access to logon to this session" message because there is someone already logged-on to the PC and the user logging-on with RDP doesn't have "Administrator" rights on the Windows XP machine. Windows XP can only host one RDP / console session at a time, and if someone is already logged-on only an "Administrator" user can remotely "bump them off" with RDP. All other users attempting to logon w/ RDP will receive the message you described above.
How does that look?
To investigate the "Restricted Groups" policy more, run the RSoP tool on the WinXP clients and see if there are any GPOs enforcing a "Restricted Groups" setting on "Remote Desktop Users". In a network I setup, for example, there would be. It's a common way to grant groups access to RDP on clients.
The latter means for "computer -> Remote Settings -> Select Users" populates the specific machine's Remote Desktop Users group. By default the Remote Desktop Users group has rights to logon through RDP to the server.
Your GPO method should have worked. Are you sure you didn't have another GPO enforcing a different list of users/groups allowed to logon through terminal services?
I suggest controlling the membership of the Remote Desktop Users group through group policies. Group Policy Preferences makes this easy. See http://support.microsoft.com/kb/943729 for details of the CSE and XMLLite (for 2003) that you need to install on the server you want to RDP into. Then create a GPO (or edit an existing one) to add a pre-defined group into all intended servers' Remote Desktop Users group using Group Policy Preferences.
1. navigate the computer config/preferences/local users and groups.
2. Add new group
3. choose remote desktop users (builtin) from drop down
4. Choose user/group to be added
Above only sorts Remote Desktop Users group membership. You also need to separately enable RDP on the machine. Enable the "Allow users to connect remotely using remote desktop services" in computer configuration\policies\administrative templates\windows components\remote desktop services\remote desktop session host\connections.
You'll also likely need to enable the firewall rules too. You can use computer configuration\policies\Windows Settings\Security\Windows firewall with advanced security\Windows Firewall with Advanced Security - LDAP://cn={GUID}
to enable the relevant profile and use the rule editor to create a rule using the pre-defined service for Remote Desktop. This handles Windows 2008 and above.
For 2003, use computer configuration\policies\administrative templates\network\network connections\windows firewall and then, based on the relevant profile, enable the exception for Remote Desktop traffic.
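An added verification script (not code from any of the answers above) that checks the three things the answers say must all be in place on the target machine: the local "Remote Desktop Users" membership (whether it was set by GPP, by "Remote Settings -> Select Users", or emptied by a "Restricted Groups" policy), the "Allow users to connect remotely" setting, and the Remote Desktop firewall rules. It also lists active sessions, which is relevant to the first answer's point that a non-administrator is refused when a session is already in use. Assumptions: run in an elevated PowerShell on the machine being checked; `Get-NetFirewallRule` exists only on Windows 8 / Server 2012 and later, so older builds fall back to `netsh`; the ADSI, registry and `gpresult` checks work on older builds with PowerShell 2.0.

```powershell
# Added example: verify the RDP access prerequisites described above.
# Not part of the original answers; function names are the author's own.

function Get-RdpUsersGroupMembers {
    # Enumerate the local "Remote Desktop Users" group through the ADSI WinNT provider,
    # which does not depend on the newer LocalAccounts module.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Test-RdpEnabled {
    # fDenyTSConnections = 0 means "Allow users to connect remotely" is on.
    # The GPO setting writes the same value under the Policies key, which wins when present.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $policy = Get-ItemProperty -Path $policyKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $local  = Get-ItemProperty -Path $localKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $value = if ($policy) { $policy.fDenyTSConnections } else { $local.fDenyTSConnections }
    return ($value -eq 0)
}

function Get-RdpFirewallRules {
    # Windows 8 / 2012 and later expose the predefined "Remote Desktop" rule group as cmdlets.
    if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
        Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
            Select-Object DisplayName, Enabled, Profile, Direction
    } else {
        # Vista / 2008 era fallback: filter the netsh rule listing by name.
        netsh advfirewall firewall show rule name=all | Select-String -Pattern 'Remote Desktop'
    }
}

function Get-RestrictedGroupsPolicy {
    # Search the verbose computer-scope RSoP output for any "Restricted Groups" section,
    # which is what would be emptying the local group on each policy refresh.
    gpresult /scope computer /v | Select-String -Pattern 'Restricted Groups' -Context 0, 5
}

function Get-ActiveRdpSessions {
    # qwinsta lists console and RDP sessions; an "Active" entry means someone is logged on,
    # which on XP blocks non-administrators from connecting.
    qwinsta | Select-String -Pattern '\bActive\b'
}

Write-Host '--- Remote Desktop Users members ---'
Get-RdpUsersGroupMembers
Write-Host ("--- RDP enabled: {0} ---" -f (Test-RdpEnabled))
Write-Host '--- Remote Desktop firewall rules ---'
Get-RdpFirewallRules
Write-Host '--- Restricted Groups policy (empty output = none applied) ---'
Get-RestrictedGroupsPolicy
Write-Host '--- Active sessions ---'
Get-ActiveRdpSessions
```

If the group membership is empty even though GPP adds a group, the `Get-RestrictedGroupsPolicy` output is the first thing to read: a Restricted Groups entry for "Remote Desktop Users" replaces the membership on every refresh, and a GPP item in a lower-precedence GPO will lose to it.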
Best Answer
You can use Group Policy Preferences to update the local "Remote Desktop Users" group to contain whatever users you want it to.
The screenshot below shows modifications to the Administrators group, but you can select any built-in group you want, including Remote Desktop Users.

![GPP Screencap](https://i.stack.imgur.com/C1vVC.png)