I have a user who is receiving the following message when trying to access a Server 2008R2 machine via RDP.
"To log on to this remote computer, you must have Terminal Server User Access permissions on this computer. By default, members of the Remote Desktop Users group have these permissions. If you are not a member of the Remote Desktop Users group or another group which has this right, or if the Remote Desktop Users group does not have this right, you must be given this right manually."
This user is in the proper group, which does have the proper rights. Additionally, I've given this person the rights explicitly and set up a group policy pointing at an OU into which I've placed this user and granting this right.
I've created a test user with the same rights and memberships as this user, and that user predictably can't get in either. However, if I grant this person membership in the domain admins group, they can get in fine. Of course, that's not an option. I see nothing in any logs.