Hello. I have migrated a client from a 2003 domain to a 2008 domain.
We have:
2 DCs
2 Term Servers
1 TS Gateway
1 TS Broker
Many thin clients and some PCs/laptops.
Some home/remote users
All of the servers are Windows Server 2008. Some are 32 bit, some are 64 bit.
The domain mode is 2008 Native. All of the above servers are brand-new, w/ clean installations of the 2008 OS.
The gateway and broker are the same server. The license server is the first TS.
I have successfully set up and configured the TS Gateway and have several users who can connect to the GW and launch the apps. However, I have a few random users who cannot launch any of the remoteapps.
They receive the following error: "Windows cannot start the remoteapp program. The following RemoteApp program is not in the list of authorized programs: Calculator. For assistance, contact your system administrator"
Also, I used Calculator as a test. It doesn't matter if it's an Office app, utility, or RDP link. They all get the same error. Once I click the okay button, the session seems to try to continue to connect anyway, and then I get the window that says the connection has been lost. Other times, I get a small window with the Server 2008 logon screen.
Some additional info: The site has a paid-for SSL certificate and is working properly (other users can connect just fine). One of the user accounts we have had trouble with is in the same group as the rest of the users, but is also an administrative user. We have tried from several different physical remote locations on several different computers. Some of the OSes we have tried this from are Windows XP Pro SP3 (RDP 6.1), XP Home Edition, and Linux (Fedora 10). The same user is able to log in to the term servers just fine. He is also able to log into the management server remotely as well.
All current patches and recommended updates have been installed. Access has been tried with both firewall on and off. It's odd how other users can connect without any issue at all, but not a few different accounts. One of the other accounts is a non-administrative account. If I log in as administrator, I can also access the apps.
Could anyone assist me in troubleshooting this issue? I would be very grateful.
Thank you,
Dave
Edit:
After reviewing some of the logs, it seems like this entry in the security log is generated when these failures are occurring:
An account failed to log on.

Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: (TSG server name)$
    Account Domain: (Domain Name)

Failure Information:
    Failure Reason: An Error occured during Logon.
    Status: 0xc000006d
    Sub Status: 0x0

Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

Network Information:
    Workstation Name: (TSG Server Name)
    Source Network Address: 10.x.x.x
    Source Port: 56673

Detailed Authentication Information:
    Logon Process:
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
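
As an added example (not part of the original post), the Python below parses failed-logon event text like the entry pasted above (Event ID 4625 on Server 2008) and summarises which account failed, over which logon type and package, and what the status code means. The function names `parse_event` and `triage` and the lookup tables are this example's own; the sample is abridged from the post with its placeholders kept.

```python
SAMPLE = """\
An account failed to log on.
Subject:
Account Name: -
Logon Type: 3
Account For Which Logon Failed:
Account Name: (TSG server name)$
Account Domain: (Domain Name)
Failure Information:
Status: 0xc000006d
Network Information:
Source Network Address: 10.x.x.x
Detailed Authentication Information:
Authentication Package: NTLM
"""  # event text abridged from the post; placeholders kept as posted
SECTIONS = {"Subject", "Account For Which Logon Failed", "Failure Information",
            "Process Information", "Network Information", "Detailed Authentication Information"}
NTSTATUS = {"0xc000006d": "STATUS_LOGON_FAILURE", "0xc000006a": "STATUS_WRONG_PASSWORD",
            "0xc0000064": "STATUS_NO_SUCH_USER", "0xc0000234": "STATUS_ACCOUNT_LOCKED_OUT"}
LOGON_TYPES = {"2": "interactive", "3": "network", "10": "remote interactive"}

def parse_event(text):
    """Group 'Field: value' lines by section, so the two Account Name fields stay apart."""
    event, section = {"": {}}, ""
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if not sep:
            continue                      # prose lines carry no field
        if key in SECTIONS and not value:
            section = key                 # a section heading has no value
        elif key == "Logon Type":         # top-level field, not part of Subject
            event[""][key] = value
        else:
            event.setdefault(section, {})[key] = value
    return event

def triage(text):
    """Summarise who failed, how, and from where, decoding the NTSTATUS code."""
    ev = parse_event(text)
    target = ev.get("Account For Which Logon Failed", {})
    status = ev.get("Failure Information", {}).get("Status", "").lower()
    return {
        "account": target.get("Account Name", ""),
        "machine_account": target.get("Account Name", "").endswith("$"),
        "logon_type": LOGON_TYPES.get(ev[""].get("Logon Type"), "other"),
        "status": NTSTATUS.get(status, status),
        "package": ev.get("Detailed Authentication Information", {}).get("Authentication Package", ""),
        "source": ev.get("Network Information", {}).get("Source Network Address", ""),
    }
```

For the event in the post, the summary shows a computer account (name ending in `$`) failing an NTLM network logon with `STATUS_LOGON_FAILURE`, which is distinct from the interactive logon of the affected user.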