I have a new servers, running Windows Server 2003 R2, it is the Domain controller and the Terminal Server.
Terminal services is configured and has 6 CALs. Users that are members of Domain Users and Remote Desktop Users cannot log on through Terminal Services. Upon starting an RDP session and entering username/password they get the standard message: "To log on to this remote computer you must be granted the allow log on through terminal services right. By default the remote desktop users group ...". They are members of this group and still can not log in. I checked the rights of the RDU group and everything looks normal. In active directory the profile does NOT have the deny login to terminal servers checked.
This was not a problem in Windows Server 2003 SP1 or lesser, where it was possible to right-click My Computer and select the Remote tab and and add Remote Users there.