I currently removed a hand full of people that had domain admin rights from our Active Directory. I then added those users to the Remote Desktop Users group and then updated Group Policy so that Computer Configuration\Administrative Templates\Windows Components\Terminal Services and enabled "Allow users to connect remtely using Terminal Services" I also went to Computer Configuration\Windows Settings\Security Settings\Restricted Groups and added Remote Desktop Users to the Restricted Group. After doing a GPUpdate /force on the machines, these users can not connect still. I went back to verify that the users were in the Remote Desktop Users group and I noticed they were gone. I tried to add a user again and after about 1 minute, the user was gone again.