In case you're confused about the GPO setting “Allow Logon through Terminal Services” and the security group “Remote Desktop Users”, a new blog post by the Ask the Performance Team was just posted on blogs.technet.com on this subject. It provides a clear explanation on the differences and the combination of those two settings.
"...I am sure many of you are already familiar this GPO and this group. But still there has been some confusion around whether you should be using the GPO for allowing the user to RDP to the server or should be using the Remote desktop users group or both. And at times, even what to choose between them and what is the best recommended practice.
Hence I wanted to provide a short simple explanation about this group policy and the user group and how they are interrelated.
To start with, there are two types of user rights; Logon rights & Privileges. In simpler terms these are:
1) Remote Logon: rights to machine
2) Logon: privileges for access to the RDP-TCP Listener
These play the vital part in allowing an RDP session to the server.
When a user is able to validate the above two conditions successfully, only then is the user provided with a successful RDP connection to the server.
The Remote Logon is governed by the “Allow Logon through Terminal Services” group policy. This is under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
By default, the Administrators and Remote Desktop Users groups are given remote logon rights. So, users who are a part of these groups will be authorized to logon remotely to the server.
Now, if you have a user account which is not a part of the Administrators or the Remote Desktop Users groups and you go ahead and add him to the GPO for “Allow Logon through Terminal Services”, they will still not be able to create a successful RDP connection to the server. The reason being that adding a user to this GPO only authorizes him for a Remote Logon to the server but does not give him the permissions to connect to the RDP-Listener.
Now comes into play the Logon privileges for the RDP-Listener. Once the user is authorized for remote logon his privileges to connect to the RDP-Listener is verified. If the user has permissions on the listener then the connection is successful. These permissions can be verified from RDP-TCP Listener properties..."