There are a few places that need to be configured properly for TS to work.
1) The «allow logon through terminal services» right must be assigned to the user or group in question. This can be done through group policy or local policy. By default, remote desktop users is granted this right locally; you can do the same with a domain policy for good group organization.
2) Permissions to the RDP protocol must be added in (admin tools->Terminal services config->connections->RDP-tcp properties->Permissions). Usually remote desktop users is already listed but you may have to add it.
3) The «HKLM\system\currentcontrolset\control\terminal server\fDenyTSConnections» dword must be set to «0». This can also be accessed by right-clicking «my computer», choosing properties, going to the «remote» tab, and checking the box for «enable remote desktop on this computer».
Typically, I add «authenticated users» to the local remote desktop group, then grant remote desktop users permissions to the RDP-tcp protocol. I then grant the «allow logon through terminal services» right via group policy to the terminal server (locally or domain) to «authenticated users». This method allows all users to log on; you would have to use a security group if you only want to grant specific users access.
You can define the permissions for the users/groups however you want. It is usually easiest to add the users you wish to allow to the domain group «remote desktop users», add the domain group to the local «remote desktop users» on the server for good measure, then reference the domain group in RDP permissions and the «allow logon..» policy setting.
Let me know if this helps.
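
The following audit script is an added example, not part of the original post. It reads back items 1 and 3 plus the local «remote desktop users» membership on the server, and flags broad principals such as «authenticated users», since the post notes that granting them access lets all users log on. It assumes an elevated PowerShell 5.1+ session on the terminal server; the variable names and the list of "broad" SIDs are choices made for this example, and the RDP-tcp permission list from item 2 is not covered.

```powershell
# Added audit example (not from the original post). Run elevated on the terminal server.
$report = [ordered]@{}

# Item 3: fDenyTSConnections = 0 means remote desktop connections are enabled.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                       -Name fDenyTSConnections
$report['RemoteDesktopEnabled'] = ($ts.fDenyTSConnections -eq 0)

# Local "Remote Desktop Users" group, looked up by its well-known SID S-1-5-32-555.
$members = @(Get-LocalGroupMember -SID 'S-1-5-32-555' -ErrorAction SilentlyContinue)
$report['RemoteDesktopUsersMembers'] = $members | ForEach-Object { $_.Name }

# Item 1: export the effective user rights and read SeRemoteInteractiveLogonRight,
# the constant behind "allow logon through terminal services".
$cfg = Join-Path $env:TEMP 'user_rights_audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
Remove-Item $cfg -Force -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    # Entries look like "*S-1-5-32-544,*S-1-5-32-555"; strip the leading '*'.
    $holders = ($line -split '=', 2)[1].Split(',') |
               ForEach-Object { $_.Trim().TrimStart('*') }
}
$report['LogonRightHolders'] = $holders

# Principals that effectively mean "everyone with an account" (list chosen for this example):
# Everyone, Authenticated Users, local Users, and any domain's Domain Users (RID 513).
$broad = '^(S-1-1-0|S-1-5-11|S-1-5-32-545|S-1-5-21-.+-513)$'
$memberSids = $members | ForEach-Object { $_.SID.Value }
$report['BroadPrincipals'] = @($holders) + @($memberSids) |
                             Where-Object { $_ -match $broad } |
                             Sort-Object -Unique

# Direct user accounts in the group bypass the group-based layout the post recommends.
$report['DirectUserMembers'] = $members |
                               Where-Object { $_.ObjectClass -eq 'User' } |
                               ForEach-Object { $_.Name }

[pscustomobject]$report | Format-List
```

An empty `BroadPrincipals` value together with a dedicated security group in `LogonRightHolders` matches the restricted setup described in the post; a value of `S-1-5-11` matches the «authenticated users» setup.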