We have just setup a complete new environment consisting of two Domain Controllers (2008 R2) and a few member servers (2012 R2).
We have manually enabled RDP on all servers and use our Domain Admin accounts to log remote via RDP to the servers.
Next, we also wanted to grant a specific security group the right to logon remotely. In order to achieve this we added this group in Default Domain Policy / Local Policies / User Rights Assignment / Allow Logon through terminal services". As soon as the policy change took effect, no one could logon remotely, not even Domain Admins.
After some research we understood that the correct way of doing this is to just add the group to the builtin AD group "Remote Desktop Users" group. So we removed the setting in the GPO and now domain admins can RDP to member servers but not Domain Controllers.
We have verified using rsop.msc on the domain controllers that the setting is in fact not set but we can still not RDP to the domain controllers.
All servers are using swedish versions of Windows except one of the DC:s that have english version (no idea why).
Thanks, Jonas