"There are also 2 different Remote Desktop Users groups. There is a "local" Remote Desktop Users group on member servers, and then there is also a "Domain Local" Remote Desktop Users group on Domain Controllers. The latter is not assigned the right to logon through Terminal Services by default.
You could try editing this policy setting in your main GPO
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
In the right-hand pane, locate the entry named "Allow Log on through Terminal Services" and double-click on it.
Click "Add User or Group.."