Also check "security settings -- local policies -- user rights -- allow log on through terminal services" and the "deny" user rights for these rights. Are both administrative templates -- system -- remote assistance -- solicited remote assistance and administrative templates -- system -- remote assistance -- offer remote assistance settings properly configured?
Have you waited or used gpupdate to speed the processing of Group Policy application? Changes made in GPOs must replicate to domain controllers and then be downloaded to clients. The time that this will take depends on your network and on replication latency. It is also dependent on the client computer authenticating to the DC.
Use GPMC; first to evaluate your domain policy (only those policy settings set will be shown in the settings page ... perhaps you can more easily see a setting that may be interfering) and second to do a Group Policy results ... if the settings all look correct, is the client getting the policy downloaded? Is it being modified by a GPO set on an OU?
The dcgpofix.exe tool is a tool that may be used to restore the domain Group Policy. However, you should use caution using the tool, because it cannot restore your default settings exactly. See Microsoft Knowledge Base article 833783 for more information.
Also consider these best practices:
2. Never directly modify the domain default GPO or the domain controller default GPO. Instead, make changes to a new GPO (then it's easy to just delete the GPO).
This was first published in October 2004