Users who do not have the "Log On Locally" right cannot remotely connect to a computer that is protected with the Windows Logon Agent via RDP, even if they have the correct permissions for a network logon.
The Windows Logon Agent and Windows Credential Provider handle remote connections to a domain controller as a local logon process. Whether a session is local or remote, it will require local connection privileges.
- Assign the user the "Log On Locally" right using Group Policy, or add them to a group that has that right. Instructions on doing this are available here:
  - Server 2003: http://technet.microsoft.com/en-us/library/cc756809(WS.10).aspx
  - Server 2008: http://technet.microsoft.com/en-us/library/ee957044(v=ws.10).aspx
- Run "gpupdate /force".
- Reboot the Domain Controller.
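To confirm that the right took effect after the steps above, the following added example (not part of the original article) exports the user-rights assignments with `secedit` and lists who holds `SeInteractiveLogonRight`, the policy constant behind "Log On Locally". The account name `EXAMPLE\jdoe` is a hypothetical placeholder.

```powershell
# Added example. Run from an elevated PowerShell prompt on the protected computer.
$account = 'EXAMPLE\jdoe'   # hypothetical account; replace with the user who cannot connect

# Export only the user-rights section of the effective local security policy.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

try {
    $match = Select-String -Path $cfg -Pattern '^SeInteractiveLogonRight\s*=' |
        Select-Object -First 1
} finally {
    Remove-Item $cfg -ErrorAction SilentlyContinue
}
if (-not $match) { throw 'SeInteractiveLogonRight is not present in the exported policy.' }

# The value is a comma-separated list; SIDs carry a leading '*', account names do not.
$holders = foreach ($entry in ($match.Line -split '=', 2)[1].Split(',')) {
    $entry = $entry.Trim()
    if (-not $entry.StartsWith('*')) { $entry; continue }
    $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # unresolvable SID (for example, a deleted account)
}

'Accounts and groups with "Log On Locally":'
$holders | ForEach-Object { "  $_" }

if ($holders -contains $account) {
    "$account is listed directly."
} else {
    "$account is not listed directly; check its membership in the groups above."
}
```

If the expected user or group is missing from the output, the Group Policy change has not reached this machine yet.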
Windows Logon Agent and Windows Credential Provider