We have 2008 and 2008R2 DCs in our environment. We have a few users who are not Domain Admins who are allowed to RDP to DCs. I don't want to get into why this is, or argue about whether it is best practice or not; that is just the situation.
For our 2008 DCs, I do not need to put these users in the Built In group "Remote Desktop Users". They are in the local security policy with the following rights: "Allow logon locally" and "Allow logon through terminal services". They are also in the terminal services configuration with full access rights. With these rights, these people are able to log onto the DCs without any problems.
For our new 2008R2 DCs, if I do not put these people in the Built In group "Remote Desktop Users", it will not work, even if all the other settings are exactly the same. The local security policy is obviously the same, as it is set through Group Policy. The remote desktop session host configuration security settings are exactly the same on the R2 DCs as they are on the 2008 DCs. Additionally, with the R2s, I *do not* need to have the user in the "Allow log on locally" setting for the local security policy.
My question is: did something change from 2008 to 2008R2 for remote desktop access for non-domain admins?
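
Added example, not part of the original post: a PowerShell 2.0-compatible script that dumps the effective logon rights and the "Remote Desktop Users" membership discussed above, so the output from a 2008 DC and a 2008R2 DC can be compared. It assumes an elevated prompt on each DC; the temp file name and the `Resolve-Principal` helper are choices made for this example.

```powershell
# Added example: run elevated on each DC, then compare the two outputs.
# User-rights constants as written by secedit, mapped to their policy names.
$rights = @{
    'SeInteractiveLogonRight'           = 'Allow log on locally'
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Terminal Services / Remote Desktop Services'
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Terminal Services / Remote Desktop Services'
}

# Hypothetical helper: secedit writes SIDs as "*S-1-..." and leaves plain names as-is.
function Resolve-Principal([string]$Entry) {
    $Entry = $Entry.Trim()
    if (-not $Entry.StartsWith('*S-1-')) { return $Entry }
    $raw = $Entry.Substring(1)
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($raw)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $raw   # SID that no longer resolves: keep it visible rather than dropping it
    }
}

# Export the effective user rights (local policy as applied, including Group Policy).
$cfg = Join-Path $env:TEMP ("user_rights_{0}.inf" -f $env:COMPUTERNAME)
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$report = foreach ($line in Get-Content $cfg) {
    $name, $value = $line -split '=', 2
    if (-not $value) { continue }              # section headers and empty assignments
    $name = $name.Trim()
    if (-not $rights.ContainsKey($name)) { continue }
    foreach ($entry in $value.Split(',')) {
        if (-not $entry.Trim()) { continue }
        New-Object PSObject -Property @{
            Computer  = $env:COMPUTERNAME
            Setting   = $rights[$name]
            Principal = Resolve-Principal $entry
        }
    }
}
Remove-Item $cfg

$report | Sort-Object Setting, Principal |
    Select-Object Computer, Setting, Principal | Format-Table -AutoSize

# On a DC this lists the domain's Builtin "Remote Desktop Users" group.
net localgroup 'Remote Desktop Users'
```

The script does not read the RDP-Tcp connection permissions from the Terminal Services / Remote Desktop Session Host configuration; those still need to be compared separately.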