Windows Server 2003 includes the following new User Rights options:
- Allow logon through Terminal Services
- Deny logon through Terminal Services
You can use these options to change the set of permissions a user must have to establish a Terminal Services session.
To establish a Terminal Services session, a user must have the following permissions:
- Allow logon through Terminal Services
To grant a user these permissions, start the Group Policy snap-in, open the Local Security Policy or the appropriate Group Policy, and then navigate to the following location:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
- Allow logon to Terminal Server
To grant a user these permissions, start either the Active Directory Users and Computers snap-in or the Local Users And Groups snap-in, open the user’s properties, click the Terminal Services Profile tab, and then click to select the Allow logon to Terminal Server check box.
- Guest Access: Logon to the RDP-TCP connection
To grant guests Logon rights to the RDP-TCP connection, start the Terminal Services Configuration snap-in and edit the RDP-TCP connection so that the guest has at least Logon rights.
The pivotal difference between Windows 2000 and Windows Server 2003 is the "Allow logon through Terminal Services" user right. When you grant this user right, you no longer have to grant the user the Log on locally right (this was a requirement in Windows 2000). In Windows Server 2003, it is possible for a user to establish a Terminal Services session to a particular server, but not be able to log on to the console of that same server.
I got this information straight from the horse’s mouth.
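The user rights described above can be reviewed offline from a `secedit /export /cfg <file> /areas USER_RIGHTS` export. The script below is an added example, not part of the original article: it assumes the export's `[Privilege Rights]` section and the constants `SeRemoteInteractiveLogonRight`, `SeDenyRemoteInteractiveLogonRight` and `SeInteractiveLogonRight`, uses a constructed sample (the `helpdesk` account and the function names are hypothetical), and lists principals that may log on through Terminal Services without holding Log on locally. It compares literal entries only, does not expand group membership, and does not check the Terminal Services Profile check box or the RDP-TCP connection permissions.

```python
# Added example: audit Terminal Services logon rights from a secedit export.
RIGHTS = {
    "allow_ts": "SeRemoteInteractiveLogonRight",     # Allow logon through Terminal Services
    "deny_ts": "SeDenyRemoteInteractiveLogonRight",  # Deny logon through Terminal Services
    "local": "SeInteractiveLogonRight",              # Log on locally
}

# Constructed sample of an exported policy (not taken from a real host).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,helpdesk
SeDenyRemoteInteractiveLogonRight = Guest,helpdesk
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right_name: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Entries are comma-separated; SIDs carry a leading '*', names do not.
        rights[name.strip()] = {
            p.strip().lstrip("*").lower() for p in value.split(",") if p.strip()
        }
    return rights

def audit_ts_logon(inf_text):
    """Classify principals by the user rights the article describes."""
    r = parse_privilege_rights(inf_text)
    allow = r.get(RIGHTS["allow_ts"], set())
    deny = r.get(RIGHTS["deny_ts"], set())
    local = r.get(RIGHTS["local"], set())
    effective = allow - deny  # a deny right takes precedence over an allow right
    return {
        "ts_allowed": sorted(effective),
        "allowed_but_denied": sorted(allow & deny),
        "ts_without_console": sorted(effective - local),
    }

if __name__ == "__main__":
    for key, value in audit_ts_logon(SAMPLE_INF).items():
        print(f"{key}: {value}")
```

secedit writes its export as Unicode (UTF-16), so decode the file with that encoding before passing its text to `audit_ts_logon`.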