I'm trying to set up a GPO to lock down a 2012R2 Remote Desktop Server.  I have followed the basic outline of steps one would take including creating a Security Group in AD for RDS and adding the appropriate users. Normally, I would then go into the System Properties of the RDS Host Server and add the Security Group for RDS into the Remote Users and it should then only allow those users to log in to the RDS Server. Unfortunately, I can ONLY get users to log in if I ALSO add the Domain Users AD Group to the Remote area of the System Properties Remote. This kind of defeats the security GPO when an average domain user can log in to it and get more access than those in my Security Group for RDS. I have literally checked every place imaginable, in the RDS Setup, in the Registry, GPO Security, and compared it to my other installs that I have set up the same way that are working. I cannot seem to find out WHY it will ONLY let users log on if I add Domain Users Group to this area.  Domain admins are not impacted.

Can someone theorize what might be happening here?