I am not familiar with your set up but I might suggest that you take a look
at MSKB 278298 to see how you can use GPOs in a Terminal Server environment.
Typically one would put the computer account object in an OU by itself ( or
with other computer account objects if you have multiple Terminal Servers )
and then create a GPO using Loopback ( probably in replace mode ) linked to
that particular OU in which the computer account object is located, taking
care to remove the 'Authenticated Users' security group from the security
tab on that GPO and replace it with a 'home-grown' security group that
contains only all of the user account objects that will access the TS. Give
this group the READ and APPLY GROUP POLICY rights and away you go. The
Administrator account will not be affected by this GPO ( and, thus, have
full unrestricted access ) as it is not a member of the 'home-grown'
Now, remember how policies are applied: local, site, domain, OU.
Have you thought about using gpotool or gpresult to see exactly what is