How to Reproduce Bug with New Account
1. Create new account
2. Open account properties for editing
3. Click Remote Desktop Services Profile (do not click any other tabs!)
4. Add a Profile Path and Home folder drive
5. Click OK
6. Reopen account properties and view the Dail-in tab (now set to Access Denied)

How to Avoid Bug with New Account
1. Create new account
2. Open account properties for editing
3. Click on the Dial-in tab (only need to view the tab, no need make any changes)
4. Click on the Remote Desktop Servcies Profile
5. Add a Profile Path and Home folder drive
6. Click OK
7. Reopen account properties and view the Dial-in (still set to Control access through NPS Network Policy

After copying an account that originally had the Dial-in access set to "Allow" it retained those settings. But after changing the Terminal Services Profile Home Folder and clicking OK the Dial-in access changed to Deny Access.

Found this Microsoft KB http://support.microsoft.com/kb/317853 however it states that this was resolved in Windows 2000 SP3.  Looks like something may have caused it to become a problem again in Windows 2003 R2 SP2.

We are currently working with a Microsoft Support Analyst to remedy this.  The key to reproducing the issue is copying an account that has the Dail-in permissions set to Allow Access.  Changing the Terminal Server Profile settings on an account that was created using the New option does not have this issue.

Another KB article specifying the behavior as a bug with a workaround: http://support.microsoft.com/kb/277631

We implemented a workaround of setting all accounts from "Allow Access" to "Control access through Remote Access Policy".  Accounts copied will have this same setting which does not have the issue when changing TS Profile settings.

NOTE: The above scripting method resolved the problem in Windows 2003 and Windows 2008, but it has become a problem again in Windows 2008R2