I've come across this problem during the past couple of weeks. We have seven live TS boxes. Six of the seven servers have this problem - one remains ok. We also have a test server, which is fine. At least I have something to work on for comparison.
From what I have seen, it could be related to the local administrators group of the server. If you add a group or user requiring the ability to remote control to the local administrators group (and that group/person has the rights set up on the RDP Permissions within Terminal Services Configuration on that box) then they can start controlling people again. This is our short term fix.
As one server is working ok, I can eliminate any policies being applied - policies are still being applied to that server ok.
We did update the anti-virus to a newer version but have eliminated that aswell by removing it.
I have double checked sercurity within the likes of services, local security policies etc.
Have also double checked the hot fixes that have been applied and so on.
Just to let you know, we always use a clone for our Terminal Servers - ensuring they are all the same.

It will be a matter of time before I close in on the problem and will post on here with a possible solution/reason for you.