Problem

Some users get denied when trying to use Windows terminal servers.

Solution

For some reason some of the users had additional attributes set in their account properties:
userParameters

Removing these unneeded attributes fixed the issue and the users could use terminal services.

root@ucs:~# ldapmodify -D "$( ucr get ldap/hostdn )" -y /etc/machine.secret <<%EOR
<USERDN>
changetype: modify
delete: userParameters
%EOR

To find all affected users you can search for

univention-ldapsearch "(userParameters=*)" dn userParameters