"Terminal Services license server group" is not added to user accounts in Windows 2003 domain


We have a Windows 2003 domain, and have set up terminal servers using a Windows 2008 Terminal Server Licensing Manager server in the domain (we are using per-user licensing). The license server is not a DC.

Our problem is that most users are not assigned licenses by the license server, and Event Viewer says:

The Terminal Services license server cannot update the license attributes for user "xxx" in the Active Directory domain "mydomain.intern". Ensure that the computer account for the license server is a member of the Terminal Server License Servers group in Active Directory domain "dirnat.intern".
If the license server is installed on a domain controller, the Network Service account also needs to be a member of the Terminal Server License Servers group.
If the license server is installed on a domain controller, after you have added the appropriate accounts to the Terminal Server License Servers group, you must restart the Terminal Services Licensing service to track or report the usage of TS Per User CALs.


Well, sure enough, the server in question was not a member of the "Terminal Server License Servers" group at first, so I added it. I restarted (both the TS and licensing servers), and the situation is still the same.

A little further investigation shows that the problem occurs for approx. 3 out of 4 users. Checking the users' permissions with PowerShell Get-ADPermission reveals that the group "Terminal Server License Servers" is present with special permissions on the accounts that work, and absent on the rest. At first this looked like an inheritance problem, but the users' OU shows no trace of the "Terminal Server Licensing Servers" group. Interestingly enough, newly created users get the correct permissions, which makes me think the permissions are added as part of the default settings in the AD schema. I can see the "Terminal Server Licensing Servers" group present in the permissions on the user object, but the AD Schema MMC snap-in doesn't seem able to list what the particular permissions are.

Anyway, at one point a job must have been triggered that tried to set these permissions on the user accounts (?) in the domain, and it must have stopped at one point. Is there a way I can trigger it manually? Or is there a way this is done by the book?

I was thinking of setting the permissions manually through PowerShell and hoping for the best, but I don't like doing that in case it is a sign of something else being wrong with AD. I suspect so because the profile folders seem inconsistent between users (some are created as username.v2 while others are created as username.domain.v2, and some users get both of them and TS keeps alternating between them). A strange thing, perhaps connected.

Does anyone have a suggestion here? Should I fix the accounts with the Set-ADPermission command or choose another approach?

There seem to be others with quite similar problems in this thread:




Update 2:
Thanks to PowerShell I succeeded in finding a pattern. The following script lists the users that "Terminal Server License Servers" has access rights to:

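# Get-User and Get-ADPermission are Exchange Management Shell cmdlets.
# S-1-5-32-561 is the well-known SID of BUILTIN\Terminal Server License Servers.
# @() keeps $users an array even when only one entry is returned.
$users = @(Get-User | Get-ADPermission -User S-1-5-32-561)
Write-Host $users.Count
$count = 0
while ($count -lt $users.Count)
{
  # Print the index and the identity of each account carrying the ACE
  Write-Host $count $users[$count].Identity
  $count++
}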

The users listed had the following in common; either:
a) they were created after we upgraded the domain from Windows 2000 to Windows 2003 (SP1)
or
b) they are members of Domain Admins, Account Operators or Printer Operators.

We know that new accounts receive the correct access rights upon creation, and admin/operator accounts have their access rights adjusted automatically by Active Directory mechanisms (just try adding a user to Account Operators and notice that the Account Operators access rights to the user account disappear after a while by themselves).

In other words, these permissions have never been applied to the user accounts in the domain. I cannot imagine this is by design; if so, there would be a lot of MS customers scratching their heads. I suppose our domain is an exception. I guess I'll apply the necessary access rights settings with PowerShell.
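
A read-only audit that tests the pattern described above, as an added example that is not part of the original post: for every user it records whether an ACE for S-1-5-32-561 exists, whether that ACE is explicit or inherited, when the account was created, and whether `adminCount` is 1 (accounts whose ACL is rewritten by the AdminSDHolder mechanism). It assumes a domain-joined machine and uses ADSI instead of the Exchange cmdlets; the variable and column names are illustrative.

```powershell
# Added example, not from the original post. Read-only: nothing in AD is modified.
$tsSid = 'S-1-5-32-561'    # SID used in the post's script

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize = 500   # paged search, so results are not capped at 1000 entries
foreach ($attr in 'sAMAccountName', 'whenCreated', 'adminCount') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$hits = $searcher.FindAll()
$report = foreach ($hit in $hits) {
    $entry = $hit.GetDirectoryEntry()
    # Ask for identities as SIDs so the comparison does not depend on name resolution
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $aces  = @($rules | Where-Object { $_.IdentityReference.Value -eq $tsSid })

    # Classify where the ACE comes from: none, inherited from a parent, or set on the object
    $source = 'none'
    if ($aces.Count -gt 0) {
        $source = 'inherited'
        if (@($aces | Where-Object { -not $_.IsInherited }).Count -gt 0) { $source = 'explicit' }
    }

    New-Object PSObject -Property @{
        User      = [string]$hit.Properties['samaccountname'][0]
        Created   = $hit.Properties['whencreated'][0]
        Protected = ($hit.Properties['admincount'] -contains 1)   # ACL managed via AdminSDHolder
        TsAce     = $source
    }
    $entry.psbase.Dispose()
}
$hits.Dispose()

# Accounts the license server cannot update, oldest first
$report | Where-Object { $_.TsAce -eq 'none' } |
    Sort-Object Created | Format-Table User, Created, Protected -AutoSize

# Summary to compare against the pattern described in the post
$report | Group-Object TsAce, Protected | Select-Object Count, Name
```

If the pattern holds, the accounts with `TsAce` of `none` cluster before the upgrade date and have `Protected` set to False.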


