We currently use a GPO to run a logon script that maps drives and printers depending on the users group membership when they log on to our Terminal Servers.
Most of the time the drives and printers are mapped, but every once in a while (several months) it appears that the policy processing stops and the drives are no longer mapped. This lasts a few days and then the problem goes away.
The strange thing is that is does not happen to all of our users, just a random selection. But does affect both of our 2003 Enterprise Terminal Servers
To fix the problem we change the users Terminal Server Access group membership, get them to log in and then change it back to the correct group, and ask them to log back in again.
When the drives fail to map the desktop is still locked down and all other restrictions apply.