Its not a typo, i just edited it out to not post the correct domain. I've recreated the RD RAP policy. Under User Groups, i have the ad group that the user is a part of. Under Network Reources i have created a new group with the ip, netbios and fqdn entered. under allowed ports i have 3389 only allowed.