Recently, I was working with a client who had the interesting goal of preventing a specific domain administrator from logging on via Remote Desktop Services. They wanted the domain admin and other privileged accounts to only connect via the VMWare vSphere console (through the corporate firewall), and then start a console session.
Fortunately, this is easily accomplished via user rights assignments in Group Policy / Local Security Policy. To do this, open up your Group Policy editor, or, if on a non-domain system, launch secpol.msc, and adjust the “Deny logon through Remote Desktop Services” policy entry.
Add the users who you want to prevent from logging on via Remote Desktop Services, save, and then apply/refresh the policy and test.
Note that this works well in all scenarios, from Windows Server 2003 onward. There is an older setting for individual users in Active Directory user management called “Deny this user permission to logon to a Remote Desktop Session Host Server.” This setting worked in all scenarios back in Windows Server 2003. However, in Windows Server 2008 and Windows Server 2012, it only works when the RDSH server is configured in Application Mode, NOT Remote Administration mode. Only setting the “Deny logon through Remote Desktop Services” user right assignment in Group Policy will effectively block access across all RDSH modes. For more, read this Microsoft support article.
Of course, this doesn’t prevent an Administrator from altering a Group Policy object to remove themselves from this policy restriction. Therefore, using a tool like our Remote Desktop Commander Suite to audit privileged user sessions is a smart idea. Using Remote Desktop Commander in conjunction with Group Policy, you can turn on heightened session auditing for specific users, routinely creating session recordings and screen captures for review later. Quite a bargain for only $9 per server per month, don’t you think??