Having an administrator user without RDP

1

I came across a case where the server (Windows Server 2012 R2 Datacenter edition x64) should have a user who has all administrator permissions except RDP.

It would be great if you could help me with this case.

Iman Kermani

Posted 2016-07-17T20:00:50.490

Reputation: 113

There's a right (which I can't recall right now) that can be set with Group Policy that will disallow remote desktop, even for an administrator. However, if applied to the administrators group, it will remove that right for all admins. I'd suggest creating a group for administrators without RDP and removing that right for that group. – kronenpj – 2016-07-17T20:04:56.363

Answers

0

Take a look at You notice that the check box "Deny this user permissions to logon to a Remote Desktop Session Host Server" and follow the instructions to set the Group Policy accordingly to restrict Remote Desktop access.

This applies to Windows Server 2012 R2 even though the article doesn't list it, but you can easily test afterwards with a test account to confirm that everything works as expected.

RESOLUTION

To deny a user or a group logon via RDP, explicitly set the "Deny logon through Remote Desktop Services" privilege. To do this, access a group policy editor (either local to the server or from an OU) and set this privilege:

  1. Start | Run | Gpedit.msc if editing the local policy, or choose the appropriate policy and edit it.

  2. Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment.

  3. Find and double click "Deny logon through Remote Desktop Services"

  4. Add the user and / or the group that you would like to deny access.

  5. Click OK.

  6. Either run gpupdate /force /target:computer or wait for the next policy refresh for this setting to take effect.

source

Pimp Juice IT

Posted 2016-07-17T20:00:50.490

Reputation: 29 425
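
One way to confirm the setting after the policy refresh, as an added example that is not part of the original answer: it exports the server's user rights assignments with `secedit` and lists who holds the deny right, warning if the built-in Administrators group itself is listed (the lockout the comment above describes). The group name `Admins-NoRDP` is a hypothetical placeholder; run it from an elevated PowerShell prompt on the server.

```powershell
# Added example: list the principals denied RDP logon on this server.
function Get-RdpDeniedPrincipal {
    $cfg = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the User Rights Assignment area of the local security policy
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        # "Deny log on through Remote Desktop Services" is stored under this constant
        $hit = Select-String -Path $cfg -Pattern '^SeDenyRemoteInteractiveLogonRight\s*=\s*(.*)$' |
               Select-Object -First 1
    } finally {
        Remove-Item $cfg -Force -ErrorAction SilentlyContinue
    }
    if (-not $hit) { return }   # the right is not assigned to anyone

    foreach ($entry in $hit.Matches[0].Groups[1].Value.Split(',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        $sid = $null
        try {
            if ($entry.StartsWith('*')) {
                # secedit writes SIDs with a leading '*'
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
            } else {
                $sid = (New-Object System.Security.Principal.NTAccount ($entry)).Translate(
                    [System.Security.Principal.SecurityIdentifier])
            }
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unresolved>'   # orphaned SID or unknown account name
        }
        [pscustomobject]@{ Entry = $entry; Sid = "$sid"; Name = $name }
    }
}

$denied = @(Get-RdpDeniedPrincipal)
$denied | Format-Table -AutoSize

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators
if ($denied.Sid -contains 'S-1-5-32-544') {
    Write-Warning 'BUILTIN\Administrators is denied RDP logon: no administrator can use Remote Desktop.'
}

$group = 'Admins-NoRDP'   # hypothetical group holding the administrators who must not use RDP
if (-not ($denied.Name -like "*\$group")) {
    Write-Warning "Group '$group' is not in the deny list; check that the policy has refreshed."
}
```

A deny entry takes precedence over the allow right, so a test logon with a member of the restricted group should be refused even though the account is an administrator.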