Block Local Built-In PC Administrator account from logging in via Remote Desktop Services

Hi,

We would like to prevent the local administrator account on each PC from having rights to log on via Remote Desktop Services. I have found the necessary policy to do this:

Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment and then

'Deny log on through Remote Desktop Services'

Whilst enabling this and defining the policy is not a problem, I am not sure of the syntax or correct form to add the built-in administrator for the PC it is being applied to.

BUILTIN\Administrators is the whole group, don't want to do that; domain users/groups are easy. .\Administrator doesn't work. Typing in just 'Administrator' is allowed, but I am not sure which administrator that is applying to!

Any thoughts would be great. Thanks in advance.

August 27th, 2015 3:21am

As per my test, simply adding Administrator will be resolved as the built-in domain administrator.

By default, the local built-in Administrators group has the right to log on via RDS, and the local Administrator account is a member of the Administrators group.

So one workaround here to "prevent the local administrator account on each PC from having rights to logon via Remote Desktop Services", is to remove the local administrator account from the built-in administrators group, via Restricted group policy:

https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups

A.B

August 31st, 2015 3:37am
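
A way to check, on a PC that has received the policy, which account an entry such as 'Administrator' actually resolved to (added example, not part of the original thread; the function name `Get-DenyRdpLogonEntries` is hypothetical). It exports the local user rights assignments with `secedit` and compares the SIDs listed under 'Deny log on through Remote Desktop Services' with the machine's own RID-500 account. It assumes an elevated PowerShell session.

```powershell
# Added example: run elevated on the PC the GPO applies to.
# Get-DenyRdpLogonEntries is a hypothetical helper name, not a built-in cmdlet.
function Get-DenyRdpLogonEntries {
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    # Export only the User Rights Assignment area of the effective local policy.
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg |
        Where-Object { $_ -match '^SeDenyRemoteInteractiveLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return }   # the right is not defined on this machine

    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        $sid = $null
        if ($entry.StartsWith('*')) {
            # secedit writes principals it could resolve as *<SID>.
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '<unresolved>' }
        } else {
            # Stored as a bare name: resolve it the way this machine would.
            $name = $entry
            try {
                $acct = New-Object System.Security.Principal.NTAccount($entry)
                $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier])
            } catch { }
        }
        [pscustomobject]@{ Entry = $entry; Account = $name; Sid = "$sid" }
    }
}

# The built-in local Administrator is the local account whose SID ends in -500
# (machine SID + RID 500); the domain Administrator has the domain SID + RID 500.
$local500 = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -match '-500$' }

$entries = @(Get-DenyRdpLogonEntries)
$entries | Format-Table -AutoSize

if ($entries.Sid -contains $local500.SID) {
    "Local built-in Administrator ($($local500.Caption)) IS denied RDP logon."
} else {
    "Local built-in Administrator ($($local500.Caption)) is NOT in the deny list."
}
```

If the `Account` column shows a domain prefix for the entry and the SID does not match the local RID-500 SID, the bare name was resolved to the domain account rather than the PC's own.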

This topic is archived. No further replies will be accepted.
