How to allow RDP based on GPO while ALSO allowing local admins to RDP into member servers?

In my lab's DC, I've set up a "Lab RDP Group" and put a couple admins in there.  Then I did the steps in the following blog to restrict Remote Logins based on group policy:

http://www.dannyeckes.com/server-2012-enable-remote-desktop-rdp-group-policy-gpo/

But then local admins can no longer establish RDP sessions to servers.  We have reasons to still want local admins to log on to servers remotely.  But we also want to start using the domain group policy.

How can we have both?

August 18th, 2015 6:31pm

What's in your "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Remote Desktop Services" policy? If you removed "Administrators" from that setting, there's the problem: you've not granted access to use Remote Desktop Services to anyone other than the "Lab RDP Group" group. Add both the group you've created and "Administrators" to that setting and you're good to go.


August 18th, 2015 11:45pm

Hi NicHDs,

Thanks for your post.

By default, local administrators are members of the Remote Desktop group and they should be able to access the remote session. Please check whether you have removed the Remote Desktop group from the allow login to terminal services rights.

Please check the following articles for reference.

https://msdn.microsoft.com/en-us/library/cc771990.aspx?f=255&MSPPError=-2147217396

http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx

Best Regards,

Mary Dong

August 19th, 2015 3:30am
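
An added example (not part of the original thread) for checking the result on a member server: it exports the effective user rights with secedit and lists who holds SeRemoteInteractiveLogonRight, the constant behind "Allow log on through Remote Desktop Services". The function name Get-RdpLogonRightHolders is hypothetical, and the script assumes an elevated PowerShell session after the GPO has applied.

```powershell
# Added example: audit who holds "Allow log on through Remote Desktop Services"
# (SeRemoteInteractiveLogonRight) on the local machine. Run elevated.
function Get-RdpLogonRightHolders {
    param([string]$InfPath)   # optional: parse an existing secedit export instead

    $temp = $null
    if (-not $InfPath) {
        $temp = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
        secedit /export /cfg $temp /areas USER_RIGHTS | Out-Null
        $InfPath = $temp
    }
    try {
        $line = Get-Content -Path $InfPath |
            Where-Object { $_ -match '^\s*SeRemoteInteractiveLogonRight\s*=' } |
            Select-Object -First 1
    } finally {
        if ($temp) { Remove-Item $temp -ErrorAction SilentlyContinue }
    }
    if (-not $line) { return }   # the right is not assigned to anyone

    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if ($entry.StartsWith('*')) {
            # secedit writes resolvable principals as *SID
            $sid = $entry.TrimStart('*')
            try {
                $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $name = '<unresolved>' }
        } else {
            $sid = $null; $name = $entry   # entry exported by name only
        }
        [pscustomobject]@{ Sid = $sid; Name = $name }
    }
}

$holders = @(Get-RdpLogonRightHolders)
$holders | Format-Table -AutoSize

# Well-known SIDs: BUILTIN\Administrators and BUILTIN\Remote Desktop Users
$wellKnown = [ordered]@{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-32-555' = 'Remote Desktop Users' }
foreach ($wk in $wellKnown.GetEnumerator()) {
    $state = if ($holders.Sid -contains $wk.Key) { 'present' } else { 'MISSING' }
    '{0,-22} ({1}): {2}' -f $wk.Value, $wk.Key, $state
}
```

If Administrators shows as MISSING while the lab group is listed, the GPO has replaced the local assignment instead of adding to it, which matches the symptom in the question.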
