Hi,

We would like to prevent the local administrator account on each PC from having rights to logon via Remote Desktop Services. I have found the necessary policy to do this:

Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment and then

'Deny log on through Remote Desktop Services'

Whilst enable this and defining the policy is not a problem, I am not sure of the syntax or correct form to add the built in administrator for the PC it is being applied to.

BUILTIN\Adminstrators is the whole group, don't want to do that, domain users/groups are easy. .\Administrator doesn't work. Typing in just 'Administrator' is allowed, but I am not sure which administrator that is applying to!

Any thoughts would be great. Thanks in advance.

As per my test, simply add Administrator will be resolved as the built-in domain administrator.

-

By default, the local built-in Administrators group has the right to logon via RDS, and the local Administrator account is the member of the Administrators group.

-

So one workaround here to "prevent the local administrator account on each PC from having rights to logon via Remote Desktop Services", is to remove the local administrator account from the built-in administrators group, via Restricted group policy:

https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups

A.B

• Edited by Aravindhan Battepati Monday, August 31, 2015 7:36 AM
• Marked as answer by Ethan HuaMicrosoft contingent staff, Moderator 2 hours 43 minutes ago

Hi,
 
Just checking in to see if above information was helpful. Please let us know if you would like further assistance.
 
Thanks,
 

Regards,

Eth

Hi,
 
I'm marking the reply as answer as there has been no update for a couple of days.
 
If you come back to find it doesn't work for you, please reply to us and unmark the answer.
 

Regards,

Eth