Deny a security group who is local administrator on a 2008 R2 print server
Hello Team,

We have a 2008 R2 print server where one security group, "TestAdmin", is assigned to the local Administrators group so that its members get all the permissions to control and access it via the Print Management console from their own client machines. However, we would like to block them from accessing the print server via RDP. So I tried to assign "TestAdmin" to the local policy "Deny log on through Remote Desktop Services", but a "Deny Domain Admin Logon" group policy is applied to the Server OU in our domain, so the add/remove user and group button is greyed out.

Would you please guide me on what I need to do to deny the "testadmin" group access to the server via RDP, and still give them local admin privilege in this circumstance?

FYI... I checked another local policy on the server: "Administrators and Remote Desktop Users" are assigned to "Allow log on through Remote Desktop Services".
May 30th, 2012 2:06pm

Would you please let me know anything I can try?
May 31st, 2012 11:39am


This got moved to Print server questions, but this is a security or remote desktop issue. Could one of the Moderators move this to a more appropriate forum?

Alan Morris
Windows Printing Team
May 31st, 2012 10:48pm


If you can't use a GPO, use gpedit locally on the server and select the user you want to block there. If you can't change the value because of a domain GPO, block the inheritance of it or change your server's OU.

To deny a user or a group logon via RDP, explicitly set the "Deny logon through Remote Desktop Services" privilege. To do this, access a group policy editor (either local to the server or from an OU) and set this privilege:

1. Start | Run | Gpedit.msc if editing the local policy, or choose the appropriate policy and edit it.
2. Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment.
3. Find and double-click "Deny logon through Remote Desktop Services".
4. Add the user and/or the group that you would like to deny access.
5. Click OK.
6. Either run gpupdate /force /target:computer or wait for the next policy refresh for this setting to take effect.

http://support.microsoft.com/kb/2258492

MCP | MCTS 70-236: Exchange Server 2007, Configuring
June 3rd, 2012 10:31pm
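One way to check the outcome of the steps above, as an added example that is not part of the original thread: it exports the User Rights Assignment currently in effect on the server with secedit, lists the accounts holding the RDP deny and allow rights, and writes a gpresult report showing which GPO supplies each setting. The domain name EXAMPLE, the temp file names and the helper Resolve-Entry are assumptions made for illustration.

```powershell
# Added example. Run in an elevated PowerShell prompt on the server (PowerShell 2.0 compatible).
param(
    # Assumption: EXAMPLE is a placeholder domain; TestAdmin is the group from the thread.
    [string]$Group = 'EXAMPLE\TestAdmin'
)

$rights = @{
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Remote Desktop Services'
}

# Export only the User Rights Assignment area of the security settings
# currently in effect on this machine.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null

function Resolve-Entry([string]$entry) {
    # secedit writes accounts as "*S-1-5-..." SIDs or as plain names.
    $entry = $entry.Trim()
    if (-not $entry.StartsWith('*S-')) { return $entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $entry   # SID that no longer resolves: report it unchanged
    }
}

# A right with no accounts assigned is simply absent from the export.
$assigned = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(\w+)\s*=\s*(.+)$' -and $rights.ContainsKey($matches[1])) {
        $assigned[$matches[1]] = @($matches[2].Split(',') | ForEach-Object { Resolve-Entry $_ })
    }
}
Remove-Item $cfg

foreach ($name in $rights.Keys) {
    $members = if ($assigned.ContainsKey($name)) { $assigned[$name] } else { @() }
    Write-Output ("{0}: {1}" -f $rights[$name], ($members -join ', '))
}

# Direct entries only: nested group membership is not expanded here.
$denied = $assigned.ContainsKey('SeDenyRemoteInteractiveLogonRight') -and ($assigned['SeDenyRemoteInteractiveLogonRight'] -contains $Group)
Write-Output ("{0} listed under the deny right: {1}" -f $Group, $denied)

# Report showing which GPO supplies each computer setting (the "winning GPO").
gpresult /scope computer /h (Join-Path $env:TEMP 'rsop_computer.html') /f
```

Running it before and after `gpupdate /force /target:computer` shows whether a domain GPO is overwriting the deny list on the server.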

Yagmoth555,

Thanks for the information. I already attempted to change the local policy "Deny Logon Through Remote Desktop Services", but it is linked via Group Policy, so the buttons are greyed out and I cannot change anything locally.

My goal is to create another GPO on top of the OU and put the print server in a Security Filter group to bypass it. I just wonder if this is possible. I will create an "Allow Logon Through Remote Desktop Services" GPO and apply it with higher priority than the "Deny Domain Admin Logon" GPO, and then I will put the computer name in the Security Filter group to block the inheritance of the GPO. If I do this, could I modify the local "Deny Logon Through Remote Desktop Services" policy? Would it work? Any suggestions?
June 7th, 2012 11:12pm


This topic is archived. No further replies will be accepted.
