Disable Remote Desktop Access (RDP) For Administrator On Windows Server 2016

As you might know, administrators have RDP access enabled by default. They don't even need to be members of the Remote Desktop Users group for this. But in some situations you may need to restrict remote access for a specific administrator. For instance, you may want to be sure that every task (backups, for example), service or anything else launched with his credentials won't stop working. So here is how to disable access through Remote Desktop (RDP) for a user with administrative privileges on Windows Server 2016 without disabling the user account itself.

How To Disable Remote Desktop Access (RDP) for the user with administrative privileges on Windows Server 2016 without disabling the user account itself

This way you can deny RDP access to any user who belongs to groups that have it, for instance Administrators or Remote Desktop Users.

    1. Press Win+R.
    2. Type secpol.msc and hit Enter.
    3. Navigate to:
      Security Settings\Local Policies\User Rights Assignment
    4. Double-click on Deny log on through Remote Desktop Services.
    5. Click Add User or Group.
    6. Click Advanced.
    7. Click Find Now.
    8. Select the user you want to deny access via Remote Desktop and click OK.
    9. Click OK in the Select Users or Groups window.
    10. Click OK again to save settings.
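
The result of the steps above can be checked from an elevated PowerShell prompt. The script below is an added example, not part of the original article: it exports the user rights with secedit and looks for the account under SeDenyRemoteInteractiveLogonRight, the internal name of this policy. The account name SRV01\backupadmin is hypothetical.

```powershell
# Added example: confirm that an account is listed under
# "Deny log on through Remote Desktop Services". Run from an elevated prompt.
# 'SRV01\backupadmin' is a hypothetical account name; replace it with your own.
$Account  = 'SRV01\backupadmin'
$SidType  = [System.Security.Principal.SecurityIdentifier]
$NameType = [System.Security.Principal.NTAccount]

function Get-DenyRdpLogonSid {
    # Export only the User Rights Assignment area to a temporary INF file.
    $inf = Join-Path $env:TEMP ('user-rights-{0}.inf' -f [guid]::NewGuid())
    try {
        secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

        # The policy is stored under the constant SeDenyRemoteInteractiveLogonRight.
        $line = Get-Content $inf |
            Where-Object { $_ -match '^\s*SeDenyRemoteInteractiveLogonRight\s*=' } |
            Select-Object -First 1
        if (-not $line) { return }          # nobody is assigned this right

        foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            if ($entry.StartsWith('*')) {
                $entry.Substring(1)          # already a SID, written as *S-1-5-...
            } else {
                # Some entries are written as plain names; normalise them to a SID.
                ([System.Security.Principal.NTAccount]$entry).Translate($SidType).Value
            }
        }
    }
    finally { Remove-Item $inf -ErrorAction SilentlyContinue }
}

$targetSid = ([System.Security.Principal.NTAccount]$Account).Translate($SidType).Value
$denied    = @(Get-DenyRdpLogonSid)

# Show every denied entry by name so group entries are visible too.
foreach ($sid in $denied) {
    try   { ([System.Security.Principal.SecurityIdentifier]$sid).Translate($NameType).Value }
    catch { $sid }                           # SID that no longer resolves
}

if ($denied -contains $targetSid) { "$Account is denied RDP logon (listed directly)." }
else { "$Account is NOT listed directly; check the groups shown above." }
```

The check only matches the account itself; if a group appears in the output, its members are denied as well.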

When a blocked user attempts to log in to a Remote Desktop session, he will see the message:

To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Remote Desktop Users group have this right. If the group you’re in doesn’t have this right, or if the right has been removed from the Remote Desktop Users group, you need to be granted this right manually

How To Allow User To Access The Server Through Remote Desktop Again

If you want to allow a user from the Administrators group to access the server through RDP again, all you need to do is open the Local Security Policy (secpol.msc), remove the user from the Deny log on through Remote Desktop Services list and click OK.

That’s it.

1 comment

  1. This option also allows the user to either Log Off or SHUT DOWN. Wow… this is brutal. A standard user can shut down a Server Computer.
