As you might know, administrators have access via RDP enabled by default. They even don’t need to be members of Remote Desktop Users group for this.
But in some situations you may need to restrict remote access for a specific administrator. For instance, if you want to be sure that every task (backups for example), services or other stuff that may launch using his credentials won’t stop working.
So here is how to disable access through Remote Desktop (RDP) for the user with administrative privileges on Windows Server 2016 without disabling the user account itself.
How To Disable Remote Desktop Access (RDP) for the user with administrative privileges on Windows Server 2016 without disabling the user account itself
In such a way you can deny RDP access for any user who belongs to groups that have it – for instance, Administrators, Remote Desktop Users.
- Press Win+R.
secpol.mscand hit Enter:
- Navigate to:
Security Settings\Local Policies\User Rights Assignment
- Double-click on Deny log on through Remote Desktop Services:
- Click Add User or Group:
- Click Advanced:
- Click Find Now:
- Select the user you want to deny access via Remote Desktop and click OK:
- Click OK here:
- Click OK again to save settings:
When blocked user will attempt to log in to Remote Desktop session he will see the message:
To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Remote Desktop Users group have this right. If the group you’re in doesn’t have this right, or if the right has been removed from the Remote Desktop Users group, you need to be granted this right manually
How To Allow User To Access The Server Through Remote Desktop Again
If you want to allow a user from the Administrators group access RDP, all you need to do is open the Local Policy, remove the user from the list and click OK: