Sure, you can enable Deny logon through Terminal Services under local group
policy and add the administrator or any users there.
Yes, that will work, but not in my case.
Sorry, I oversimplified my initial question in order to avoid
confusing anyone. Here's the issue I'm facing. I have "publicly"
available machines at my workplace that any employee can use. To avoid
all the emails and phone calls requesting software be installed on
these machines we installed a return-to-state software package named
DeepFreeze. Since the machines will no longer save unwanted changes
(installations of programs, changes to system settings, ...) we decided
to make any employee that logs onto the machine a local administrator
so they can perform all the tasks that used to require our interaction
without us. Since these are "publicly" available machines, we have a
group policy in place to not allow users to lock the machines. The
users are also forced to reboot the machines after their session
completes in order to reset the machine.
Now that you have all the background info, the problem we face is that
since everyone that could potentially log in to those machines is a
local admin, anyone can remote desktop to those machines and use them
remotely, taking the machine out of use for someone that wanted to use
it locally. I'm basically looking for the least complex way to keep
everyone but domain admins from logging into the machines over remote
desktop. Sorry if I grossly oversimplified my question the first time
around. Any thoughts?