Q: How can I stop administrators from being able to RDP to a machine?
A: There are several ways to stop administrators from having Remote Desktop access to an OS. The cleanest way is to remove the local Administrators group from the Allow log on through Remote Desktop Services user right. However, a local administrator can simply grant that right back (by editing the local policy, or by adding an account to a group that still holds it), so if there is a specific reason you don't want an administrator to log on through RDP, enforce the setting from a domain Group Policy Object rather than local policy, and use the Deny right, which an account cannot override by being in an allowed group:
- Start the local Group Policy Editor (gpedit.msc), or for multiple machines edit the Group Policy Object (GPO).
- Navigate to Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment.
- Double-click Allow log on through Remote Desktop Services and remove the Administrators group, then click OK. Alternatively, double-click Deny log on through Remote Desktop Services and add the group you want blocked, Domain Admins for example, then click OK. A member of the Deny group won't have RDP access even if that member also belongs to a group in the Allow list: Deny takes precedence over Allow.
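The same Deny setting applied from the command line, as an added example that is not part of the original answer. It uses secedit.exe, which is what the Local Security Policy editor writes through, so it is the scriptable equivalent of the gpedit.msc steps above on a single machine (for many machines, put the same right in a domain GPO). It assumes an elevated PowerShell session on a domain-joined host; the domain name CORP and the temporary directory are placeholders.

```powershell
# Added example: put Domain Admins in "Deny log on through Remote Desktop
# Services" (SeDenyRemoteInteractiveLogonRight) with secedit, merging with
# whatever is already denied rather than overwriting it.
$domainGroup = "CORP\Domain Admins"   # placeholder: replace CORP with your domain

# secedit templates reference accounts as *<SID>, so resolve the group first.
$sid = (New-Object System.Security.Principal.NTAccount($domainGroup)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$work = Join-Path $env:TEMP "rdp-deny"      # placeholder working directory
New-Item -ItemType Directory -Force -Path $work | Out-Null

# 1. Export the current user-rights assignment (secedit writes UTF-16 with BOM,
#    which Get-Content detects).
$exportCfg = Join-Path $work "current.inf"
secedit.exe /export /cfg $exportCfg /areas USER_RIGHTS | Out-Null

# The Deny line is absent entirely when nobody is denied yet.
$denyLine = Get-Content $exportCfg | Where-Object { $_ -match '^SeDenyRemoteInteractiveLogonRight\s*=' } |
            Select-Object -First 1
$existing = @()
if ($denyLine) {
    $existing = ($denyLine -split '=', 2)[1].Trim() -split ',' | Where-Object { $_ }
}
$members = @($existing + "*$sid" | Select-Object -Unique)

# 2. Write a minimal template that touches only this one right. Rights not
#    listed in the template are left as they are.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyRemoteInteractiveLogonRight = {0}
'@
$applyCfg = Join-Path $work "deny-rdp.inf"
($template -f ($members -join ',')) | Set-Content -Path $applyCfg -Encoding Unicode

# 3. Apply it. Deny wins over Allow, so Domain Admins lose RDP even though they
#    remain members of the local Administrators group, which still holds the
#    Allow right.
secedit.exe /configure /db (Join-Path $work "deny-rdp.sdb") /cfg $applyCfg /areas USER_RIGHTS | Out-Null

# 4. Verify by re-exporting and showing both RDP-related rights side by side.
$verifyCfg = Join-Path $work "after.inf"
secedit.exe /export /cfg $verifyCfg /areas USER_RIGHTS | Out-Null
Get-Content $verifyCfg | Where-Object { $_ -match 'RemoteInteractiveLogonRight' }
```

The final export should show the Domain Admins SID (the domain SID ending in -512) under SeDenyRemoteInteractiveLogonRight while SeRemoteInteractiveLogonRight still lists *S-1-5-32-544 (Administrators) and *S-1-5-32-555 (Remote Desktop Users). If the machine receives a domain GPO that sets either right, the GPO value replaces whatever this script wrote at the next policy refresh, which is exactly why the durable place for the setting is the GPO.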
Depending on why you want to block the administrator, this might not be the best solution. The denied person would still learn that he or she had the correct password: the credentials are authenticated first, and only then does the user see a message that the account is not authorized for remote logon. Note also that this right governs only Remote Desktop; an administrator denied RDP can still reach the machine through other remote administration channels. Another approach, which keeps unwanted sources from reaching the RDP listener at all, is to allow only certain IP address ranges to connect, for example through the endpoint access lists or network security groups of services such as Azure.
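The IP-range approach in its current Azure form, as an added example that is not part of the original answer: a network security group (the successor to the classic endpoint access control list mentioned above) that admits TCP 3389 only from one management range and explicitly denies it from everywhere else. It uses the Az PowerShell module; the resource group, NSG name and the 203.0.113.0/24 range are placeholders.

```powershell
# Added example: scope RDP on an Azure VM to a single source range with NSG
# rules. Lower priority numbers are evaluated first, so the Allow at 100 is
# matched before the Deny at 110, and the Deny catches every other source
# ahead of any broader allow rule that may exist at a higher number.
$rg      = "rg-placeholder"          # placeholder resource group
$nsgName = "nsg-placeholder"         # placeholder NSG attached to the VM NIC or subnet
$mgmtNet = "203.0.113.0/24"          # placeholder management range (RFC 5737 documentation block)

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName

# Allow 3389/tcp only from the management range...
$nsg | Add-AzNetworkSecurityRuleConfig -Name "Allow-RDP-From-Mgmt" -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $mgmtNet -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 3389 | Out-Null

# ...and deny it from any other source, so a later "allow all" rule cannot
# reopen the port by accident.
$nsg | Add-AzNetworkSecurityRuleConfig -Name "Deny-RDP-From-Other" -Priority 110 `
    -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 3389 | Out-Null

# Push the updated rule set to Azure.
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Verify the effective ordering for port 3389: the Allow must sort first.
Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg |
    Where-Object { $_.DestinationPortRange -contains "3389" } |
    Sort-Object Priority |
    Select-Object Name, Priority, Access, SourceAddressPrefix
```

Unlike the Deny user right, a source outside the allowed range never completes a TCP handshake with the RDP listener, so it learns nothing about whether its password is valid. The two controls complement each other: the NSG limits who can reach the port, the user right limits who can log on once they do.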