Q: How can I easily block logons through Remote Desktop Services to domain-joined machines using a local user or administrator account?
A: In Windows 8.1 and Windows Server 2012 R2, Microsoft introduced two new security accounts that you can leverage to prevent local users and administrators from using Remote Desktop Services to log on to domain-joined machines. The new security accounts are named "Local account" (SID S-1-5-113) and "Local account and member of Administrators group" (SID S-1-5-114). The new accounts can also be added to Windows 8, Windows 7, Windows Server 2012, and Windows Server 2008 R2 systems after installing the patch discussed in Microsoft Security Advisory: Update to improve credentials protection and management: May 13, 2014.
Windows adds the "Local account" SID to a user's access token at logon time if the user account being authenticated is a local account. The "Local account and member of Administrators group" SID is added to the token if the local account used for authentication is also a member of the local machine's Administrators group.
In your case, you can assign the new accounts to the Deny log on through Remote Desktop Services user right in a domain-level Group Policy Object (GPO). Without these new accounts and SIDs, you'd need to explicitly assign the exact name of each local account to the Deny log on through Remote Desktop Services user right on all your domain member machines to achieve the same effect.
