Sometimes admins are lazy and abuse their rights to access clients or terminal services. This is not such a great idea, and at least for the central MS Terminal Server there is a solution to force usage of the standard user.
- Open a cmd with administrator rights and run gpedit.msc
- Navigate to: Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment
- Search for the entry: “Deny logon through Remote Desktop Services”
- Hint: I did not directly block the group “Administrators” or “Domain Admins”. I created a separate group called: G_RDP_NO-ADMIN-RDP
- Add your desired group in the dialog that comes up when double-clicking the entry
- Search for your group and click OK
- After the last acknowledgement the local security group policy is updated.
- Now the user sees the following note:
Now the specific group is prohibited from accessing the RDP service. Nevertheless, it is still possible to execute “run as” commands.
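
To confirm the setting without clicking through the GUI, the following added example (not part of the original post) exports the local user rights with secedit and checks that the group is listed under SeDenyRemoteInteractiveLogonRight, the internal name of the “Deny logon through Remote Desktop Services” policy. The temporary file name is an assumption; run it from an elevated PowerShell prompt on the terminal server.

```powershell
# Added example: verify the "Deny logon through Remote Desktop Services" assignment.
$GroupName = 'G_RDP_NO-ADMIN-RDP'                  # group name taken from the post
$Right     = 'SeDenyRemoteInteractiveLogonRight'   # internal name of the policy

# Export only the user rights section of the effective local security policy.
$cfg = Join-Path $env:TEMP 'user-rights.inf'       # assumed scratch file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" }
Remove-Item $cfg -Force

if (-not $line) {
    Write-Warning "$Right is not assigned to anyone."
    return
}

# The value is a comma-separated list of account names and *SID entries.
$entries = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() }
$names = foreach ($e in $entries) {
    if ($e.StartsWith('*')) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($e.TrimStart('*'))
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $e }   # SID could not be resolved, keep the raw entry
    } else {
        $e
    }
}

$names | ForEach-Object { "Denied RDP logon: $_" }

# Resolved names look like DOMAIN\Group or COMPUTER\Group; plain names have no prefix.
if ($names | Where-Object { $_ -like "*\$GroupName" -or $_ -eq $GroupName }) {
    "OK: $GroupName is denied logon through Remote Desktop Services."
} else {
    Write-Warning "$GroupName is NOT in the deny list."
}
```

Because “run as” still works for members of the group, this check only covers the interactive RDP logon path.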