Consider the following setup:
1. Windows 2008 Server member server.
2. Windows Server 2003 member server.
3. Within the Active Directory Users and Computers snap-in, choose a user and open the Remote Desktop Services Profile tab. If the domain controller is running Windows Server 2003, this tab is called Terminal Services Profile. Here, set the 'Deny this user permission to logon to a Remote Desktop Session Host server' setting. Again, in Windows Server 2003 this is called 'Deny this user permission to logon to any Terminal Server'.
4. Set this user as a member of either the "Remote Desktop Users" group or the local "Administrators" group on both the Windows Server 2003 and the Windows Server 2008 servers.
Now use this user's credentials to log on to the Windows 2003 member server via RDP; you will notice that this user is blocked. However, this user will be able to log on to the Windows Server 2008 server.
1. Start | Run | Gpedit.msc if editing the local policy, or choose the appropriate policy and edit it.
2. Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment.
3. Find and double-click "Deny logon through Remote Desktop Services".
4. Add the user and/or the group that you would like to deny access.
5. Click OK.
6. Either run gpupdate /force /target:computer or wait for the next policy refresh for this setting to take effect.
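To confirm the setting after the policy refresh, the following added example (not part of the original article) exports the computer's User Rights Assignment with secedit and lists the accounts that hold SeDenyRemoteInteractiveLogonRight, the internal name of "Deny logon through Remote Desktop Services". It assumes PowerShell 2.0 or later and an elevated prompt on the member server; the function name Get-DenyRdpLogonAccounts and the temporary file name are hypothetical.

```powershell
# Added example: report which accounts hold the deny right on this computer.
# Assumption: run from an elevated PowerShell 2.0+ prompt on the member server.
function Get-DenyRdpLogonAccounts {
    $cfg = Join-Path $env:TEMP 'user-rights.inf'   # hypothetical temp file name
    # Export only the User Rights Assignment area of the local security policy.
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $cfg |
            Where-Object { $_ -match '^SeDenyRemoteInteractiveLogonRight\s*=' }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
    if (-not $line) { return @() }   # the right is not assigned to anyone

    # The value is a comma-separated list of account names and *SID entries.
    $entries = ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }

    foreach ($entry in $entries) {
        if ($entry.StartsWith('*')) {
            # secedit writes SIDs with a leading asterisk; resolve to a name if possible.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }   # unresolvable SID: report it as-is
        } else {
            $entry
        }
    }
}

$denied = @(Get-DenyRdpLogonAccounts)
if ($denied.Count -eq 0) {
    Write-Output 'No account is assigned "Deny logon through Remote Desktop Services".'
} else {
    Write-Output 'Accounts denied logon through Remote Desktop Services:'
    $denied | ForEach-Object { "  $_" }
}
```

If the user was added through a group, the output shows the group rather than the user, so check group membership separately.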
Article ID: 2258492 - Last Review: 29-Jun-2010 - Revision: 1