Whether at work or at home, more and more people connect to their computers remotely rather than carry a heavy machine around. This is especially common in enterprises, where many engineers, developers and office workers are used to connecting to their work computers from home. By default, the system allows administrator accounts to use Remote Desktop, which poses a significant security risk to both servers and clients, because attackers often try to use that account to attack local server systems or client computers. The most direct and extreme approach is to disable the Administrator account, but that interferes with the network administrator's management of servers and maintenance of client systems. Some people instead rename the Administrator account to prevent attempts to use it for Remote Desktop connections, but these methods are far too inconvenient. Why not use the relevant Group Policy option to solve this security problem?
So let's look at how to prevent the Administrator account from being used for Remote Desktop connections while still allowing it to log on locally. As mentioned above, Group Policy can enforce this, and it is an easier and more convenient way to apply the change to a large number of computers in an enterprise. Let's see how it is done.
1. First, log on to the domain controller and click Start / Administrative Tools / Group Policy Editor. After the Group Policy Editor opens, create a new policy on the OU that contains the computers for which you want to block this access. Many previous posts have covered how a Group Policy is created; if you are not familiar with the steps, refer to steps 1-4 on creating a Group Policy in the Group Policy article "Add to IE Trusted Sites".
2. After the policy is created, open it for editing and navigate to the location outlined in the figure below.
3. Double-click the "Deny log on through Remote Desktop Services" policy item to open it. As shown in the following illustration, check "Define these policy settings", click "Add User or Group", type "Administrator" in the dialog box that pops up, and click OK twice to return to the Group Policy editing window.
4. After returning to the Group Policy editing window, you can see the result shown in the following figure.
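
To confirm on a target computer that the setting from step 3 has actually applied, the effective user rights can be exported and checked. This is an added example, not part of the original article; the function name `Test-AdministratorRdpDenied` and the scratch file path are assumptions made for illustration.

```powershell
# Added example: confirm on a target computer that the GPO has applied.
# Run elevated, after the policy has refreshed (gpupdate /force).
function Test-AdministratorRdpDenied {            # hypothetical helper name
    $cfg = Join-Path $env:TEMP 'user_rights.inf'  # scratch file (assumption)
    # Export only the User Rights Assignment area of the effective policy.
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed; is the prompt elevated?' }
    try {
        # SeDenyRemoteInteractiveLogonRight is the privilege behind
        # "Deny log on through Remote Desktop Services".
        $line = Get-Content $cfg |
            Where-Object { $_ -match '^\s*SeDenyRemoteInteractiveLogonRight\s*=' } |
            Select-Object -First 1
        $entries = @()
        if ($line) {
            $entries = @(($line -split '=', 2)[1].Split(',') |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
        $accounts = foreach ($e in $entries) {
            if ($e.StartsWith('*')) {
                # secedit writes resolved accounts as *SID; translate for readability.
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($e.TrimStart('*'))
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = '(unresolved SID)' }
                [pscustomobject]@{ Sid = $sid.Value; Name = $name }
            } else {
                # Names that could not be mapped to a SID are written as plain text.
                [pscustomobject]@{ Sid = $null; Name = $e }
            }
        }
        # The built-in Administrator always has RID 500, even if it was renamed.
        $hit = @($accounts | Where-Object {
            $_.Sid -match '^S-1-5-21-.+-500$' -or $_.Name -match '(^|\\)Administrator$'
        })
        [pscustomobject]@{
            Computer            = $env:COMPUTERNAME
            AdministratorDenied = ($hit.Count -gt 0)
            DeniedAccounts      = @($accounts)
        }
    }
    finally { Remove-Item $cfg -ErrorAction SilentlyContinue }
}

Test-AdministratorRdpDenied | Format-List
```

If `AdministratorDenied` is `False` after a policy refresh, check that the computer account is in the OU the policy is linked to and that the GPO is being applied.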