I'm managing a Windows 2008 R2 Server box. For maintenance, I need for some hours to deny access to all users in the Remote Desktop Users and allow Administrators only.
I've tried in gpedit.msc
under User Rights to deny Users group, but still Administrators can't log in because it returns a rights error.
Why can't Administrators log in if I deny the Users group to use Remote Desktop Connection?
Best Answer
Denies always win over Allows, and Administrators are also (usually) members of the Users group.
Perhaps instead of adding the Users group to the "Deny log on through Remote Desktop Services" policy, you could remove all the users/groups except the Administrators group from the "Allow log on through Remote Desktop Services" policy?