How to disable Remote Desktop Access (RDP) For Administrator On Windows Server 2016

Administrators have access via RDP enabled by default.
However you may need to restrict remote access for a specific administrator: if you want to be sure that every task (backups for example), services or other operations that may launch using his credentials won’t stop working.

How to disable access through Remote Desktop (RDP) for the user with administrative privileges on Windows Server 2016 without disabling the user account itself: in such a way you can deny RDP access for any user who belongs to groups that have it – for instance, Administrators, Remote Desktop Users.

  1. Press Win+R.
  2. Type secpol.msc and hit Enter: secpol.msc
  3. Navigate to:
    Security Settings\Local Policies\User Rights Assignment
    1. Double-click on Deny log on through Remote Desktop Services:Deny log on through RDP
  4. Click Add User or Group: add User or Group
  5. Click Advanced: Select Users or Groups - Advanced
  6. Click Find Now:Select Users or Groups - Find Now
  7. Select the user you want to deny access via Remote Desktop and click OK: select user from the list
  8. Click OK here: select user

  9. Click OK again to save settings:Deny log on through Remote Desktop for selected administrator

When blocked user will attempt to log in to Remote Desktop session he will see the message:

To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Remote Desktop Users group have this right. If the group you’re in doesn’t have this right, or if the right has been removed from the Remote Desktop Users group, you need to be granted this right manually

Remote Desktop access denied for admin on Windows Server 2016

If you want to allow a user from the Administrators group access RDP, all you need to do is open the Local Policy, remove the user from the list and click OK:

remove user from denial list