|Platform: win2012r2||Date: (C)2015-10-08 (M)2018-03-24|
Deny log on through Remote Desktop Services
This policy setting determines whether users can log on as Terminal Services clients. After the baseline member server is joined to a domain environment, there is no need to use local accounts to access the server from the network. Domain accounts can access the server for administration and end-user processing.
When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
Windows 8.1 and Windows Server 2012 R2 introduces a new pseudo group called ?Local Account? that any local-account logon gets in its token and that has been backported to Windows 7 and Window Server 2008 R2 and later versions that have KB 2871997 installed. Guests and Local Account should be denied network logon. Also, the Enterprise Admins and Domain Admins groups should also be denied all access on all clients and servers except for Domain Controllers and dedicated administrative workstations.
Note The Enterprise Admins and Domain Admins groups are domain-specific and cannot be specified in generic baselines such as those in SCM. These must be manually added to the Group Policy setting.
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment!Deny log on through Remote Desktop Services
(2) WMI: root\rsop\computer#RSOP_UserPrivilegeRight#AccountList#UserRight='SeDenyRemoteInteractiveLogonRight' and precedence=1