Our computer setup rotine for all employes is to enable RDP through the System Properties applet. Occasionally our IT group (Domain Admin group) will need to RDP into a computer that has RDP disabled. I know we can set RDP to on through Group Policy, and I think we need to set the RDP exception in the firewall in Group Policy as well. I think that should work, but that will allow everyone to be able to RDP into any computer if they know how.
How can we allow only the Domain Admins to RDP in any computer, but limit that ability to the other users?