win 2k DC
win 2003 server running terminal services
for certain domain users, i want to prevent RDP to the server running terminal services, but not prevent RDP to their desktop computers.
under computer management, there is a Group called Remote Desktop Users. it originally had domain\users as Member, and all domain users belong to that AD group.
i created a new domain group called RDP Users, and added users that should have permission to RDP to the server. i then removed the domain\users group from the Remote Desktop Users (local group on the server) and added the new RDP Users group.
i tested by using a domain account that is not a member of RDP Users... and i can still connect to the server. if i edit that domain profile and select the option to not allow the account to use terminal services, i am unable to RDP to a desktop pc in the domain. how do i configure things so that particular domain accounts are not allowed to RDP to the server, but can still RDP to their desktop pc?