How to stop users logging onto DC

Is it possible to stop users logging onto the domain controller?
Please do not mention 'Deny log-on locally' I'm talkiing about users who accidently might put in their user name and password into RDC. Let's say I've just been on their machine using RDC. The next time they use RDC to connect to a remote server, they just hit connect, understandably, and do not notice the address field now points to our DC rather than the remote machine.
On the domain controller, 'Deny local log-on' only applies to users attempting  to physically log-on the server; I think.
I just do not want accounts created on the domain controller except mine and admin.
Is this possible?
Is there a GPO setting that can stop this?
Who is Participating?
Jason WatkinsConnect With a Mentor IT Project LeaderCommented:

You can go into the GPO for the server (DC GPO) and look for the "Allow Log in through Terminal Services"  Add the folks that should have access, all others will not have the ability to do so.  Standard user accounts should not be able to log onto a DC anyway.

Leon TealePenetration TesterCommented:
isnt there a setting on the DC itsself to only allow admins to log on?
Jason WatkinsIT Project LeaderCommented:
Active directory should not allow anyone other than a domain admin, server admin, account operator, etc... To log in.
jasonbourneciaAuthor Commented:
Thanks Firebar,
Had a look at the setting, and it is not configured, therefore admin only.
What I don't understand is why under Documentss and settings on the server, the DC, was one of my users!!!!
Got her to try again and she is locked out.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.