How to stop users logging onto DC

Is it possible to stop users logging onto the domain controller?
Please do not mention 'Deny log-on locally'; I'm talking about users who accidentally might put in their user name and password into RDC. Let's say I've just been on their machine using RDC. The next time they use RDC to connect to a remote server, they just hit connect, understandably, and do not notice the address field now points to our DC rather than the remote machine.
On the domain controller, 'Deny local log-on' only applies to users attempting to physically log on to the server, I think.
I just do not want accounts created on the domain controller except mine and admin.
Is this possible?
Is there a GPO setting that can stop this?

Jason Watkins, IT Project Leader, commented:

You can go into the GPO for the server (DC GPO) and look for the "Allow Log in through Terminal Services". Add the folks that should have access; all others will not have the ability to do so. Standard user accounts should not be able to log onto a DC anyway.
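
A way to check what the setting named in this answer resolves to on the DC, as an added example that is not part of the original thread: it exports the machine's user rights with `secedit` and lists the accounts holding the allow and deny Terminal Services logon rights. The scratch file path is an assumption; run it from an elevated PowerShell prompt on the DC.

```powershell
# Added example: list who holds the Terminal Services (RDP) logon rights here.
$rights = @{
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Terminal Services'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Terminal Services'
}

$cfg = Join-Path $env:TEMP 'user-rights.inf'   # scratch file (assumed path)
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

try {
    $lines = Get-Content -Path $cfg
    foreach ($right in $rights.Keys) {
        $line = $lines | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
        if (-not $line) {
            # The right is absent from the export: no account holds it.
            Write-Output ("{0}: <nobody assigned>" -f $rights[$right])
            continue
        }
        # Value is a comma-separated list of account names and *SID entries.
        $entries = ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($entry in $entries) {
            $name = $entry
            if ($entry.StartsWith('*')) {
                # secedit writes SIDs as *S-1-...; translate to a name when possible.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = "$($sid.Value) (unresolved)" }
            }
            Write-Output ("{0}: {1}" -f $rights[$right], $name)
        }
    }
}
finally {
    # The export contains security policy details; do not leave it behind.
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}
```

Any account or group listed under the allow right that is not meant to administer the DC is the thing to remove in the GPO.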


Leon Teale, Penetration Tester, commented:
Isn't there a setting on the DC itself to only allow admins to log on?
Jason Watkins, IT Project Leader, commented:
Active Directory should not allow anyone other than a domain admin, server admin, account operator, etc. to log in.
jasonbournecia, Author, commented:
Thanks Firebar,
Had a look at the setting, and it is not configured, therefore admin only.
What I don't understand is why under Documents and Settings on the server, the DC, was one of my users!!!!
Got her to try again and she is locked out.
Windows Server 2003