Is it possible to specify users or groups that have Remote Desktop permissions through Group Policy in AD?
You can prevent users or groups from using Remote Desktop by removing their ability to do a network logon on the machines in question. That is, you can create a GPO specifically for an OU that prevents users from connecting. To prevent users or groups from using a network connection of any type, use the "Windows Settings/Security Settings/Local Policies/User Rights Assignments/Deny access to this computer from the network" policy. Add the groups you wish to deny access to. Remember, however, that they also will not be able to access file shares (a good thing on a desktop or server that is not a file server, a bad thing for a domain controller or file server). To specifically deny Remote Desktop access, use the "Windows Settings/Security Settings/Local Policies/User Rights Assignments/Deny log on through Terminal Services" policy. Add the groups you wish to deny.
Group Policy Administrative Templates can be used to control Remote Assistance options (Remote Assistance uses Remote Desktop). Computer Administrative Templates control solicited and offered Remote Assistance (whether it is allowed, hours, method). The setting "Remote Assistance/Offer Remote Assistance Properties" also allows you to specify which Windows group's members are allowed to offer Remote Assistance without an invitation.
This was first published in November 2004
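As an added example that is not part of the original answer, the PowerShell below checks, on a given machine, which principals actually ended up in the two deny rights the answer describes once the GPO has applied. It must be run elevated; the function name, the temporary file handling and the domain-controller warning are my own assumptions, not Microsoft tooling.

```powershell
# Audit the two "Deny" user rights named in the answer on the local machine, so the
# result of the GPO can be verified. Run elevated; secedit.exe ships with Windows.
# Function and variable names are my own, not part of any Microsoft tooling.
function Get-DenyLogonRights {
    # secedit names for the policies in the answer ("Terminal Services" is now
    # "Remote Desktop Services" in the policy editor; the constant is unchanged).
    $rightsOfInterest = @{
        SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
        SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
    }
    $cfg = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export the effective local security policy, which includes what Group Policy applied.
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $lines = Get-Content -Path $cfg -ErrorAction Stop
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
    foreach ($line in $lines) {
        # Lines look like: SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-21-...-1105
        if ($line -notmatch '^(?<right>Se\w+)\s*=\s*(?<value>.*)$') { continue }
        $right = $Matches.right
        if (-not $rightsOfInterest.ContainsKey($right)) { continue }
        $principals = foreach ($token in ($Matches.value -split ',')) {
            $token = $token.Trim()
            if ($token.StartsWith('*')) {
                # secedit writes SIDs with a leading '*'; resolve to names where possible.
                $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $token.TrimStart('*')
                try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
            } elseif ($token) { $token }
        }
        [pscustomobject]@{ Policy = $rightsOfInterest[$right]; Right = $right; Principals = $principals }
    }
}

# Usage: list the rights, then flag the caveat from the answer: denying network logon
# on a domain controller or file server also cuts those principals off from file shares.
$result = Get-DenyLogonRights
$result | Format-Table -AutoSize
$isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4   # 4 = backup DC, 5 = primary DC
$netDeny = $result | Where-Object { $_.Right -eq 'SeDenyNetworkLogonRight' }
if ($isDc -and $netDeny -and $netDeny.Principals) {
    Write-Warning 'SeDenyNetworkLogonRight is populated on a domain controller; those principals also lose SMB share access.'
}
```

A right that secedit exports with no entries simply produces no row, so an empty result for a machine in the targeted OU means the GPO has not applied yet (try `gpupdate /force` and `gpresult /r`).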