ikalo: Good advice on the groups. I guess I just expected them to create groups instead of just working with users. Groups are a lot easier to manage.

Another thing you can do to explicitly deny users remote access is to add them to a deny group. Then in group policy, put just the group name in there for denied remote logon.

Then you will have two groups. One group that can use terminal services (RDP), but is denied local logon. Another group that has local logon, but is denied RDP.

If nothing else, deny your administrators group remote logon via group policy.

If anybody gets remote access to your machine, they will have to use privilege escalation techniques, or run as. You could also deny admin secondary logon (run as). However, I don't like to do that. It depends on the box's purpose.

I often like to use run as remotely though. I won't log into a box with admin priv, but I'll "su" or run as to do what I need.
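
An added example, not part of the original post: a PowerShell check over a `secedit` user-rights export that verifies the deny assignments described above, including the "deny Administrators remote logon" baseline. The group names `RdpOnlyUsers` and `LocalOnlyUsers` and the sample export are constructed for illustration.

```powershell
# Added example. Sample export and the two custom group names are constructed.
# Real input comes from: secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,LocalOnlyUsers
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,RdpOnlyUsers
SeDenyInteractiveLogonRight = RdpOnlyUsers
SeDenyRemoteInteractiveLogonRight = LocalOnlyUsers
'@

function Get-UserRight {
    # Parse the [Privilege Rights] section into right name -> list of principals.
    param([string[]]$Lines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $rights[$name] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    $rights
}

function Test-DenyLogon {
    param([hashtable]$Rights)
    $admins     = '*S-1-5-32-544'   # BUILTIN\Administrators
    $denyRemote = @($Rights['SeDenyRemoteInteractiveLogonRight'] | Where-Object { $_ })
    $denyLocal  = @($Rights['SeDenyInteractiveLogonRight'] | Where-Object { $_ })
    $allowRdp   = @($Rights['SeRemoteInteractiveLogonRight'] | Where-Object { $_ })
    $findings = @()
    if ($denyRemote -notcontains $admins) {
        $findings += 'Administrators is not denied logon through Remote Desktop Services'
    }
    foreach ($p in $denyRemote) {
        if ($denyLocal -contains $p) { $findings += "$p is denied both local and remote logon" }
        if ($allowRdp -contains $p)  { $findings += "$p is both allowed and denied RDP; the deny takes precedence" }
    }
    $findings
}

Test-DenyLogon -Rights (Get-UserRight -Lines ($sample -split '\r?\n'))
```

To audit a live machine, pass `Get-Content` of a real export to `Get-UserRight` in place of the constructed sample.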