April 27, 2004 12:00 AM

Take Control of Your TSCALs!

Assign Terminal Services Client Access Licenses only to computers that really need them
Windows IT Pro
InstantDoc ID #42278

A user who tries to run Remote Desktop Connection after you've locked it down will see a message like the one Figure 3 shows. Note that the hash rule setting prevents anyone from running Remote Desktop Connection from the computer for any reason, even for remote administration purposes or to access a remote XP computer. No setting exists that means "only run Remote Desktop Connection if it won't allocate a TSCAL to this computer."

Using this software restriction policy, however, doesn't remove the Remote Desktop Connection icon from the Start menu or the Accessories folder (although the user will see the option to remove the icon if it's on the Start menu). Thus, you must either delete the icon or be prepared for Help desk calls about it.

If you don't use Windows 2003 DCs but run XP on the desktop, you can edit the software restriction policy locally by using the MMC Local Security Policy snap-in. Because administrators can change the policy, editing it locally works better for users who aren't local administrators for their computers. You must reboot the computer for the policy to take effect.

If you run Win2K Server but don't use Win2K DCs and desktops, you can use Win2K Server Group Policy to prevent execution of Remote Desktop Connection, but it's less effective than a software restriction policy. A software restriction policy prevents the application from running regardless of how it's launched (e.g., from the Run command, from the command line, from Windows Explorer); group policies that restrict application execution apply only to applications that run from Windows Explorer. To prevent access to applications, you must also prevent access to the command prompt, Run, and Task Manager, which contains Run. Additionally, you can't prevent access to Run or Task Manager for computers—only for users—or disable backdoors in applications (such as Microsoft Word's Web toolbar, which lets you browse for executables).
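
A hash rule identifies one exact build of the executable, so after a service pack or update it is worth confirming that the rule still covers the installed client. The following PowerShell audit is an added example, not code from the article. It assumes PowerShell 4.0 or later, the client at System32\mstsc.exe, rules stored under the Safer\CodeIdentifiers policy key, and rules that hold the plain MD5 or SHA-1 digest of the file.

```powershell
# Added example (not from the article): report whether this computer's
# Remote Desktop Connection client matches a Disallowed SRP hash rule.
# Assumptions: PowerShell 4.0+ (Get-FileHash); mstsc.exe in System32; rules
# stored under the Safer\CodeIdentifiers policy key, level 0 = Disallowed.
$target   = Join-Path $env:SystemRoot 'System32\mstsc.exe'
$rulesKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes'

# HashAlg values stored with each rule (CryptoAPI ALG_IDs).
$algNames = @{ 32771 = 'MD5'; 32772 = 'SHA1' }

if (-not (Test-Path -LiteralPath $target)) { throw "Not found: $target" }
$fileHash = @{}   # cache: algorithm name -> hex digest of the local file

$rules = @()
if (Test-Path -LiteralPath $rulesKey) {
    $rules = @(Get-ChildItem -LiteralPath $rulesKey)
}

$matched = $false
foreach ($rule in $rules) {
    $p   = Get-ItemProperty -LiteralPath $rule.PSPath
    $alg = $algNames[[int]$p.HashAlg]
    if (-not $alg -or -not $p.ItemData) { continue }   # unknown algorithm or empty rule

    # Hash the local file once per algorithm actually used by a rule.
    if (-not $fileHash.ContainsKey($alg)) {
        $fileHash[$alg] = (Get-FileHash -LiteralPath $target -Algorithm $alg).Hash
    }
    # ItemData is the rule's digest as a byte array; render it as upper-case hex.
    $ruleHash = -join ($p.ItemData | ForEach-Object { $_.ToString('X2') })

    if ($ruleHash -eq $fileHash[$alg]) {
        $matched = $true
        Write-Output "BLOCKED by rule $($rule.PSChildName) ($alg): $($p.FriendlyName)"
    }
}

if (-not $matched) {
    Write-Output "NOT COVERED: no Disallowed hash rule matches $target."
    Write-Output "Checked $($rules.Count) rule(s); the file may have changed since the rule was created."
}
```

A "NOT COVERED" result on a computer that should be locked down means the hash rule needs to be re-created from the currently installed file.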

Restrict Terminal Server Usage
Terminal Services licensing is a complicated nuisance, and the fact that you can't manually reclaim accidentally allocated TSCALs makes it more of one. The good news is that you now have some methods to prevent rogue client computers or terminal servers from dispensing TSCALs to one and all.


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.