I have windows 2012 server r2 machine with local users only. Machine is not part of any domain. I want members of "users" group to be restricted to use mstsc.exe / remote desktop connection from this machine to any other.
I tried blocking outbound ports 3389 for TCP/UDP in windows firewall and used Applocker to create a rule to block mstsc.exe for "users" gp members but users can still mstsc from this machine successfully.
Have you tried deleting mstsc.exe?