You can use Group Policies to lock down a Terminal Server session on a Microsoft Windows Server 2008-based or Microsoft Windows 2000-based computer. With the following settings, even the administrator account will have restricted access. It is highly recommended that you create a new organizational unit instead of modifying the policies on an existing one.
The Dsacls.exe tool
Dsacls.exe is a command-line tool that you can use to query the security attributes and to change permissions and security attributes of Active Directory objects. It is the command-line equivalent of the Security tab in the Windows Active Directory snap-in tools such as Active Directory Users and Computers and Active Directory Sites and Services. You can use Dsacls.exe to lock out Terminal Services end-users from files and folders on a Windows Server 2003-based computer or a Microsoft Windows 2000-based computer.
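The query and change uses of Dsacls.exe described above, as an added PowerShell example that is not part of the original post: it creates a dedicated organizational unit, grants one group read access, and compares the OU's permissions against a saved baseline so later changes are noticed. The domain DN, OU name, group name and baseline path are assumed placeholders, and the ActiveDirectory (RSAT) module is assumed to be installed.

```powershell
# Added example. Assumed placeholders (not from the post): domain DN, OU name,
# group name and baseline path. Run as a domain admin with RSAT installed.
Import-Module ActiveDirectory

$DomainDn = 'DC=example,DC=com'                 # placeholder domain
$OuName   = 'TS-Lockdown'                       # hypothetical OU for the Terminal Servers
$OuDn     = "OU=$OuName,$DomainDn"
$Group    = 'EXAMPLE\TS-Helpdesk'               # hypothetical read-only group
$Baseline = 'C:\Baselines\TS-Lockdown-acl.txt'  # hypothetical baseline file

# 1. Create a new OU instead of modifying policies on an existing one.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
        -SearchBase $DomainDn -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDn `
        -ProtectedFromAccidentalDeletion $true
}

# 2. Change permissions: grant generic read (GR) on the OU and its
#    child objects (/I:T) to the helpdesk group.
& dsacls.exe $OuDn /I:T /G "${Group}:GR" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls could not update $OuDn" }

# 3. Query the security attributes; blank lines are dropped so the
#    comparison below is stable.
$current = & dsacls.exe $OuDn | Where-Object { $_.Trim() }
if ($LASTEXITCODE -ne 0) { throw "dsacls could not read $OuDn" }

# 4. First run stores the baseline; later runs report any ACL drift.
if (-not (Test-Path $Baseline)) {
    New-Item -ItemType Directory -Path (Split-Path $Baseline) -Force | Out-Null
    $current | Set-Content -Path $Baseline
    "Baseline written to $Baseline"
} else {
    $diff = Compare-Object (Get-Content $Baseline) $current
    if ($diff) {
        "ACL on $OuDn differs from the baseline:"
        $diff | Format-Table InputObject, SideIndicator -AutoSize
    } else {
        "ACL on $OuDn matches the baseline"
    }
}
```

In the drift report, `=>` marks entries present now but absent from the baseline, and `<=` marks entries that have been removed since the baseline was taken.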
See also the article "How to use Dsacls.exe in Windows Server 2003 and Windows 2000" and the PDF document attached to this post.