Wondering how to separate group policy for a workstation vs the user's RD session

I am trying to make it so that the workstation the user logs into has access to some of the control panel and on their RDP session have no access to the control panel.

How do you separate these GP? So far I have it where it applies no access to all computers the user logs into or it gives partial access to all computers they log into. I can't seem to get it to be separate since it is a user policy.

Setup.

User logs into a computer with their domain login, they are a member of domain\users.
They can then RD to the RDS server because they are a member of domain\users.

User is in an OU with a GPO applied.

I can only get the policy to apply to both locations exactly the same. I would like to have the server be stricter; for example, they have no need to be in any part of the control panel. But on their workstation they can change wallpapers and screen resolution, so they need partial access to the control panel.

This is a lab environment, so if it is set up wrong let me know. Just learning here.

So you don't want them to have control panel when they RDP in?

Right, the RDP is into the RDS (Terminal Services) server, and they don't need the control panel for the server. They are 2012 R2 servers, if that changes anything.

Wait, are the workstation and terminal services server separate? Am I misunderstanding?

Yes, they are. I have a workstation that is joined to the domain. From within that workstation they can Remote Desktop into the terminal services server for a few server-driven applications.

Have the policy apply to the computers and not users.

Example: the workstation container has the access policy
and the server has no control panel policy.

That's what I thought, but it didn't seem to work. I'll try again tomorrow, it's a work related project.

+1 for applying to the computers themselves.

If you need to completely isolate the Group Policies applied to the Workstations, couldn't you put the workstations on a separate domain within the same forest?

Make sure you use the command gpupdate /force on the computers you're testing.

If I have the RDS servers inside an OU and the policy has users denied access to the control panel under user configuration, should this be preventing access to the control panel?

I don't seem to find certain things under the Computer Configuration section of the GP that are in the User Configuration. Like, the control panel section for computer config only has policies for personalization, regional and language, and user accounts.

(Yes, I know you should only have AD, DHCP and DNS on the DC, but I have limited servers in the test environment. The roles installed on the DC are AD DS, DNS and Hyper-V; I'm just managing the RDS from it.)

They don't need to be under computer configuration, as long as the policy applies to the right group of computers.
It would be a user policy applying to users on that particular computer.

Okay, that is what I expected. Which means it's not functioning like it should. I wonder if it has to do with the RDS being within a collection and the connection broker not being in the RDS Server OU. I'm spinning up another VM to test it standalone and not in a collection.

On Group Policy Management, at the bottom is Group Policy Results, where you can run a wizard to see errors regarding Group Policy. You may need to enable a service on the computers you're testing.

It said no errors but two warnings: fast link enabled and sysvol version mismatch on default domain policy.