We have a server that we want our users to be able to remote into from within the office, but only a -few- (administrators) should be able to login from outside the office.
Currently, anyone who can remote into the desktop has the ability to remote in from outside the office.
Is there a way to restrict remote desktop permissions by source of login?
We use a login script to check the connecting computer name and if it doesn't match the list we deny the connection. We exclude some users from this check so they're always able to connect, whether in the office or not. So you simply add a line for each office computer (or authorized computer) and add a line for every user you want to exclude from the check. Below is a sample from the script:
REM Users exempt from the location check (always allowed to connect).
REM /I makes the comparison case-insensitive; quoting keeps IF from breaking on empty or odd values.
IF /I "%USERNAME%"=="joeschmoe" GOTO OK
IF /I "%USERNAME%"=="janedoe" GOTO OK
REM Office (or otherwise authorized) computers, matched on the RDP client name.
IF /I "%CLIENTNAME%"=="OfficeComputer1" GOTO OK
IF /I "%CLIENTNAME%"=="OfficeComputer2" GOTO OK
IF /I "%CLIENTNAME%"=="OfficeComputer3" GOTO OK
REM The following message is displayed on computers not authorized to connect.
msg * You are not authorized to login from this location. You will be logged off in 10 seconds.
REM sleep is the Resource Kit tool; on systems without it, use: timeout /t 10 /nobreak
sleep 10
LOGOFF
:OK
EXIT
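The same check written as a PowerShell logon script, added here as an example and not part of the answer above. It assumes constructed office computer names, a placeholder log path and a placeholder domain group ('CONTOSO\RDP-Remote-Admins') whose members are exempt instead of a hard-coded user list; the group is read from the token's group list rather than IsInRole so that UAC token filtering does not hide membership. CLIENTNAME is supplied by the connecting client and is not verified by the server, so this is an administrative convenience check rather than a security boundary.

```powershell
# Added example: PowerShell version of the location check logon script.
# Assumptions: constructed computer names, placeholder log path and group name.
$allowedClients = @('OfficeComputer1', 'OfficeComputer2', 'OfficeComputer3')  # constructed
$exemptGroups   = @('CONTOSO\RDP-Remote-Admins')                            # placeholder group
$logPath        = 'C:\Logs\rdp-location-check.log'                            # placeholder path

# CLIENTNAME and SESSIONNAME are only set inside a Remote Desktop session;
# a console logon has nothing to check.
if ($env:SESSIONNAME -notlike 'RDP-*') { return }

# Resolve the current user's group SIDs to names. Deny-only (UAC filtered)
# groups still appear in the Groups collection, so membership is not hidden.
$identity   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groupNames = foreach ($sid in $identity.Groups) {
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
}
$isExempt = @($groupNames | Where-Object { $exemptGroups -contains $_ }).Count -gt 0

# -contains is case-insensitive, so OFFICECOMPUTER1 matches OfficeComputer1.
$clientName = $env:CLIENTNAME
if ($isExempt -or ($allowedClients -contains $clientName)) { return }

# Record the denial so rejected logons can be reviewed later.
$line = '{0} DENY user={1} client={2} session={3}' -f (Get-Date -Format s),
    $identity.Name, $clientName, $env:SESSIONNAME
Add-Content -Path $logPath -Value $line

msg.exe * 'You are not authorized to login from this location. You will be logged off in 10 seconds.'
Start-Sleep -Seconds 10
logoff.exe
```

Assign it as the user logon script (Group Policy or the account's profile tab); it exits silently for console sessions and for anyone in the exempt group.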
Consider investigating IPSec, which, if I understand it correctly, can be used to restrict access based on a combination of rules including network location, client machine identity (assuming it's a member of the domain), and user credentials. So you could theoretically set up an IPsec policy allowing only Admins on certain computers to access RDP from outside the office network. If you make use of Group Policies, you could easily apply the rules to any additional servers you wish to set up in the same way.
Set up a Terminal Services gateway. You can set up policies on what different groups are allowed to access. Only permit remote access via the gateway.
Not by permissions. You could use the OS firewall to deny all external IPs port 3389 access and allow only certain external IPs (if you know them and they are static). Another option would be to deny all external IPs on your core FW and then only allow RDP if they VPN into your network.
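What the OS-firewall option above looks like with the Windows Firewall cmdlets, added as an example and not part of the answer. It assumes the office LAN is 192.168.1.0/24 and the static admin addresses are 203.0.113.10 and 198.51.100.25 (all constructed), and a Windows 8 / Server 2012 or later host where the NetSecurity module is available. One caveat the answer's "deny all, then allow some" wording hides: in Windows Firewall a Block rule wins over an Allow rule, so a block rule for 3389 from any address would also block the admins. The way to get the intended result is to disable the broad built-in allow rule and add a narrow one; anything that matches no allow rule is dropped by the profile's default inbound action.

```powershell
# Added example: scope inbound RDP (TCP 3389) to the office LAN plus a few
# static admin addresses. Run from an elevated PowerShell prompt.
# Assumptions: constructed addresses below; NetSecurity cmdlets available.
$officeLan    = '192.168.1.0/24'                     # constructed
$adminRemotes = @('203.0.113.10', '198.51.100.25')   # constructed static addresses

# 1. Disable the built-in Remote Desktop rules, which allow 3389 from any
#    remote address (this also disables the UDP 3389 transport rule; clients
#    fall back to TCP).
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled False

# 2. Allow 3389 only from the office LAN and the listed admin addresses.
New-NetFirewallRule -DisplayName 'RDP - office LAN and admin addresses' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress ($adminRemotes + $officeLan) `
    -Action Allow -Profile Any

# 3. The scoped allow rule only helps if unmatched inbound traffic is blocked;
#    confirm DefaultInboundAction is Block (or NotConfigured, which means Block)
#    on every profile.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 4. Review the address scope that was actually applied.
Get-NetFirewallRule -DisplayName 'RDP - office LAN and admin addresses' |
    Get-NetFirewallAddressFilter
```

If the server sits behind a perimeter firewall as well, the same LAN and admin scoping should be mirrored there, or RDP left closed at the perimeter entirely and reached over VPN as the answer suggests.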