Network access restriction see

You can explicitly deny access to the KM in the local policy.

-Create an arbitrary user group with the required access level.
- view the default administrator groups (for example, "wsus administrator", xs why do you need an administrator without access to rdp)
- deny access to a specific machine

We already wrote above "create an arbitrary user group with the required access level."
Working and even more so running arbitrary software under the "Administrator" account is an extremely bad idea.
You have 2 options: remake your "services and applications" to ensure they run under non-privileged accounts. Or disable RDP altogether (for example, in a firewall)

To be honest, the very formulation of the question suggests that the logical structure of access rights in the organization is somewhat incorrect, since the local administrator is a local god and master. You can cut off the rights, but he can return them in exactly the same way or go around workarounds.
Denying access from the network at the account level is stupid - he can create a new account in the system.
Preventing the Administrators group from logging into Terminal Services is even dumber.
Most of the services can be started with the rights of a simple user.
Some finicky services work well under users, but when launched from a task scheduler with the checkbox set to execute with the highest privileges.
Hygiene rules prohibit the use of local administrators to run anything. You cannot be tied to this account from the word "absolutely".

I probably did not describe in detail.
The fact is that this is a system account and applications and services are launched under it on a group of servers. She serves for this. Authorization on any computer of the domain needs to be forbidden. Such is the task. We tried to check the box in the account properties: "Deny this user permissions to log on to any Terminal Server" but that did not help, it continues to let.