Question : Enabling & Restricting Remote Desktop Access via GPO

Hey experts
Hope you can help

I'm in the process of enabling Remote Desktop for all our workstations and would like to lock it down and restrict it only to Domain Administrators. I'd also like to ensure that they are only allowed to remote into 1 machine at a time (no multiple sessions). I have a rough idea on how to do it, but want to make sure I am doing it correctly.
Previously this was NOT enabled and denied everyone RDP access.

My main question is about the "deny access" setting, and whether I need to specify it or not?
Are these the right settings?

"Allows users to connect remotely using Terminal Servers" - ENABLED
"Allow logon through Terminal Services" - Administrators
"Deny logon through Terminal Services" - Guests,   <=== How do I restrict all users that aren't Admins from access?? =====

If I put EVERYONE in the Deny logon, does that take precedence over the Allow logon? How do I ensure that only Admins have access to it and everyone else can't use it? Our AD isn't set up so that there's a group that contains regular users (I was thinking of putting Domain Users, or Users but it also contains Administrators as members as well)? Do I need to create another group in AD that specifically contains only regular users so I can specify them as deny logon? We have over 1000 user accounts, so anyway I can do this easily through GP would help.
And are there any other settings am I missing? I'm hoping to get this available ASAP as we need to get this up and running immediately

I appreciate any help! Thanks! =)

Answer : Enabling & Restricting Remote Desktop Access via GPO

Yes the TS service is required but as you enable that through GPO, the status will automatically change for the TS service when applied.