Discovered huge security risk in RDS on Server 2012


I discovered that downloaded .rdp files still work after a user's RDS access has been removed and the domain login has been disabled in Active Directory.

I had a terminated employee who had RDS access to several of our RDS targets. I removed the user from every security group that provided an RDS resource. I changed the user's password, logged into RDWeb as the user, and got a blank RDS page (no resources available). I disabled the AD account and thought it was secure. Not even close!

Imagine my surprise when the ex-employee used a saved .rdp file to authenticate past the RDS gateway and was prompted with a login prompt at the server of his choosing. Once past the RDS gateway, domain credentials work, even without RDS permissions.

Is there a way to prevent old .rdp files from working for users with disabled domain accounts?

The useless response is:

So the user has saved .rdp files on his... home desktop? And he launches the .rdp shortcuts and gets a credential prompt that he can't go past, since the account is disabled?

Do you have Network Level Authentication enabled on the servers, or was it deliberately disabled?

Look at this section of the GPOs for RDS:

computer configuration > policies > administrative templates > windows components > remote desktop services > remote desktop session host > security

There are a few items in here that are relevant, I think, if you can give more details as well.
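Two checks a defender would run when offboarding an RDS user, as an added example that is not part of the thread: confirm NLA is on for each session host (the setting the reply asks about), and log off any sessions the account still holds, since disabling the AD account does not end existing sessions. The host names, broker name and account name are placeholders.

```powershell
# Added example (not from the thread). Assumes a Server 2012 RDS deployment,
# RDS admin rights, and the RemoteDesktop module on the machine running it.
# All names below are placeholders.
Import-Module RemoteDesktop

$SessionHosts     = 'RDSH01.corp.example', 'RDSH02.corp.example'
$ConnectionBroker = 'RDCB01.corp.example'
$OffboardedUser   = 'jdoe'

# 1. Network Level Authentication. With NLA off, a saved .rdp file reaches the
#    host's own logon screen; with it on, credentials are validated before any
#    session is created. Query and enforce via the TerminalServices WMI class.
foreach ($h in $SessionHosts) {
    $ts = Get-WmiObject -ComputerName $h -Namespace 'root\cimv2\TerminalServices' `
          -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    if ($ts.UserAuthenticationRequired -eq 1) {
        Write-Output "$h : NLA enabled"
    } else {
        Write-Warning "$h : NLA DISABLED - enabling"
        $null = $ts.SetUserAuthenticationRequired(1)
    }
}

# 2. Live sessions. Removing group membership and disabling the account stop
#    new logons, but a session that already exists (active or disconnected)
#    keeps running. Enumerate the broker's sessions for the user and log them off.
$sessions = Get-RDUserSession -ConnectionBroker $ConnectionBroker |
            Where-Object { $_.UserName -eq $OffboardedUser }

if (-not $sessions) {
    Write-Output "No RDS sessions found for $OffboardedUser"
}
foreach ($s in $sessions) {
    Write-Output ("Logging off {0}\{1} on {2} (session {3})" -f `
        $s.DomainName, $s.UserName, $s.HostServer, $s.UnifiedSessionId)
    Invoke-RDUserLogoff -HostServer $s.HostServer `
        -UnifiedSessionID $s.UnifiedSessionId -Force
}
```

Run the session check again after the account is disabled; a disabled account with a surviving session is exactly the gap the original post describes.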


