Think more in terms of who you want to allow remote desktop access. Then construct your policy around those users.
Suggestion: Place all allowed users into a distinct AD group rather than listing them individually.
You'll want to control SESSENV.DLL. This is the Remote Desktop Configuration service, and it will want to write to <user>\AppData\Local\Temp.
Allow the write, then monitor the events for a while. You will probably have to wildcard the path, but I'm not sure exactly where in the path you'll need to place the wildcard.
Hope that helps!
Will
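As an added example (not from Will's post), a PowerShell audit that checks a host's local "Remote Desktop Users" membership against a single AD group, so that RDP access is granted only through that group as suggested above. It assumes the RSAT ActiveDirectory module and PowerShell 5.1+; the group name `RDP-Allowed-Users` and the domain `CORP` are placeholders.

```powershell
# Added example: verify that RDP access on this host is granted only through one AD group.
# Assumes the RSAT ActiveDirectory module and PowerShell 5.1+ (Get-LocalGroupMember).
# 'RDP-Allowed-Users' and 'CORP' are placeholder names, not values from the post.
param(
    [string]$AllowedGroup = 'RDP-Allowed-Users',
    [string]$Domain       = 'CORP'
)
Import-Module ActiveDirectory -ErrorAction Stop

# Members of the local "Remote Desktop Users" group, e.g. "CORP\jsmith" or "CORP\RDP-Allowed-Users"
$local = Get-LocalGroupMember -Group 'Remote Desktop Users' |
         Select-Object -ExpandProperty Name

$expected = "$Domain\$AllowedGroup"

# Anything other than the single AD group is a policy deviation (direct user grants, extra groups)
$unexpected = $local | Where-Object { $_ -ne $expected }
$missing    = -not ($local -contains $expected)

if ($missing)    { Write-Warning "Local 'Remote Desktop Users' does not contain $expected" }
if ($unexpected) { Write-Warning ("Grants outside the AD group: " + ($unexpected -join ', ')) }

# List who actually receives RDP access via the group, so the allow-list can be reviewed
Get-ADGroupMember -Identity $AllowedGroup -Recursive |
    Select-Object SamAccountName, ObjectClass |
    Sort-Object SamAccountName
```

Run it periodically on RDP-enabled hosts; any warning means someone was added directly instead of through the group.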