Solved

Terminal Server 2003 - Restrict Desktop Access

Posted on 2006-05-11
Last Modified: 2009-05-28
I want to restrict a specific group of terminal services users to one application on the desktop and prevent them from accessing the network neighborhood on the machine. How would I go about applying these restrictions?

Ed
Question by:ehilder1
5 Comments
 
LVL 3

Expert Comment

by:rchein
ID: 16659577
You can cause the program to be launched when they log on to the machine. Then when they exit the program, it will log them off (or at least that is how it worked in 2k terminal services; I don't have a 2k3 TS server).

This can be done in Active Directory Users and Computers on the Environment tab (starting Program).
 
LVL 3

Accepted Solution

by:
rchein earned 172 total points
ID: 16659668
 
LVL 7

Assisted Solution

by:northcide
northcide earned 164 total points
ID: 16662643
That won't solve the problem if there is any option to open files locally from the application used... pretty much anything that allows any sort of explorer.exe action via Office applications or otherwise.

*read all the way through this post.....

I have a terminal server setup that basically disallows access to anything that I haven't explicitly given permission to - network places being one of them. I don't remember exactly which policy within GPO it is, however you should start with the term server lockdown guide. Some combination within it will give you exactly what you are looking for:

http://www.microsoft.com/downloads/details.aspx?FamilyID=cabea1d0-5a10-41bc-83d4-06c814265282&displaylang=en
It might be the "prevent access to drives from my computer" option with "no 'computers near me' in my network places" and "no 'entire network' in my network places"....

And actually as I'm writing this I see an option for "remove my network place icon from start menu" as well as "hide my network places icon on desktop".

I'm not going to delete the beginning of this post however because those are all probably options you should set.

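One way to confirm, from inside a restricted user's Terminal Services session, that the Group Policy settings named in the post above actually applied. This is an added example, not part of the original post; the registry value names are the ones Microsoft's system.adm template writes for these policies and do not appear in the thread.

```powershell
# Added audit example: reports which of the Explorer lockdown policies named
# in the thread are in effect for the user running this script.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'

# Policy display name -> subkey and value written by the administrative template.
$checks = @(
    @{ Policy = 'Prevent access to drives from My Computer';     Key = 'Explorer'; Value = 'NoViewOnDrive' },
    @{ Policy = "No 'Computers Near Me' in My Network Places";   Key = 'Explorer'; Value = 'NoComputersNearMe' },
    @{ Policy = "No 'Entire Network' in My Network Places";      Key = 'Network';  Value = 'NoEntireNetwork' },
    @{ Policy = 'Remove My Network Places icon from Start Menu'; Key = 'Explorer'; Value = 'NoStartMenuNetworkPlaces' },
    @{ Policy = 'Hide My Network Places icon on desktop';        Key = 'Explorer'; Value = 'NoNetHood' }
)

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns the DWORD, or $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $prop = $item.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $null }
    return $prop.Value
}

$results = foreach ($c in $checks) {
    $raw = Get-PolicyValue (Join-Path $base $c.Key) $c.Value
    if ($null -eq $raw) {
        $state = 'NOT SET'
    } elseif ($c.Value -eq 'NoViewOnDrive') {
        # Bitmask: bit 0 = A:, bit 25 = Z:. Show which drive letters are restricted.
        $letters = 0..25 | Where-Object { $raw -band [int][math]::Pow(2, $_) } |
                   ForEach-Object { [char](65 + $_) }
        if ($letters) { $state = 'ENFORCED for ' + ($letters -join ',') }
        else          { $state = 'NOT SET (mask is 0)' }
    } elseif ($raw -eq 1) {
        $state = 'ENFORCED'
    } else {
        $state = "DISABLED (value $raw)"
    }
    New-Object PSObject -Property @{ Policy = $c.Policy; RegistryValue = $c.Value; State = $state }
}

$results | Select-Object Policy, RegistryValue, State | Format-Table -AutoSize

# Summarise gaps so a missing setting is not overlooked in the table.
$missing = @($results | Where-Object { $_.State -notlike 'ENFORCED*' })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} of {1} lockdown policies are not in effect for {2}" -f $missing.Count, $checks.Count, $env:USERNAME)
}
```

Run it as the restricted account rather than as an administrator, since these are per-user (HKCU) policies and an admin session may be excluded from the GPO.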
 
LVL 74

Assisted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 164 total points
ID: 16663732
There is a new protocol in Server 2003 SP1 and R2 which will HIDE any drive, folder, or file that a user does not have permission to access.  It's pretty cool and makes a lot of sense for something like this.  It's called Access Based Enumeration and is a free downloadable add-on to Server 2003:  http://www.microsoft.com/windowsserver2003/techinfo/overview/abe.mspx

That used in addition to specifying the specific program in the User's Environment settings should do the trick.  However you may want to review the Terminal Server Lockdown Best Practices as well:
http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdown.mspx


Jeff
TechSoEasy
 

Expert Comment

by:n2technology
ID: 24496206
You do it through group policy. Here is a step by step guide to apply a locked down group policy on a terminal server:  http://support.microsoft.com/kb/278295