hconant asked:

Setting RDP for one application on WS2003

I have a WS2003 which I have used RDP for administrative access to, basically as a web server.  I have been the only user accessing this server, so I had full RD admin access.  Now I would like to use this server as a Terminal Services server for my company QuickBooks Pro application and need bookkeepers to access the application, but not any other areas of the server.  So I need to set up RD clients that will have restricted access only to the QuickBooks application and associated data files.  Step-by-step help would be appreciated.
ASKER CERTIFIED SOLUTION by George Khairallah (body not included on this page)
hconant (ASKER):

I actually had gotten through most of that.  What I am getting stuck on is assigning a particular user's permissions so that upon RDP login perhaps an autoexec.bat will start, or some other process, and they are greeted with the application's login (in this case QuickBooks), and nothing else.
Michael Ortega:

After you install Terminal Services you'll want to set up a security group for the restricted users and add them to the local Remote Desktop Users group on the Terminal Server. You do not want to add them to the local Administrators group. Further restrictions you should manage through Group Policy, e.g. disable access to Windows Explorer, Control Panel, etc.

MO
You can create a custom RDP connection as well as the recommendations I made above and add the QuickBooks executable to the RDP connection. This will basically immediately launch QB in the session and nothing else. I recommend that you also enable a session timeout/disconnect/reset policy on the Terminal Server so that the sessions don't get hung up endlessly after a user disconnects.

MO
SOLUTION (body not included on this page)
Ok .. so I believe what you're wanting to do is assign different permissions in Terminal Services.
This is actually going to be the result of a bunch of changes that you make.

This is going to depend on whether QuickBooks will actually run for users who have, for instance, only user privileges on the server.
If it does, then you can add them to the "Users" group, and give them explicit permissions for any place that they need write access to. By default, users have access only to their own profile.

In addition to that, and if you want to limit their experience, I usually implement a GPO, and scope it to the users who will be logging in to the terminal server. Aside from the regular settings that you would usually assign to allow Terminal Services access, I would set up User Configuration restrictions, as well as Computer Configuration restrictions, for the user. So now you'd be able to make it as tight or as relaxed as you want.

One thing to remember: if your users have access to other computers in the domain, you want to make sure that these extra-tight policies won't apply to them when they log in to their own workstation. For this, make sure you use the Loopback processing policy / Merge mode...
What this will do is, when the user logs in to their own workstation, their computer and user policies will apply, but when they log in to the terminal server, their user policies will apply, in addition to the Terminal Server computer configuration policy, and the user configuration policy, merged with their own OU's user configuration policy.  (If you choose "Replace" mode, then their own OU's user configuration will be completely ignored, and only the terminal server's user configuration will apply.)

This is just a general guide. You can find some additional information about Loopback processing policy here:
http://support.microsoft.com/kb/231287

As for launching QuickBooks, you can add this to their login script, either by placing that script in your \\dc\netlogon\login.vbs and adding it to the login script field under "Profile" in their AD user properties, OR you can add it within that group policy (I would personally go with this one in this case), under User/Policies/Windows Settings/Scripts (Logon/Logoff).

There are as many tweaks for lockdown that you can perform as your mind can come up with. You can go as far as replacing the Explorer shell with another one, and make the terminal service session run in kiosk mode if need be...
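A way to verify the two points raised in this thread (loopback processing mode, and restricted users being in Remote Desktop Users but not Administrators) on the Terminal Server itself. This is an added example, not code from any participant; it assumes PowerShell is available on the server, that it runs with admin rights, and that the bookkeepers' security group is named QB-Bookkeepers (a placeholder). The registry value it reads is the one the loopback GPO setting writes on the computer the policy applies to.

```powershell
# Added example: report a Terminal Server's lockdown posture as discussed in the thread.
# Assumptions: run locally on the TS as an administrator; 'QB-Bookkeepers' is a placeholder
# for the restricted users' group.

$RestrictedGroup = 'QB-Bookkeepers'   # placeholder group name

function Get-LoopbackMode {
    # "User Group Policy loopback processing mode" lands in this policy key on the TS
    # once a GPO scoped to the TS computer object applies.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $mode = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    switch ($mode) {
        1       { 'Merge' }      # TS user settings merged with the user's own OU settings
        2       { 'Replace' }    # user's own OU settings ignored on the TS
        default { 'Not configured' }
    }
}

function Get-LocalGroupMembers([string]$Group) {
    # WinNT ADSI provider: available on Server 2003 without extra modules.
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    @($g.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
}

$rdu    = Get-LocalGroupMembers 'Remote Desktop Users'
$admins = Get-LocalGroupMembers 'Administrators'

"Loopback processing mode : $(Get-LoopbackMode)"
"Remote Desktop Users     : $($rdu -join ', ')"
"Administrators           : $($admins -join ', ')"

# The two conditions from the thread: restricted users need RDP logon rights,
# and must not be local administrators.
if ($rdu -notcontains $RestrictedGroup) {
    Write-Warning "$RestrictedGroup is not in Remote Desktop Users; its members cannot log on via RDP."
}
if ($admins -contains $RestrictedGroup) {
    Write-Warning "$RestrictedGroup is in local Administrators; remove it so restricted users are not admins."
}
```

Run it after the GPO has been applied (gpupdate on the server) so the loopback value reflects the live policy rather than a stale one.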
Mgortega... I think that's a great idea, but if a user really wants to, can't they establish a connection to the server without the execution of the local path and gain access to the server?

Perhaps, your solution, in conjunction with GPO restrictions would be ideal ?
Let me clarify that with the custom RDP connection, QB will launch in place of the Explorer shell and the user will have no access to anything else, e.g. desktop icons, Start menu, etc. If they were to close out of QB they would have nothing but a blank screen. For the average user this would appear really secure. Someone who knows what they are doing and wanted to get access or disrupt things could still get access to the shell, and that's why I recommend that you still make sure to create restrictive GPOs and apply them to the TS and/or users in question. The custom RDP connection just makes the experience for the user and those administering the system really clean and easy to use.

MO
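The custom RDP connection described above, as an added example that is not part of any participant's post. It writes the client-side .rdp file (the "alternate shell" line is what mstsc's "Start the following program on connection" option produces) and, because a user can edit that file on their own machine, also sets the same initial program on the server side for the account, which is what actually enforces it. Host name, account name and the QuickBooks path are placeholders; setting the per-user value through the WinNT ADSI provider's Terminal Services properties is an assumption about the server, so verify it in the user's Environment tab afterwards.

```powershell
# Added example: client-side app-only .rdp file plus the server-side initial program
# for one user. All names and paths below are placeholders.

$TsHost  = 'ts.example.com'                                    # placeholder Terminal Server
$QbExe   = 'C:\Program Files\Intuit\QuickBooks\QBW32.exe'      # placeholder QB path
$QbDir   = 'C:\Program Files\Intuit\QuickBooks'                # placeholder working dir
$RdpFile = "$env:USERPROFILE\Desktop\QuickBooks.rdp"
$TsUser  = 'bookkeeper1'                                       # placeholder local account on the TS

function New-AppOnlyRdpFile {
    param([string]$Path, [string]$Server, [string]$Program, [string]$WorkDir)
    # 'alternate shell' / 'shell working directory' are the .rdp keys behind mstsc's
    # "Start the following program on connection". Value is written as typed in that dialog.
    $lines = @(
        "full address:s:$Server",
        "alternate shell:s:$Program",
        "shell working directory:s:$WorkDir",
        "screen mode id:i:2",        # full screen, no local desktop visible behind it
        "redirectdrives:i:0",        # do not map the user's local drives into the session
        "redirectclipboard:i:0",     # no clipboard between local PC and the session
        "disable wallpaper:i:1"
    )
    # mstsc writes .rdp files as Unicode; it also reads ANSI, but match what it produces.
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    $Path
}

function Set-TsInitialProgram {
    param([string]$User, [string]$Program, [string]$WorkDir)
    # Assumption: the Terminal Services user properties (Environment tab in Computer
    # Management / ADUC) are reachable as TerminalServices* properties via ADSI.
    # Setting them here means the program starts regardless of what the client's .rdp says.
    $u = [ADSI]"WinNT://$env:COMPUTERNAME/$User,user"
    $u.psbase.InvokeSet('TerminalServicesInitialProgram', $Program)
    $u.psbase.InvokeSet('TerminalServicesWorkDirectory',  $WorkDir)
    $u.psbase.CommitChanges()
    # Read back so the caller can confirm what the server will enforce.
    $u.psbase.InvokeGet('TerminalServicesInitialProgram')
}

# Client side: hand this file to the bookkeeper.
New-AppOnlyRdpFile -Path $RdpFile -Server $TsHost -Program $QbExe -WorkDir $QbDir

# Server side (run on the TS as admin): enforce the same program for the account.
Set-TsInitialProgram -User $TsUser -Program $QbExe -WorkDir $QbDir
```

If the server-side value is set on the RDP-Tcp listener in Terminal Services Configuration instead of per user, it applies to every connection on that listener, administrators included, so per-user or GPO scoping is the safer place for it when admins also use RDP on the same box.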
gkhairallah, that's why in the comment that you read through I said "You can create a custom RDP connection as well as the recommendations I made above ...". The comment previous to that one mentioned hardening access on the Terminal Server for those users through Group Policy.

MO
I think our comments crossed paths ... I posted mine before seeing your follow-up.
Thanks for the clarification ...  :)
hconant (ASKER):

Let me explain further.  The goal is actually eliminating our small 5-user LAN which we use for some file sharing, QuickBooks, and Exchange.  Our small company no longer needs the overhead of maintaining the LAN, and the connection speeds and technology of remote access suggest we can do this all remotely.  So, we have a dedicated remote server which we have configured for our web sites, and now would like to set up our QuickBooks and backup files.  So there will be NO attached clients.  All access will be remote.  So the office worker who used to only do accounting will now access QB through RDP and will not need access to anything else.  So there is no concern about cross-permission conflicts or anything of the sort.  I suppose simply setting up the QB app on the user's desktop would suffice; it just seemed cleaner, and I have seen it done, to have the app launch directly from the RDP login.  But maybe I am complicating it too much.
Actually you simply reposted what I said originally, gkhairallah. Check my original comment and then the comment I made right after that. I originally said restrict through Group Policy and then I mentioned creating a custom RDP connection on the users' system to keep the session clean.

MO
I don't know too much about QuickBooks, but I believe what you can do, given the correct version of QuickBooks, is set up a QuickBooks server, where the database will reside, then install a local client version on the user workstations, then, through a VPN connection or something equivalent, have them open the database remotely on the server via their locally installed client.

The fact that there are no attached clients, as you mentioned, is related to the use of QuickBooks. However, if you do have a local domain controller on site (if the machines are joined to a domain), you still have to deal with figuring out the application and inheritance of group policies in the case of local login vs. terminal services login.

If QuickBooks is at the right version, I think this will be your simplest solution, and you needn't worry about figuring out Terminal Services.
Ummm. hconant, did you miss my comments and specific instructions on setting up a custom remote desktop connection so that the QB app launches directly? What you're asking for is exactly what I explained how to do.

MO
That's really weird, mgortega.. for some reason your first two comments only just showed up on my thread; for a while there, I had only seen your suggestion of changing the setting in mstsc. It's either that, or I may very well have inadvertently overlooked it...   it's all good  .. :)
hconant, contrary to what gkhairallah just mentioned, DON'T install a local client and try to access the QB company file over a slow internet link. Unless your server is behind an internet connection with 100 Mbps upload and your remote user has the same download bandwidth, the experience is going to be horrible. Opening QB might take 30 minutes. Saving changes, etc. will likely take the same amount of time.

Just use the custom RDP connection like I explained above. That will do exactly what you're asking for.

MO
hconant (ASKER):

I was going to say I got them, but they are all crossing each other as they are arriving quite rapidly.  I tried setting up the QB remote file server all day today only to find it way too slow.  So RDP it is, if it is to be at all.  I think with the info I have from above I should be able to get this going.
hconant (ASKER):

Thanks for the help guys