Solved

microsoft rds server (terminal server) rights

Posted on 2010-11-30
Last Modified: 2012-05-10
We have a Microsoft 2008 R2 server set up as an RDS server. It is working fine and the users are using it remotely. They can, however, see parts of the C drive. I want to restrict this; how can I do it?
Question by: zelfanet

Accepted Solution

by: tstritof (earned 500 total points)
ID: 34239110
Hi,

could you please be more specific?

Normal users need read access to C drive if they are running apps stored there. Also if your user's profiles or documents are stored locally on RDS in Users folder then access to C is also needed.

If you only want to hide/disable access to local drives in Windows Explorer & My Computer you can do that through Group Policy. Navigate to this GP container in GPO editor:

User Settings\Policies\Administrative Templates\Windows Components\Windows Explorer

and set these 2 policies:

Hide these specified drives in My Computer
Prevent access to drives from My Computer

There may be many other policies you may want to set for users in RDS environment, so consider creating a separate GPO for those settings.

Also if you don't want these policies applied to users when they work locally on their machines, then link the GPO only to the OU where your RD server is placed. Since these are user settings you should also enable loopback GP processing on RD server so that regular user policies get overwritten by special policies set for RD server.

Regards,
Tomislav

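The two Windows Explorer policies named above (in GPMC the node is labelled User Configuration > Policies > Administrative Templates > Windows Components > Windows Explorer) are backed by two DWORD bitmasks under the user hive, NoDrives and NoViewOnDrive, with one bit per drive letter (A = 1, B = 2, C = 4, and so on). The following PowerShell is an added example and not part of the original thread: it builds that mask from drive letters, writes both policies into a named GPO with the GroupPolicy RSAT module, and reads them back for verification. The GPO name and drive letters at the bottom are assumptions for illustration; PowerShell 3.0 or later is assumed for the `-shl` operator.

```powershell
# Added example, not from the original thread: build the bitmask that the two
# Windows Explorer policies write (NoDrives / NoViewOnDrive) and set both in a GPO.
# Needs the GroupPolicy RSAT module and PowerShell 3.0+ (for -shl). The GPO name
# and drive letters used at the bottom are assumptions for illustration.
Import-Module GroupPolicy

# Both policies live under this user-hive key in the GPO's registry.pol.
$ExplorerPolicyKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function ConvertTo-DriveMask {
    # One bit per drive letter: A = 1, B = 2, C = 4, ... Z = 0x2000000.
    param([Parameter(Mandatory)][string[]]$DriveLetters)
    $mask = 0
    foreach ($letter in $DriveLetters) {
        $index = [int][char]($letter.Trim(':').ToUpper()[0]) - [int][char]'A'
        if ($index -lt 0 -or $index -gt 25) { throw "Not a drive letter: '$letter'" }
        $mask = $mask -bor (1 -shl $index)
    }
    return $mask
}

function ConvertFrom-DriveMask {
    # Inverse of ConvertTo-DriveMask, used when reading a GPO back.
    param([Parameter(Mandatory)][int]$Mask)
    foreach ($i in 0..25) {
        if ($Mask -band (1 -shl $i)) { [char]([int][char]'A' + $i) }
    }
}

function Set-RdsDriveRestriction {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string[]]$DriveLetters
    )
    $mask = ConvertTo-DriveMask $DriveLetters
    # "Hide these specified drives in My Computer"
    Set-GPRegistryValue -Name $GpoName -Key $ExplorerPolicyKey -ValueName 'NoDrives' `
        -Type DWord -Value $mask | Out-Null
    # "Prevent access to drives from My Computer"
    Set-GPRegistryValue -Name $GpoName -Key $ExplorerPolicyKey -ValueName 'NoViewOnDrive' `
        -Type DWord -Value $mask | Out-Null
    return $mask
}

function Get-RdsDriveRestriction {
    # Read both values back from the GPO and decode them to drive letters.
    param([Parameter(Mandatory)][string]$GpoName)
    foreach ($valueName in 'NoDrives', 'NoViewOnDrive') {
        $v = Get-GPRegistryValue -Name $GpoName -Key $ExplorerPolicyKey -ValueName $valueName `
             -ErrorAction SilentlyContinue
        $decoded = if ($v) { ConvertFrom-DriveMask ([int]$v.Value) } else { @() }
        $shown   = if ($v) { '0x{0:X}' -f [int]$v.Value } else { 'not configured' }
        [pscustomobject]@{ Policy = $valueName; Mask = $shown; Drives = ($decoded -join ',') }
    }
}

# Usage with an assumed GPO name: hide and block C: and D: for the users the GPO applies to.
$mask = Set-RdsDriveRestriction -GpoName 'Terminal Server User Restrictions' -DriveLetters 'C', 'D:'
'NoDrives / NoViewOnDrive mask = 0x{0:X}' -f $mask      # C (4) + D (8) = 0xC
Get-RdsDriveRestriction -GpoName 'Terminal Server User Restrictions' | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. Masks that match one of the policy's drop-down choices (4 for "Restrict C drive only", 0x3FFFFFF for "Restrict all drives") show up in the GPMC editor as the familiar policy; other combinations still work on the client but appear as a plain registry setting. More importantly, both policies are shell restrictions only: "Hide" just removes the drive from Explorer views, and "Prevent access" blocks Explorer and the common file dialogs but not cmd.exe, PowerShell, or an application that opens a path directly. The access boundary that actually holds is the NTFS ACL on the folders you care about, so treat these policies as a usability measure on top of correct permissions, not as a substitute for them.
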
Author Comment

by: zelfanet
ID: 34390061
Tomislav,

That is exactly what I want to do. Can you explain the last paragraph to me? That is what I want to do.

Assisted Solution

by: tstritof (earned 500 total points)
ID: 34394501
Hi,

here are my suggestions (I'll try to use full names on first use of any acronym so there's no confusion about what I'm referring to):

In Active Directory Users And Computers:

- create a separate organizational unit (OU) for your terminal server (TS) in Active Directory (AD) and move the terminal server to that OU (there should be no other computers in this OU other than terminal servers you want to apply the group policy (GP) to) - name it something like "Terminal Servers"

- create 2 new security groups in AD (this is not absolutely necessary but it helps in limiting the scope of the GP application) - name the first group "Terminal Servers" and add your terminal server to that group; name the second group something like "Restricted Terminal Server Users" and add your terminal server users that should have restricted access to local resources on TS to that group

In Group Policy Management:

- create a new group policy object (GPO) and name it "Terminal Servers Policy" and link it to the "Terminal Servers" OU you created earlier (you should be able to see it in Group Policy Management now)

- enable the following setting of this new GPO: Computer Configuration > Policies > Administrative Templates > System > Group Policy > User Group Policy loopback processing mode, set it to Replace (this will enforce that any GPOs normally applied to users get replaced with the specific user policy defined for users when logging on to the TS) and close the Group Policy Management Editor

- on the Scope tab for this GPO in Security Filtering add the security group "Terminal Servers" you created earlier

- create a new GPO and name it "Terminal Server User Restrictions", disable computer configuration settings on that GPO and link it to "Terminal Servers" OU

- edit all settings in User Configuration of this GPO that will restrict user access to local resources on the terminal server

- after editing the settings, on the Scope tab of this GPO remove Authenticated Users from Security Filtering and add both the "Terminal Servers" group and the "Restricted Terminal Server Users" group

Enforce the group policy:

- log on to your terminal server as an administrator (not in the restricted group) and in an elevated command prompt ("Run As Administrator") run the gpupdate command (or you could restart the terminal server, but it's not necessary; however, gpupdate won't have any influence on active TS sessions)

- now try logging in to the terminal server as one of your restricted users and check whether the "lockdown" policy settings have been applied; also, check that when this restricted user logs on to their personal computer no "lockdown" is applied (so that TS restricted users can access their PCs normally)

The basic idea behind this is:
- specify user settings in the resource lockdown policy
- apply this policy to your terminal server computers
- make sure that normal user settings are replaced by those in resource lockdown policy by activating the loopback policy processing

Hope this helps,

Regards,
Tomislav


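The whole procedure in the answer above, carried out with the ActiveDirectory and GroupPolicy RSAT modules rather than the consoles. This is an added example and not part of the original thread; the domain is read from Get-ADDomain, and the server name RDS01, the user names in the commented-out line, and the single lockdown setting used as a placeholder are assumptions. Loopback "Replace" mode corresponds to the registry value UserPolicyMode = 2 under HKLM\Software\Policies\Microsoft\Windows\System (1 would be Merge): when a user logs on to a computer in the scope of that GPO, the user settings of GPOs that apply to the computer replace the user settings the user would normally receive, which is exactly what keeps the lockdown off the users' own PCs.

```powershell
# Added example, not from the original thread: OU, security groups, the loopback
# GPO and the user-restriction GPO, then a refresh and a verification hint.
# Requires RSAT (ActiveDirectory + GroupPolicy modules) and domain admin rights.
# Server name, user names and the placeholder lockdown value are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN     = (Get-ADDomain).DistinguishedName      # e.g. DC=corp,DC=example,DC=com (read, not assumed)
$tsName       = 'RDS01'                                # assumed terminal server name
$ouName       = 'Terminal Servers'
$serversGroup = 'Terminal Servers'
$usersGroup   = 'Restricted Terminal Server Users'
$computerGpo  = 'Terminal Servers Policy'
$userGpo      = 'Terminal Server User Restrictions'

# 1. An OU that holds only the terminal servers; move the server into it.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -ErrorAction SilentlyContinue
if (-not $ou) { $ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDN -PassThru }
Move-ADObject -Identity (Get-ADComputer $tsName).DistinguishedName -TargetPath $ou.DistinguishedName

# 2. Security groups used for security filtering.
foreach ($g in $serversGroup, $usersGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $ou.DistinguishedName | Out-Null
    }
}
Add-ADGroupMember -Identity $serversGroup -Members (Get-ADComputer $tsName)
# Add-ADGroupMember -Identity $usersGroup -Members 'alice', 'bob'   # assumed restricted users

# 3. Computer GPO: loopback processing in Replace mode, filtered to the server group.
New-GPO -Name $computerGpo | Out-Null
New-GPLink -Name $computerGpo -Target $ou.DistinguishedName -LinkEnabled Yes | Out-Null
Set-GPRegistryValue -Name $computerGpo -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null     # 2 = Replace, 1 = Merge
Set-GPPermission -Name $computerGpo -TargetName $serversGroup -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. User GPO: computer half disabled, lockdown settings, filtered to servers + restricted users.
$ug = New-GPO -Name $userGpo
$ug.GpoStatus = 'ComputerSettingsDisabled'
New-GPLink -Name $userGpo -Target $ou.DistinguishedName -LinkEnabled Yes | Out-Null
# Placeholder for "edit all settings": "Prevent access to drives from My Computer", C: only (mask 4).
Set-GPRegistryValue -Name $userGpo -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoViewOnDrive' -Type DWord -Value 4 | Out-Null
Set-GPPermission -Name $userGpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None | Out-Null
# With loopback the computer account reads the user GPO, so it needs Read; the users need Apply.
Set-GPPermission -Name $userGpo -TargetName $serversGroup -TargetType Group -PermissionLevel GpoRead  | Out-Null
Set-GPPermission -Name $userGpo -TargetName $usersGroup   -TargetType Group -PermissionLevel GpoApply | Out-Null

# 5. Refresh on the server (needs WinRM; or run gpupdate in an elevated prompt on the server itself).
Invoke-Command -ComputerName $tsName -ScriptBlock { gpupdate /target:computer /force }
# Verify in a NEW session as a restricted user on RDS01:   gpresult /r /scope:user
# should list "Terminal Server User Restrictions" under applied GPOs; the same command on
# that user's own PC should not, because the OU link and loopback only exist for RDS01.
```

Existing RDS sessions keep the policy they logged on with, so the check in step 5 has to be a fresh logon. Removing Authenticated Users from the user GPO is what keeps it from applying to anyone outside the restricted group, but it also removes the Read right that the terminal server's computer account needs in order to evaluate the GPO under loopback; granting GpoRead to the "Terminal Servers" group, as the answer's Security Filtering step effectively does, covers that on current Windows versions as well as on 2008 R2.
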