Solved

microsoft rds server (terminal server) rights

Posted on 2010-11-30
Last Modified: 2012-05-10
We have a Microsoft 2008 R2 server set up as an RDS server. It is working fine and the users are using it remotely. They can, however, see parts of the C drive. I want to restrict this; how can I do it?
Question by: zelfanet

Accepted Solution

by: tstritof
ID: 34239110
Hi,

could you please be more specific?

Normal users need read access to the C drive if they are running apps stored there. Also, if your users' profiles or documents are stored locally on the RDS server in the Users folder, then access to C is also needed.

If you only want to hide/disable access to local drives in Windows Explorer & My Computer, you can do that through Group Policy. Navigate to this GP container in the GPO editor:

User Settings\Policies\Administrative Templates\Windows Components\Windows Explorer

and set these 2 policies:

- Hide these specified drives in My Computer
- Prevent access to drives from My Computer

There may be many other policies you may want to set for users in an RDS environment, so consider creating a separate GPO for those settings.

Also, if you don't want these policies applied to users when they work locally on their machines, then link the GPO only to the OU where your RD server is placed. Since these are user settings, you should also enable loopback GP processing on the RD server so that regular user policies get overwritten by the special policies set for the RD server.

Regards,
Tomislav

Author Comment

by: zelfanet
ID: 34390061
Tomislav,

That is exactly what I want to do. Can you explain the last paragraph to me? That is what I want to do.

Assisted Solution

by: tstritof
ID: 34394501
Hi,

here are my suggestions (I'll try to use full names on first use of any acronym so there's no confusion about what I'm referring to):

In Active Directory Users And Computers:

- create a separate organizational unit (OU) for your terminal server (TS) in Active Directory (AD) and move the terminal server to that OU (there should be no other computers in this OU other than terminal servers you want to apply the group policy (GP) to) - name it something like "Terminal Servers"

- create 2 new security groups in AD (this is not absolutely necessary but it helps in limiting the scope of the GP application) - name the first group "Terminal Servers" and add your terminal server to that group; name the second group something like "Restricted Terminal Server Users" and add your terminal server users that should have restricted access to local resources on TS to that group

In Group Policy Management:

- create a new group policy object (GPO) and name it "Terminal Servers Policy" and link it to the "Terminal Servers" OU you created earlier (you should be able to see it in Group Policy Management now)

- enable the following setting of this new GPO: Computer Configuration > Policies > Administrative Templates > System/Group Policy > User Group Policy loopback processing mode, set it to Replace (this will enforce that any GPOs normally applied to users get replaced with specific user policy defined for users when logging on to TS) and close the Group Policy Management Editor

- on the Scope tab for this GPO in Security Filtering add the security group "Terminal Servers" you created earlier

- create a new GPO and name it "Terminal Server User Restrictions", disable computer configuration settings on that GPO and link it to "Terminal Servers" OU

- edit all settings in User Configuration of this GPO that will restrict user access to local resources on the terminal server

- after editing the settings, on the Scope tab of this GPO remove Authenticated Users from Security Filtering and add both the "Terminal Servers" group and the "Restricted Terminal Server Users" group

Enforce the group policy:

- log on to your terminal server as an administrator (not in the restricted group) and in an elevated command prompt ("Run As Administrator") run the gpupdate command (or you could restart the terminal server, but it's not necessary; however, gpupdate won't have any influence on active TS sessions)

- now try logging in to terminal server as one of your restricted users and check if the "lockdown" policy settings have been applied; also, check that when this restricted user logs on to their personal computer no "lockdown" is applied (so that TS restricted users can normally access their PCs)

The basic idea behind this is:
- specify user settings in a resource lockdown policy
- apply this policy to your terminal server computers
- make sure that normal user settings are replaced by those in resource lockdown policy by activating the loopback policy processing

Hope this helps,

Regards,
Tomislav
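The OU, group and GPO steps from both of tstritof's answers (the drive-hiding Explorer policies from the first, the loopback GPO layout and security filtering from the second) can be scripted from a management workstation with the RSAT ActiveDirectory and GroupPolicy PowerShell modules. The script below is an added example written for this page, not code from the thread; the domain, the server name "TS01" and the user "alice" are placeholders, while the OU, group and GPO names are the ones the answer uses. The registry values it writes are the ones behind the Administrative Template settings named in the answers (UserPolicyMode for loopback, NoDrives and NoViewOnDrive for the two Explorer policies).

```powershell
# Added example (not from the original thread): scripts the OU / group / GPO
# steps from tstritof's answers with the RSAT ActiveDirectory and GroupPolicy
# modules. Domain, server "TS01" and user "alice" are placeholders; the OU,
# group and GPO names are the ones used in the answer.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=example,DC=com
$tsName   = 'TS01'                              # placeholder terminal server
$ouName   = 'Terminal Servers'
$ouDN     = "OU=$ouName,$domainDN"

# 1. Dedicated OU that holds only the terminal servers; move the TS into it.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}
Move-ADObject -Identity (Get-ADComputer $tsName).DistinguishedName -TargetPath $ouDN

# 2. Security groups that narrow the scope of the two GPOs.
New-ADGroup -Name 'Terminal Servers' -GroupScope Global -GroupCategory Security -Path $ouDN
New-ADGroup -Name 'Restricted Terminal Server Users' -GroupScope Global -GroupCategory Security -Path $ouDN
Add-ADGroupMember -Identity 'Terminal Servers' -Members (Get-ADComputer $tsName)
Add-ADGroupMember -Identity 'Restricted Terminal Server Users' -Members 'alice'   # placeholder user

# 3. Computer-side GPO: loopback processing in Replace mode.
#    UserPolicyMode is the value behind "User Group Policy loopback processing
#    mode": 2 = Replace, 1 = Merge.
$tsPolicy = New-GPO -Name 'Terminal Servers Policy'
New-GPLink -Name $tsPolicy.DisplayName -Target $ouDN -LinkEnabled Yes | Out-Null
Set-GPRegistryValue -Name $tsPolicy.DisplayName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
# Security filtering: only members of "Terminal Servers" apply this GPO.
Set-GPPermission -Name $tsPolicy.DisplayName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None | Out-Null
Set-GPPermission -Name $tsPolicy.DisplayName -TargetName 'Terminal Servers' -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. User-side GPO carrying the Explorer drive restrictions.
$userPolicy = New-GPO -Name 'Terminal Server User Restrictions'
$userPolicy.GpoStatus = 'ComputerSettingsDisabled'   # "disable computer configuration settings"
New-GPLink -Name $userPolicy.DisplayName -Target $ouDN -LinkEnabled Yes | Out-Null

# NoDrives / NoViewOnDrive are bitmasks over drive letters: bit 0 = A:,
# bit 1 = B:, bit 2 = C:, ... ; 0x4 covers only C:, 0x3FFFFFF covers A: to Z:.
$driveMask   = 0x4
$explorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# "Hide these specified drives in My Computer"
Set-GPRegistryValue -Name $userPolicy.DisplayName -Key $explorerKey -ValueName 'NoDrives' -Type DWord -Value $driveMask | Out-Null
# "Prevent access to drives from My Computer"
Set-GPRegistryValue -Name $userPolicy.DisplayName -Key $explorerKey -ValueName 'NoViewOnDrive' -Type DWord -Value $driveMask | Out-Null

# Security filtering: Authenticated Users is removed as the answer describes;
# both the TS computer group and the restricted user group get Apply.
Set-GPPermission -Name $userPolicy.DisplayName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None | Out-Null
Set-GPPermission -Name $userPolicy.DisplayName -TargetName 'Terminal Servers' -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $userPolicy.DisplayName -TargetName 'Restricted Terminal Server Users' -TargetType Group -PermissionLevel GpoApply | Out-Null

# 5. Refresh policy on the terminal server itself, from an elevated prompt;
#    sessions that are already open are not affected until the user logs on again.
#    gpupdate /force
```

Two points worth checking after running it. First, the restricted user should see the lockdown only in an RDS session and not on their own PC; that is what the loopback Replace mode plus the OU-scoped link buys you, so test both logons as the answer says. Second, giving the "Terminal Servers" computer group Apply on the user-side GPO is what makes the per-user settings reach the session under loopback, and it also means the computer account can read that GPO, which later Windows updates (MS16-072, June 2016) made a requirement for user-side GPOs after Authenticated Users has been removed from Security Filtering.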
