Solved

Microsoft RDS server (terminal server) rights

Posted on 2010-11-30
Last Modified: 2012-05-10
We have a Microsoft 2008 R2 server set up as an RDS server. It is working fine and the users are using it remotely. They can, however, see parts of the C drive. I want to restrict this. How can I do it?
Question by:zelfanet
Accepted Solution

by:
tstritof earned 500 total points
Hi,

could you please be more specific?

Normal users need read access to the C drive if they are running apps stored there. Also, if your users' profiles or documents are stored locally on the RDS server in the Users folder, then access to C is also needed.

If you only want to hide/disable access to local drives in Windows Explorer & My Computer you can do that through Group Policy. Navigate to this GP container in GPO editor:

User Settings\Policies\Administrative Templates\Windows Components\Windows Explorer

and set these 2 policies:

Hide these specified drives in My Computer
Prevent access to drives from My Computer

There may be many other policies you may want to set for users in RDS environment, so consider creating a separate GPO for those settings.

Also if you don't want these policies applied to users when they work locally on their machines, then link the GPO only to the OU where your RD server is placed. Since these are user settings you should also enable loopback GP processing on RD server so that regular user policies get overwritten by special policies set for RD server.

Regards,
Tomislav
Author Comment

by:zelfanet
Tomislav,

That is exactly what I want to do. Can you explain the last paragraph to me? That is what I want to do.
Assisted Solution

by:tstritof
tstritof earned 500 total points
Hi,

here are my suggestions (I'll try to use full names on first use of any acronym so there's no confusion about what I'm referring to):

In Active Directory Users And Computers:

- create a separate organizational unit (OU) for your terminal server (TS) in Active Directory (AD) and move the terminal server to that OU (there should be no other computers in this OU other than terminal servers you want to apply the group policy (GP) to) - name it something like "Terminal Servers"

- create 2 new security groups in AD (this is not absolutely necessary but it helps in limiting the scope of the GP application) - name the first group "Terminal Servers" and add your terminal server to that group; name the second group something like "Restricted Terminal Server Users" and add your terminal server users that should have restricted access to local resources on TS to that group

In Group Policy Management:

- create a new group policy object (GPO) and name it "Terminal Servers Policy" and link it to the "Terminal Servers" OU you created earlier (you should be able to see it in Group Policy Management now)

- enable the following setting of this new GPO: Computer Configuration > Policies > Administrative Templates > System > Group Policy > User Group Policy loopback processing mode, set it to Replace (this will enforce that any GPOs normally applied to users get replaced with the specific user policy defined for users when logging on to TS) and close the Group Policy Management Editor

- on the Scope tab for this GPO in Security Filtering add the security group "Terminal Servers" you created earlier

- create a new GPO and name it "Terminal Server User Restrictions", disable computer configuration settings on that GPO and link it to "Terminal Servers" OU

- edit all settings in User Configuration of this GPO that will restrict user access to local resources on terminal server

- after editing the settings, on the Scope tab of this GPO remove Authenticated Users from Security Filtering and add both "Terminal Servers" group and "Restricted Terminal Server Users" group

Enforce the group policy:

- log on to your terminal server as an administrator (not in the restricted group) and in elevated command prompt ("Run As Administrator") run the gpupdate command (or you could restart terminal server but it's not necessary, however the gpupdate won't have influence on active TS sessions)

- now try logging in to terminal server as one of your restricted users and check if the "lockdown" policy settings have been applied; also, check that when this restricted user logs on to their personal computer no "lockdown" is applied (so that TS restricted users can normally access their PCs)

The basic idea behind this is:
- specify user settings in resource lockdown policy
- apply this policy to your terminal server computers
- make sure that normal user settings are replaced by those in resource lockdown policy by activating the loopback policy processing

Hope this helps,

Regards,
Tomislav
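
The procedure in the answer above, scripted with the ActiveDirectory and GroupPolicy PowerShell modules (an added example, not part of the original thread). The domain `DC=example,DC=com` and host name `RDS01` are placeholders, and the drive restriction shown covers only drive C via the two Explorer policies named in the first answer.

```powershell
# Added example, not from the thread. Run on a domain controller or a host with RSAT.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = 'DC=example,DC=com'               # placeholder domain
$server   = 'RDS01'                           # placeholder RDS host name
$ouDn     = "OU=Terminal Servers,$domainDn"
$tsGroup  = 'Terminal Servers'
$usrGroup = 'Restricted Terminal Server Users'

# 1. Dedicated OU for the RDS host, plus the two security groups
New-ADOrganizationalUnit -Name 'Terminal Servers' -Path $domainDn
Get-ADComputer $server | Move-ADObject -TargetPath $ouDn
New-ADGroup -Name $tsGroup  -GroupScope Global -GroupCategory Security -Path $ouDn
New-ADGroup -Name $usrGroup -GroupScope Global -GroupCategory Security -Path $ouDn
Add-ADGroupMember -Identity $tsGroup -Members (Get-ADComputer $server)
# Add the restricted accounts afterwards:
#   Add-ADGroupMember -Identity $usrGroup -Members <user1>,<user2>

# 2. Computer-side GPO: loopback processing, Replace mode
#    (UserPolicyMode: 1 = Merge, 2 = Replace)
New-GPO -Name 'Terminal Servers Policy' | New-GPLink -Target $ouDn
Set-GPRegistryValue -Name 'Terminal Servers Policy' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2
Set-GPPermissions -Name 'Terminal Servers Policy' -TargetName $tsGroup `
    -TargetType Group -PermissionLevel GpoApply

# 3. User-side GPO: computer half disabled, linked to the same OU
$gpo = New-GPO -Name 'Terminal Server User Restrictions'
$gpo.GpoStatus = 'ComputerSettingsDisabled'
$gpo | New-GPLink -Target $ouDn

# NoDrives hides drives, NoViewOnDrive blocks opening them.
# Both are bitmasks: A=1, B=2, C=4, D=8 ... so 4 restricts C only.
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($value in 'NoDrives', 'NoViewOnDrive') {
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $explorer `
        -ValueName $value -Type DWord -Value 4
}

# 4. Security filtering: drop Authenticated Users, add both groups
Set-GPPermissions -Name $gpo.DisplayName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace
foreach ($group in $tsGroup, $usrGroup) {
    Set-GPPermissions -Name $gpo.DisplayName -TargetName $group `
        -TargetType Group -PermissionLevel GpoApply
}

# 5. On the RDS host, elevated:  gpupdate /force
#    Then, in a restricted user's new session:  gpresult /scope user /r
```

In the `gpresult` output for a restricted user, "Terminal Server User Restrictions" should be listed under Applied Group Policy Objects on the RDS host and absent when the same user logs on to their own PC.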