Solved

Access to WIndows 2008 R2 RDS

Posted on 2011-03-24
6
324 Views
Last Modified: 2012-05-11
We have two RDS servers, same operating system, service packs, etc.  one is considered our backoffice with microsoft office, etc.  the other just has our POS software.  we want to restrict users that logon to the POS one from the Backoffice one and vice versa.  We have two security groups: TSUsers is for our backoffice and TSPOS is for our POS.  they are both apart of the Remote Desktop group.  The issue we are having is anyone in either of these groups can LOGON to the both servers.  I am thinking it is because both servers have Remote Desktop Users as a member (and in this group is both of our security groups).  I am thinking this needs to be removed as a member from both servers.  But not sure what members need to be on our terminal servers?  Besides Remote Desktop Users, We also have "Domain Computers (default)", "Terminal Server License Servers" and "RAS and IAS Servers" as members.  Should Remote Desktop users be a member of both servers?  Or Should just the TSUsers group be a member of the Backoffice and TSPOS group a member of the POS server?  I believe this is my problem as to why users in TSUsers can logon to my POS and vice versa.  thanks
0
Comment
Question by:MidCape
  • 4
  • 2
6 Comments
 
LVL 18

Accepted Solution

by:
Netflo earned 500 total points
ID: 35208452
Hi MidCape,

You can control who logs onto which TS via Group Policy or Local Group Policy on each TS.

Please see the attached link http://scorpiotek.com/blog/?p=742 where you can remove or add groups to control access.

I have used this method before for single or a few TS where this level of control is required.

Hope this helps.
0
 

Author Comment

by:MidCape
ID: 35208521
Thanks for your response.  The problem we are having is we want to restrict the users in the TSUsers group from logging onto our POS terminal server, but they still need access to our Backoffice terminal server, and vice versa.  so they need to be apart of the remote desktop group and have access to logon to a remote desktop services.  we have this setup on our old terminal servers which are 2003.  On the server itself we do not have any members besides "domain computeres".  so remote desktop users is not a member of this server.  So we have TSUSERS and TSPOS members of Remote Desktop Users group and Remote Desktop user is a member of each of our 2008 R2 RDS servers.  So I think this may be why both groups can access both servers.  if we remove Remote Desktop users from the servers would everything still function and should we add TSUsers to our backoffice and TSPOS to our POS server?
0
 
LVL 18

Expert Comment

by:Netflo
ID: 35208595
Yes you can remove the Remote Desktop Users group and set the groups you want to allow to logon. Ensure you have Administrators still there so you can get back on via RDP should anything not work as expected.
0
 

Author Comment

by:MidCape
ID: 35208686
thank you for your response.  I just wanted to make sure that Remote desktop users doesn't have to be a member of the server in order for users to logon to the terminal server.  I am sure we added this group in the begining, but now are live and don't want to mess things up by removing.  We will add the TSUsers to the Backoffice (allow with administrator) and same for TSPOS to the POS server.

I will give it a try.  thanks
0
 
LVL 18

Expert Comment

by:Netflo
ID: 35208812
Try on one TS first, test, ensure you get the desired results before being bombarded with emails and calls. Let me know how you get on.
0
 
LVL 18

Expert Comment

by:Netflo
ID: 35328003
Glad to have helped :)
0

Join & Write a Comment

Resolve DNS query failed errors for Exchange
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now