Access to WIndows 2008 R2 RDS

Posted on 2011-03-24
Last Modified: 2012-05-11
We have two RDS servers, same operating system, service packs, etc.  one is considered our backoffice with microsoft office, etc.  the other just has our POS software.  we want to restrict users that logon to the POS one from the Backoffice one and vice versa.  We have two security groups: TSUsers is for our backoffice and TSPOS is for our POS.  they are both apart of the Remote Desktop group.  The issue we are having is anyone in either of these groups can LOGON to the both servers.  I am thinking it is because both servers have Remote Desktop Users as a member (and in this group is both of our security groups).  I am thinking this needs to be removed as a member from both servers.  But not sure what members need to be on our terminal servers?  Besides Remote Desktop Users, We also have "Domain Computers (default)", "Terminal Server License Servers" and "RAS and IAS Servers" as members.  Should Remote Desktop users be a member of both servers?  Or Should just the TSUsers group be a member of the Backoffice and TSPOS group a member of the POS server?  I believe this is my problem as to why users in TSUsers can logon to my POS and vice versa.  thanks
Question by:MidCape
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
LVL 18

Accepted Solution

Netflo earned 500 total points
ID: 35208452
Hi MidCape,

You can control who logs onto which TS via Group Policy or Local Group Policy on each TS.

Please see the attached link where you can remove or add groups to control access.

I have used this method before for single or a few TS where this level of control is required.

Hope this helps.

Author Comment

ID: 35208521
Thanks for your response.  The problem we are having is we want to restrict the users in the TSUsers group from logging onto our POS terminal server, but they still need access to our Backoffice terminal server, and vice versa.  so they need to be apart of the remote desktop group and have access to logon to a remote desktop services.  we have this setup on our old terminal servers which are 2003.  On the server itself we do not have any members besides "domain computeres".  so remote desktop users is not a member of this server.  So we have TSUSERS and TSPOS members of Remote Desktop Users group and Remote Desktop user is a member of each of our 2008 R2 RDS servers.  So I think this may be why both groups can access both servers.  if we remove Remote Desktop users from the servers would everything still function and should we add TSUsers to our backoffice and TSPOS to our POS server?
LVL 18

Expert Comment

ID: 35208595
Yes you can remove the Remote Desktop Users group and set the groups you want to allow to logon. Ensure you have Administrators still there so you can get back on via RDP should anything not work as expected.
Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!


Author Comment

ID: 35208686
thank you for your response.  I just wanted to make sure that Remote desktop users doesn't have to be a member of the server in order for users to logon to the terminal server.  I am sure we added this group in the begining, but now are live and don't want to mess things up by removing.  We will add the TSUsers to the Backoffice (allow with administrator) and same for TSPOS to the POS server.

I will give it a try.  thanks
LVL 18

Expert Comment

ID: 35208812
Try on one TS first, test, ensure you get the desired results before being bombarded with emails and calls. Let me know how you get on.
LVL 18

Expert Comment

ID: 35328003
Glad to have helped :)

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
This article explains the steps required to use the default Photos screensaver to display branding/corporate images
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question