Access to WIndows 2008 R2 RDS

Posted on 2011-03-24
Last Modified: 2012-05-11
We have two RDS servers, same operating system, service packs, etc.  one is considered our backoffice with microsoft office, etc.  the other just has our POS software.  we want to restrict users that logon to the POS one from the Backoffice one and vice versa.  We have two security groups: TSUsers is for our backoffice and TSPOS is for our POS.  they are both apart of the Remote Desktop group.  The issue we are having is anyone in either of these groups can LOGON to the both servers.  I am thinking it is because both servers have Remote Desktop Users as a member (and in this group is both of our security groups).  I am thinking this needs to be removed as a member from both servers.  But not sure what members need to be on our terminal servers?  Besides Remote Desktop Users, We also have "Domain Computers (default)", "Terminal Server License Servers" and "RAS and IAS Servers" as members.  Should Remote Desktop users be a member of both servers?  Or Should just the TSUsers group be a member of the Backoffice and TSPOS group a member of the POS server?  I believe this is my problem as to why users in TSUsers can logon to my POS and vice versa.  thanks
Question by:MidCape
  • 4
  • 2
LVL 18

Accepted Solution

Netflo earned 500 total points
ID: 35208452
Hi MidCape,

You can control who logs onto which TS via Group Policy or Local Group Policy on each TS.

Please see the attached link where you can remove or add groups to control access.

I have used this method before for single or a few TS where this level of control is required.

Hope this helps.

Author Comment

ID: 35208521
Thanks for your response.  The problem we are having is we want to restrict the users in the TSUsers group from logging onto our POS terminal server, but they still need access to our Backoffice terminal server, and vice versa.  so they need to be apart of the remote desktop group and have access to logon to a remote desktop services.  we have this setup on our old terminal servers which are 2003.  On the server itself we do not have any members besides "domain computeres".  so remote desktop users is not a member of this server.  So we have TSUSERS and TSPOS members of Remote Desktop Users group and Remote Desktop user is a member of each of our 2008 R2 RDS servers.  So I think this may be why both groups can access both servers.  if we remove Remote Desktop users from the servers would everything still function and should we add TSUsers to our backoffice and TSPOS to our POS server?
LVL 18

Expert Comment

ID: 35208595
Yes you can remove the Remote Desktop Users group and set the groups you want to allow to logon. Ensure you have Administrators still there so you can get back on via RDP should anything not work as expected.
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why


Author Comment

ID: 35208686
thank you for your response.  I just wanted to make sure that Remote desktop users doesn't have to be a member of the server in order for users to logon to the terminal server.  I am sure we added this group in the begining, but now are live and don't want to mess things up by removing.  We will add the TSUsers to the Backoffice (allow with administrator) and same for TSPOS to the POS server.

I will give it a try.  thanks
LVL 18

Expert Comment

ID: 35208812
Try on one TS first, test, ensure you get the desired results before being bombarded with emails and calls. Let me know how you get on.
LVL 18

Expert Comment

ID: 35328003
Glad to have helped :)

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now