Access to WIndows 2008 R2 RDS

Posted on 2011-03-24
Last Modified: 2012-05-11
We have two RDS servers, same operating system, service packs, etc.  one is considered our backoffice with microsoft office, etc.  the other just has our POS software.  we want to restrict users that logon to the POS one from the Backoffice one and vice versa.  We have two security groups: TSUsers is for our backoffice and TSPOS is for our POS.  they are both apart of the Remote Desktop group.  The issue we are having is anyone in either of these groups can LOGON to the both servers.  I am thinking it is because both servers have Remote Desktop Users as a member (and in this group is both of our security groups).  I am thinking this needs to be removed as a member from both servers.  But not sure what members need to be on our terminal servers?  Besides Remote Desktop Users, We also have "Domain Computers (default)", "Terminal Server License Servers" and "RAS and IAS Servers" as members.  Should Remote Desktop users be a member of both servers?  Or Should just the TSUsers group be a member of the Backoffice and TSPOS group a member of the POS server?  I believe this is my problem as to why users in TSUsers can logon to my POS and vice versa.  thanks
Question by:MidCape
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
LVL 18

Accepted Solution

Netflo earned 500 total points
ID: 35208452
Hi MidCape,

You can control who logs onto which TS via Group Policy or Local Group Policy on each TS.

Please see the attached link where you can remove or add groups to control access.

I have used this method before for single or a few TS where this level of control is required.

Hope this helps.

Author Comment

ID: 35208521
Thanks for your response.  The problem we are having is we want to restrict the users in the TSUsers group from logging onto our POS terminal server, but they still need access to our Backoffice terminal server, and vice versa.  so they need to be apart of the remote desktop group and have access to logon to a remote desktop services.  we have this setup on our old terminal servers which are 2003.  On the server itself we do not have any members besides "domain computeres".  so remote desktop users is not a member of this server.  So we have TSUSERS and TSPOS members of Remote Desktop Users group and Remote Desktop user is a member of each of our 2008 R2 RDS servers.  So I think this may be why both groups can access both servers.  if we remove Remote Desktop users from the servers would everything still function and should we add TSUsers to our backoffice and TSPOS to our POS server?
LVL 18

Expert Comment

ID: 35208595
Yes you can remove the Remote Desktop Users group and set the groups you want to allow to logon. Ensure you have Administrators still there so you can get back on via RDP should anything not work as expected.
Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!


Author Comment

ID: 35208686
thank you for your response.  I just wanted to make sure that Remote desktop users doesn't have to be a member of the server in order for users to logon to the terminal server.  I am sure we added this group in the begining, but now are live and don't want to mess things up by removing.  We will add the TSUsers to the Backoffice (allow with administrator) and same for TSPOS to the POS server.

I will give it a try.  thanks
LVL 18

Expert Comment

ID: 35208812
Try on one TS first, test, ensure you get the desired results before being bombarded with emails and calls. Let me know how you get on.
LVL 18

Expert Comment

ID: 35328003
Glad to have helped :)

Featured Post

Major Incident Management Communications

Major incidents and IT service outages cost companies millions. Often the solution to minimizing damage is automated communication. Find out more in our Major Incident Management Communications infographic.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question