Access to WIndows 2008 R2 RDS

Posted on 2011-03-24
Medium Priority
Last Modified: 2012-05-11
We have two RDS servers, same operating system, service packs, etc.  one is considered our backoffice with microsoft office, etc.  the other just has our POS software.  we want to restrict users that logon to the POS one from the Backoffice one and vice versa.  We have two security groups: TSUsers is for our backoffice and TSPOS is for our POS.  they are both apart of the Remote Desktop group.  The issue we are having is anyone in either of these groups can LOGON to the both servers.  I am thinking it is because both servers have Remote Desktop Users as a member (and in this group is both of our security groups).  I am thinking this needs to be removed as a member from both servers.  But not sure what members need to be on our terminal servers?  Besides Remote Desktop Users, We also have "Domain Computers (default)", "Terminal Server License Servers" and "RAS and IAS Servers" as members.  Should Remote Desktop users be a member of both servers?  Or Should just the TSUsers group be a member of the Backoffice and TSPOS group a member of the POS server?  I believe this is my problem as to why users in TSUsers can logon to my POS and vice versa.  thanks
Question by:MidCape
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
LVL 18

Accepted Solution

Netflo earned 2000 total points
ID: 35208452
Hi MidCape,

You can control who logs onto which TS via Group Policy or Local Group Policy on each TS.

Please see the attached link http://scorpiotek.com/blog/?p=742 where you can remove or add groups to control access.

I have used this method before for single or a few TS where this level of control is required.

Hope this helps.

Author Comment

ID: 35208521
Thanks for your response.  The problem we are having is we want to restrict the users in the TSUsers group from logging onto our POS terminal server, but they still need access to our Backoffice terminal server, and vice versa.  so they need to be apart of the remote desktop group and have access to logon to a remote desktop services.  we have this setup on our old terminal servers which are 2003.  On the server itself we do not have any members besides "domain computeres".  so remote desktop users is not a member of this server.  So we have TSUSERS and TSPOS members of Remote Desktop Users group and Remote Desktop user is a member of each of our 2008 R2 RDS servers.  So I think this may be why both groups can access both servers.  if we remove Remote Desktop users from the servers would everything still function and should we add TSUsers to our backoffice and TSPOS to our POS server?
LVL 18

Expert Comment

ID: 35208595
Yes you can remove the Remote Desktop Users group and set the groups you want to allow to logon. Ensure you have Administrators still there so you can get back on via RDP should anything not work as expected.
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.


Author Comment

ID: 35208686
thank you for your response.  I just wanted to make sure that Remote desktop users doesn't have to be a member of the server in order for users to logon to the terminal server.  I am sure we added this group in the begining, but now are live and don't want to mess things up by removing.  We will add the TSUsers to the Backoffice (allow with administrator) and same for TSPOS to the POS server.

I will give it a try.  thanks
LVL 18

Expert Comment

ID: 35208812
Try on one TS first, test, ensure you get the desired results before being bombarded with emails and calls. Let me know how you get on.
LVL 18

Expert Comment

ID: 35328003
Glad to have helped :)

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question