Limiting Access once logged in to Remote Desktop on Windows 2008 Server

Posted on 2011-04-27
Last Modified: 2012-05-11
I've configured a Windows 2008 Enterprise server in the active directory and I want to give remote workers the ability to login and use this server - but to a limited degree.

I want:

1 - To block them from directly accessing the C drive

2 - Allow them to run CERTAIN programs installed on the D Drive (Open Office, Textpad, and about 10 other apps)

3 - Let them access their own data ("My Documents" on the E: drive)

4 - Let them access certain folders on the "F" drive (shared folders)

I do NOT want them installing (or uninstalling) any apps

I do NOT want them screwing with anything on the server ;)

I've gone through a lot of posts which talked about restricting access to just one app.  That's not what I'm doing here.  Basically, I want them to be a "user" but not a "power user" / "admin"

... and that said, if we encounter a program that will not function because they don't have enough rights to it, how would I tweak so they could have more rights just to that one app?

The ideal setup would be a Group with all the right permissions and rights, and just drop them all in that group.

Thanks  !!!
Question by:drgdrg
    LVL 21

    Accepted Solution

    1. Create a security group in AD and assign users to this group.
    2. Add these users to the local Remote Desktop Users group on the server (using Group Policy if you can).

    Now these users will only be standard users on the server but can remote in. Assign them permissions as they need it.
    LVL 1

    Author Comment

    Right - that's what I was planning above...

    >>> The ideal setup would be a Group with all the right permissions and rights, and just drop them all in that group.

    What I don't know is this - once that group is set up, how do I restrict them to certain drives and certain programs?

    If I remove their access to the C: drive, will they not be able to work at all (i.e., because they won't have access to the O/S) or is O/S "usage" automatic and covered, even if I block their user account from C: ?
    LVL 21

    Assisted Solution

    by:Joseph Moody
    If they are standard users, they can't "mess" anything up. They will only have read/execute by default.
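
The two steps from the accepted solution, followed by per-folder grants and a membership check, as an added example that is not part of the original thread. The group name `CONTOSO\RDS-RemoteWorkers` and the folder paths `D:\Apps` and `F:\Shared` are assumptions; run it from an elevated PowerShell prompt on the server after the AD group exists.

```powershell
# Added example. Group name and folder paths below are hypothetical placeholders.
$group = 'CONTOSO\RDS-RemoteWorkers'   # AD security group from step 1

# Step 2: allow RDP logon for the group; members remain standard users.
net localgroup "Remote Desktop Users" $group /add

# Folder -> right to grant. C: is left untouched: as noted in the thread,
# standard users only have read/execute there by default.
# Per-user "My Documents" folders on E: need per-user ACLs, not a group grant.
$grants = @{
    'D:\Apps'   = 'ReadAndExecute'   # run installed programs, no changes
    'F:\Shared' = 'Modify'           # shared working folders
}

foreach ($path in $grants.Keys) {
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $group, $grants[$path], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)          # adds to existing entries, replaces none
    Set-Acl -Path $path -AclObject $acl
}

# Check: the group must not sit in a privileged local group.
foreach ($local in 'Administrators', 'Power Users') {
    $hit = net localgroup $local | Where-Object { $_.Trim() -eq $group }
    if ($hit) { Write-Warning "$group is a member of local group '$local'" }
}

# Review the entries the group now holds on each folder.
foreach ($path in $grants.Keys) {
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $group } |
        Select-Object @{ n = 'Path'; e = { $path } },
                      FileSystemRights, AccessControlType, IsInherited
}
```

If one program later needs more rights, add a single entry for that program's folder to `$grants` rather than widening the group's rights elsewhere.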
