Limiting Access once logged in to Remote Desktop on Windows 2008 Server

Posted on 2011-04-27
Last Modified: 2012-05-11
I've configured a Windows 2008 Enterprise server in the Active Directory and I want to give remote workers the ability to log in and use this server - but to a limited degree.

I want:

1 - To block them from directly accessing the C drive

2 - Allow them to run CERTAIN programs installed on the D Drive (Open Office, Textpad, and about 10 other apps)

3 - Let them access their own data ("My Documents" on the E: drive)

4 - Let them access certain folders on the "F" drive (shared folders)

I do NOT want them installing (or uninstalling) any apps

I do NOT want them screwing with anything on the server ;)

I've gone through a lot of posts which talked about restricting access to just one app.  That's not what I'm doing here.  Basically, I want them to be a "user" but not a "power user" / "admin"

... and that said, if we encounter a program that will not function because they don't have enough rights to it, how would I tweak so they could have more rights just to that one app?

The ideal setup would be a Group with all the right permissions and rights, and just drop them all in that group.

Thanks  !!!
Question by:drgdrg

Accepted Solution

Joseph Moody earned 2000 total points
ID: 35476561
1. Create a security group in AD and assign users to this group.
2. Add these users to the local Remote Desktop Users group on the server (using Group Policy if you can).

Now these users will only be standard users on the server but can remote in. Assign them permissions as they need it.

Author Comment

ID: 35476608
Right - that's what I was planning above...

>>> The ideal setup would be a Group with all the right permissions and rights, and just drop them all in that group.

What I don't know is this - once that group is set up, how do I restrict them to certain drives and certain programs?

If I remove their access to the C: drive, will they not be able to work at all (i.e., because they won't have access to the O/S) or is O/S "usage" automatic and covered, even if I block their user account from C: ?

Assisted Solution

by:Joseph Moody
ID: 35476636
If they are standard users, they can't "mess" anything up. They will only have read/execute by default.
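
The two steps from the accepted solution, plus "assign them permissions as they need it", written out as commands with checks afterwards. This is an added example, not part of the original thread. The domain `CORP`, the group `RDS-RemoteWorkers`, the distinguished names and the folders `F:\Shared\Projects` and `D:\Apps\SomeApp\Data` are placeholders; only the drive letters come from the question.

```batch
@echo off
rem Added example: every name below is a placeholder, not taken from the thread.
rem Run elevated; the ds* commands need the AD DS tools (a DC or a host with RSAT).
set DOMAIN=CORP
set GROUP=RDS-RemoteWorkers
set GROUP_DN=CN=%GROUP%,OU=Groups,DC=corp,DC=example
set USER_DN=CN=Jane Doe,OU=Staff,DC=corp,DC=example

rem Step 1: create a global security group in AD and put a user in it.
dsadd group "%GROUP_DN%" -secgrp yes -scope g -samid %GROUP%
dsmod group "%GROUP_DN%" -addmbr "%USER_DN%"

rem Step 2: on the server, add the AD group to the local Remote Desktop Users
rem group. Members can log on over RDP but are not added to Administrators.
net localgroup "Remote Desktop Users" %DOMAIN%\%GROUP% /add

rem Permissions "as they need it": grant Modify on one shared folder on F:,
rem inherited by subfolders (CI) and files (OI). Nothing else on F: is changed.
icacls "F:\Shared\Projects" /grant "%DOMAIN%\%GROUP%:(OI)(CI)M"

rem If one program on D: fails for lack of rights, widen access on that
rem program's own data folder only, not on the whole drive.
icacls "D:\Apps\SomeApp\Data" /grant "%DOMAIN%\%GROUP%:(OI)(CI)M"

rem Checks: the group appears under Remote Desktop Users and does not appear
rem under Administrators; the ACL on the shared folder shows the new entry.
net localgroup "Remote Desktop Users"
net localgroup Administrators
icacls "F:\Shared\Projects"

rem Inspect (do not change) what is already granted on the system drive.
icacls C:\
```

Running `whoami /groups` inside one of the remote users' sessions shows the same membership from the user's side.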
