Solved

Windows 7 - lock down local computer to RDP only

Posted on 2012-03-31
5
1,173 Views
Last Modified: 2012-04-01
I have a Windows 2003 domain with 2008 RDS servers and Windows 7 clients. What alternatives are there so that the Windows 7 workstations only allow users to run the TS client - in other words prevent users from getting access to the local system?
0
Comment
Question by:lineonecorp
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 40

Expert Comment

by:footech
ID: 37790687
Try setting Group Policy under Computer Configuration | Windows Settings | Security Settings | Local Polices | User Rights Assignment.  Set "Deny log on locally" to Domain Users, and "Allow log on through Remote Desktop Services" to Domain Users.  You could change the groups to suit your needs.  Note that if you set "Deny log on locally" to Domain Users, this will apply to Domain Admins as well, and this setting has priority over "Allow log on locally".  Local users should still be able to log on though.
0
 

Author Comment

by:lineonecorp
ID: 37794014
Thanks for this. However as far as your note about local users, there should be none -  I don't want anybody logging onto the PC to have access to the local system whether they are Domain Users or not. What should happen is that anybody other than the Domain Admin/local admin who  turns the computer on will only see an RDP client icon and that's all they will be able to access on the system.
0
 
LVL 40

Accepted Solution

by:
footech earned 500 total points
ID: 37794180
OK, scratch my last post.  I think I misunderstood your requirements.

What you're looking for is similar to how a RDS is locked down for users that access it remotely.  I'm not quite sure about the best way to approach this when talking about desktops.  Maybe using remote mandatory profiles but there might be too many hurdles to overcome depending on how many exceptions there are for when you want it to be used/applied.  The other way is through the use of a customized default profile that you will need to create on all the Win7 desktops through the use of sysprep (which you can configure to copy the Administrator's profile to be the default).

In either case you will then need to use Group Policy to lock down the workstations (I can't tell you all of the settings) to remove access to drives, deny access to context menus on the desktop and taskbar, remove elements from the start menu, etc.  I think you would have to use loopback policy processing to apply many of these user GP settings only on specific machines (i.e. the desktops), so that they don't apply to your RD sessions.  Sounds similar to a thin client scenario, but I've never used these, so I can't say how these are set up.
0
 

Author Comment

by:lineonecorp
ID: 37794218
Thanks for the additional inpu. I  wouldn't mind some more detailed information from someone who has tried this so I will close this question and post again.
0
 
LVL 40

Expert Comment

by:footech
ID: 37794264
Thanks for the points.  Keep in mind that if you need additional input you can also use the Request Attention button.

Best of luck.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You may have a outside contractor who comes in once a week or seasonal to do some work in your office but you only want to give him access to the programs and files he needs and keep privet all other documents and programs, can you do this on a loca…
There are many software programs on offer that will claim to magically speed up your computer. The best advice I can give you is to avoid them like the plague, because they will often cause far more problems than they solve. Try some of these "do it…
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question