Solved

Windows 7 RDS workstation - restrict to RDS only

Posted on 2012-04-01
8
973 Views
Last Modified: 2012-06-27
I am looking for a means of locking down Windows 7 workstations in a 2008 R2 RDS environment so that the only thing users can do is run the RDP client on it. What should happen is that when anybody turns the computer on is that at the end of the boot process they find themselves looking at an RDP client 'enter your login name' prompt. The users should have no access to the local system - only an administrator would be able to access any of the local resources. How would I go about doing this?
0
Comment
Question by:lineonecorp
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 23

Assisted Solution

by:yo_bee
yo_bee earned 400 total points
ID: 37794324
I just did a search on the internet and found this link.
I have not tried this, so I would stand up a test OU with some test objects in it.

http://jaredheinrichs.com/how-to-turn-a-windows-7-pc-into-a-kiosk.html
0
 
LVL 23

Assisted Solution

by:yo_bee
yo_bee earned 400 total points
ID: 37794341
You will also probably  want to have RDP start-up at logon as well as placing the shortcut to RDP on the desktop as well.

The startup folder  is %systemdrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

User's desktop is %userprofile%\desktop
0
 
LVL 23

Assisted Solution

by:yo_bee
yo_bee earned 400 total points
ID: 37794381
For testing you can also try using RD WEB.
if you have this bat file placed in the start up folder listed above this might give you one more layer of lockdown.

iexplore.exe -k "URL"

example iexplore.exe -k  "https://InternalRDService/RDWEB"

You might want to remove the ability for standard users from using Ctrl + Alt + Del as well
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 21

Assisted Solution

by:Radhakrishnan R
Radhakrishnan R earned 100 total points
ID: 37794581
Hi,

Better suggestion would be ask the users to log off the machine once they finished as this is a default behavior for some security reasons. If the current user doesn't log off the current session and shutdown the machine, it will act as the machine is locked and will look for the latest authentication and it says locked and only admin privileged users can unlock it.
0
 

Author Comment

by:lineonecorp
ID: 37798034
Thanks for all the tips.

 yo_bee:

Yo write:

"For testing you can also try using RD WEB.
if you have this bat file placed in the start up folder listed above this might give you one more layer of lockdown.

iexplore.exe -k "URL"

example iexplore.exe -k  "https://InternalRDService/RDWEB"

**** Why would this be one extra layer of lockdown?

You might want to remove the ability for standard users from using Ctrl + Alt + Del as well

**** How? Group Policy?

++++
 radhakrishnan2007:
You write:
Better suggestion would be ask the users to log off the machine once they finished as this is a default behavior for some security reasons. If the current user doesn't log off the current session and shutdown the machine, it will act as the machine is locked and will look for the latest authentication and it says locked and only admin privileged users can unlock it.

**** How would I implement this?
0
 
LVL 23

Accepted Solution

by:
yo_bee earned 400 total points
ID: 37798816
Note this suggestion is to leverage Remote Desktop Web.  This is another feature that is not enabled by default when adding Remote Desktop Services Role.  You may need to go back to Roles and add this.


**** Why would this be one extra layer of lockdown? ****
By running this you are setting the webpage to a full screen (like pressing F11), but the users will not be able to exit the full screen mode.
By doing this you removing the user's ability to navigate out to another area of the computer.

**** How? Group Policy?
The reason for this part is to restrict the users from accessing Task Manager so they cannot end the IE process or start another application if they know how.

How to set this option in Group Policy.  First and for most you must be running in a Domain infrastructure and not work group to be deploy Group Policies.
You can set the computer policy if you are not in a Domain infrastructure, but you will need to access each computer one by one to make these changes.

To edit in Group Policy:
On a Domain Controller or a Server/Workstations that has RSAT run GPMC.MSC
On a computer that is not a member of a Domain use GPEDIT.MSC

The setting you are looking for is Ctrl + Alt + Del
This is located user User Configuration > Administrative Templates > System > Ctrl + Alt +Del > Remove Task Manager {enabled}

Remove Task Manager
0
 

Author Comment

by:lineonecorp
ID: 37817476
Thanks for the additional info. Let me give it a try and get back to you.
0
 

Author Comment

by:lineonecorp
ID: 37840539
Having trouble freeing up time. I will close and when I get around to this and have any further questions will post then.  Thanks.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to install and use the NTBackup utility that comes with Windows Server.
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question