Solved

Terminal Services Manager

Posted on 2013-06-17
Last Modified: 2014-06-10
So, I have a 2008 R2 terminal server. It is also a domain controller. There are about 40 users connecting to it. 36 of them are lower level users and 4 of them are senior management. I have a user that will be assisting with supporting the 4 senior management users via terminal service manager or RD session manager as it is called in 2008. Here's the catch: when they open terminal services manager, that user can see ALL of the users connected to the server and can send them messages or shadow them, etc. I do not want this user to SEE any of the users in the lower level OU, just the users in the senior management OU. There are various reasons for this that I won't get into, and I know that I can set permissions on whether you need to require permissions to shadow another user, but what I need is a way to hide the lower level users from this support person and only allow him to see the sessions of the users in that specific OU. Any ideas???
Question by:nunyadamnbidness

Accepted Solution

by:
oBdA earned 500 total points
ID: 39255342
Sorry, that's not possible with RDS. You can only delegate what a user can do on the session host, but not for which users he's allowed to do this.
So if you really, really need this, you'll need to create your own RDS management application (with Visual Studio, HTA, PowerShell, whatever) that only displays the sessions based on the session user's group membership or AD location.
Note that this will still not prevent the delegated admin from using the default MMC, command line tools like query.exe, or his own scripts to access other sessions, because he'll still be allowed to do with all sessions whatever he is allowed to do with the senior management OU.
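The filtered session view suggested in the answer above, as an added PowerShell example that is not part of the original answer: it parses quser-style output and keeps only sessions whose user's distinguished name falls under a given OU. The function names, OU, domain, user names and sample lines are constructed for illustration, and the default resolver assumes the ActiveDirectory module (Get-ADUser) is installed.

```powershell
# Added example: show only sessions whose user sits under one OU.
# Display filter only: it does not restrict query.exe, the MMC or shadow rights.
function ConvertFrom-QUser {
    param([string[]]$Lines)
    # SESSIONNAME is blank for disconnected sessions, so that column is optional.
    $rx = '^[\s>]*(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>Active|Disc)\b'
    foreach ($line in $Lines) {
        if ($line -match $rx) {
            New-Object PSObject -Property @{
                User = $Matches['user']; Session = $Matches['session']
                Id   = [int]$Matches['id']; State = $Matches['state']
            }
        }
    }
}

function Select-SessionInOu {
    param(
        [object[]]$Sessions,
        [string]$OuDn,
        # Default resolver assumes the ActiveDirectory module is available.
        [scriptblock]$ResolveDn = { param($n) (Get-ADUser -Identity $n).DistinguishedName }
    )
    foreach ($s in $Sessions) {
        $dn = $null
        try { $dn = & $ResolveDn $s.User } catch { }
        # Fail closed: a user whose DN cannot be resolved is never listed.
        if ($dn -and $dn.EndsWith(",$OuDn", [StringComparison]::OrdinalIgnoreCase)) { $s }
    }
}

# Constructed sample data (not from the page): quser-style lines and a user-to-DN map.
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME',
    '>helpdesk1             rdp-tcp#3           2  Active          .  6/17/2013 8:01 AM',
    ' ceo                   rdp-tcp#5           3  Active          5  6/17/2013 8:15 AM',
    ' cfo                                       4  Disc         1:02  6/17/2013 7:45 AM',
    ' clerk07               rdp-tcp#9           5  Active          .  6/17/2013 8:20 AM'
)
$dnMap = @{
    ceo     = 'CN=ceo,OU=Senior Management,DC=example,DC=local'
    cfo     = 'CN=cfo,OU=Senior Management,DC=example,DC=local'
    clerk07 = 'CN=clerk07,OU=Staff,DC=example,DC=local'
}
$lookup = { param($n) $dnMap[$n] }

Select-SessionInOu -Sessions (ConvertFrom-QUser $sample) `
    -OuDn 'OU=Senior Management,DC=example,DC=local' -ResolveDn $lookup |
    Select-Object Id, User, State, Session
```

On the session host itself, pass the live output with `ConvertFrom-QUser (quser)` and omit `-ResolveDn` so the lookup goes to Active Directory.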
 

Author Comment

by:nunyadamnbidness
ID: 39256787
Thanks for the info. How about a 3rd party application? Have you heard of any? Anything to accomplish what I am trying to do.
 

Author Comment

by:nunyadamnbidness
ID: 39258320
Does anyone know of a way to accomplish this, such as VNC or other? The main problem I see is remoting from the server to another session on the same terminal server. Any ideas???

Expert Comment

by:oBdA
ID: 39258534
Nope, sorry, I don't know of any such application, which is why I suggested creating your own; this requirement is probably a bit too specific. With Citrix, you can specify which users are allowed to shadow which users, but the rest of the session control (view, logoff, ...) can only be delegated for all sessions in the farm as well, not depending on the targeted users.
What exactly is it that you want the supporting users (to be able) to actually do? So far, you've only said what you don't want them to do.
 

Author Comment

by:nunyadamnbidness
ID: 39260612
Thanks. I want them to be able to shadow other users for desktop support, but only users within the certain OU and not another OU.