Remote Desktop Services Session Desktop - Hide Local Drives
Posted on 2013-11-01
We've just had a new Windows 2012 Server installed and I'm trying to get Remote Desktop Services set up on it.
The Roles have been added and I'm able to log on using RDWeb and I can publish Remote Apps or see a session desktop, so far so good.
We have no VPN at the moment so my ultimate plan is to set up a suite of applications on the RDS server so users can log in and access files remotely within a session desktop. The thing I need to figure out is how to restrict their access to network drives and not give them access to things like local drives and control panel.
I could use Remote App mode which I have tested successfully but even then at present they can navigate to the C:\ in the Open/Save dialogs.
My question is therefore, how can I properly restrict this access?
I understand it's all through group policy but I'm certainly no expert in this. I obviously don't want to restrict any actions for the actual domain administrator log on but would like to apply a GPO to this server only for remote desktop users.
Our DCs are Windows 2008 so I'm using GPO Management on 2008 to manage a 2012 server, this should work ok right?
I tried adding the server to an OU then applying the user policy in a GPO but this obviously didn't work. I'm just not sure the best way to apply the GPO to users but at the same time limit it to just this machine, is the Remote Desktop Users group something I should be looking at? Sounds obvious when I think now but it's a local group and I can't work out how to apply a GPO to it.
Any help appreciated.