Solved

Remote Desktop Services Session Desktop - Hide Local Drives

Posted on 2013-11-01
21
8,278 Views
Last Modified: 2013-11-08
We've just had a new Windows 2012 Server installed and I'm trying to get Remote Desktop Services set up on it.

The Roles have been added and I'm able to log on using RDWeb and I can publish Remote Apps or see a session desktop, so far so good.

We have no VPN at the moment so my ultimate plan is to set up a suite of applications on the RDS server so users can log in and access files remotely within a session desktop. The thing I need to figure out is how to restrict their access to network drives and not give them access to things like local drives and control panel.

I could use Remote App mode which I have tested successfully but even then at present they can navigate to the C:\ in the Open/Save dialogs.

My question is therefore, how can I properly restrict this access?

I understand it's all through group policy but I'm certainly no expert in this. I obviously don't want to restrict any actions for the actual domain administrator log on but would like to apply a GPO to this server only for remote desktop users.

Our DCs are Windows 2008 so I'm using GPO Management on 2008 to manage a 2012 server, this should work ok right?

I tried adding the server to an OU then applying the user policy in a GPO but this obviously didn't work. I'm just not sure the best way to apply the GPO to users but at the same time limit it to just this machine, is the Remote Desktop Users group something I should be looking at? Sounds obvious when I think now but it's a local group and I can't work out how to apply a GPO to it.

Any help appreciated.
Question by: hfcit
21 Comments
 

Author Comment

by:hfcit
ID: 39616724
UPDATE:

I've added a new OU and moved the RDS server to it. I've created a new GPO and linked it here and configured the policies including the loopback setting; in fact I followed these instructions...

http://nikoscloud.wordpress.com/2013/04/23/how-to-secure-your-remote-desktop-server-with-gpo/

I added a user to the group Remote Desktop Users and filtered the GPO to this group but I've still got nothing. I must be missing something obvious, help.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39616995
Hi.

Set ACLs on local drives/folders. It is not possible not to show those drives - but they won't be able to access them.
As for network drives: apply firewall rules.
Control panel: leave it as is - not useful to restrict it as users cannot do system wide changes anyway.
0
 

Author Comment

by:hfcit
ID: 39629065
Thanks, I might try that but I know it is possible to hide the drives, at least from Explorer.

I guess my question is now more Group Policy than RDS.

The Administrative Template for Windows Explorer has an entry "Hide these drives from Windows Explorer". It's that I want to set but for some reason it's not applying on the new Windows 2012 server.

Is there something I need to do to get it to apply? Also when RDS users log on, should the GPO be filtered to their user account or a generic Remote Users or TS account?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39629550
Please tell us: would you want to block access or would you like to hide. Or both?
Hiding alone (using the policies you mention) does not mean they cannot access those drives as the policies' descriptions clearly state.
0
 

Author Comment

by:hfcit
ID: 39629575
Well there's also "Prevent access to the following drives..." but no, hiding is fine.

I can set the permissions, and besides I'd imagine that they would need some access somewhere in the background in order for programs to run in the first place. I just want to prevent accidental saving of documents to local drives on the server and make it as easy as possible to correctly save to and open from network drives.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39629619
I see.

Please explain: "Hide these drives from Windows Explorer". It's that I want to set but for some reason it's not applying on the new Windows 2012 server" - what does that not-applying look like? Does rsop.msc say it is applied, or not?
0
 

Author Comment

by:hfcit
ID: 39629653
No it doesn't.

It's reporting other GPOs applied to the Users OU correctly, I have one for Site to Zone Assignment in IE, and another that creates a shortcut on certain users desktops which is working correctly when logging onto RDWeb.

The only difference at the moment is that the RDS policy that I've set up to disable control panel and hide drives is set to the OU that I've set up for the server then filtered by user, in this instance just me. Could this be where it's going wrong? Is it possible to add a GPO to the Users OU but only have it apply to remote users logging on to this specific server?

Forgive my ignorance, I'm fairly new to group policy, thought I had it sussed but obviously not, I'm working on it.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39629674
User config settings of policies apply only to user objects, computer config settings to computer objects... that said, is your setting linked correctly?
0
 

Author Comment

by:hfcit
ID: 39629766
As far as I'm aware, yes.

The complete summary is as follows.

I have a server sat on its own in an OU called Member Servers.
A GPO called Remote Desktop Policy is linked to this OU - reports as such in the Scope tab.
The GPO is applied only to my network account using the Security Filtering section of the scope tab.
The GPO contains Computer Configuration and User Configuration Policies.

It's the User policies that I want though I understand now that they won't apply to computer objects but to test it I added a Computer Configuration policy in Windows Settings>Security Settings>Event Log>Maximum Application Log Size.
RSOP does not report this setting as applied, it still states "Not Defined" when I drill down through the results.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39629857
After changing settings, the computer will apply them
- every 90 minutes
- at reboot
- after a manually executed command gpupdate /force /target:computer [attention: needs to be executed elevated]

The user will apply settings at next logon, every 90 mins or after gpupdate /force /target:user as well.

So please do gpupdate.
0
 

Author Comment

by:hfcit
ID: 39629950
gpupdate ran ok but I'm not seeing any change.

According to RSOP my test policy is not applied on either the actual desktop login of administrator or the remote desktop using my account and RDWeb.

I've filtered it to my account so I'd expect the first but I'm still unsure why the second doesn't seem to work.

Could it be that I'm asking it to do something which isn't possible? i.e. apply settings to a computer but only when a certain user is logged on remotely? Does the actual desktop login take precedence? If the computer configuration only applies at reboot, when I log in using RDS it doesn't then apply.

I know that GPOs are being applied, when logging in using RDWeb I see Applying Group Policy (or similar) appear after preparing your desktop etc.

GPOs that are linked to the Users OU seem to work. Is that worth pursuing? Can I create a GPO in an OU containing users and filter it to only apply to those logging on to this server, remotely or otherwise?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39630015
>  i.e. apply settings to a computer but only when a certain user is logged on remotely?
Right, that is not possible. The other way round, apply settings to a user, only when that user is logged on to a dedicated computer, that's possible and is called GPO loopback processing mode, but not this way round.
0
 

Author Comment

by:hfcit
ID: 39630486
Sure, the second one is fine.

I've read a solution involving Loopback processing mode and that is already enabled on the RDS test GPO that I've used.

Server is in Member Servers OU
GPO "Remote Desktop Policy" is linked here
GPO filtered to just apply to my network account
GPO contains Computer Configuration>Policies>Administrative Templates>System>Group Policy>User Group Policy Loopback Processing Mode

I thought I had it but I'm obviously not using it correctly.

If I apply the settings to my user account, how do I get it to only apply to that specific computer/server?
0
 

Author Comment

by:hfcit
ID: 39630545
If I remove the filtering and add "authenticated users" I get the computer configuration when logging on remotely with my account, but I also get it locally with the administrator's account; the settings appear in RSOP on both desktops.

It seems to be applying the computer configuration to all users but as soon as I put the filtering back on and pick a specific account, it stops working.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39631767
Sorry, reading back and forth I lose track. You should sum it up again while I try to clear it up once more. Please try to ask one question by one or I cannot follow, I'm afraid.

> If I apply the settings to my user account, how do I get it to only apply to that specific computer/server?
Please use the terms computer config and user config and tell me where it is linked to: user objects or computers? The question I quoted is not clear at all.
0
 

Author Comment

by:hfcit
ID: 39633243
The question above should then read...

If I apply the user config to an OU containing my account object, how can I get it to apply only to one specific computer, i.e. the server hosting Remote Desktop Services?
0
 

Author Comment

by:hfcit
ID: 39633259
So there's no confusion I'll summarise it again.

Server is in "Member Servers" OU
GPO "Remote Desktop Policy" is linked to this OU and enabled
GPO contains Computer Config including User Group Policy Loopback Processing Mode
GPO contains User Config including Hide These Drives & Prohibit Access to the Control Panel

When the security filtering for the GPO is applied to "Authenticated Users", the computer config is applied, but at present the User Config is not.

When the security filtering for the GPO is applied to an individual account or group neither the Computer Config nor User Config is applied.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39633361
Whenever a server applies the GPO with the loopback setting, from then on, the GPOs normally applying to the users that logon will no longer be applied but instead the user settings of the policy with the loopback setting. This policy needs to be linked to the OU with the server in it.

That's all I can help out with.
0
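To see which half of a loopback GPO like the one summarised above actually reached the server, this added PowerShell check (not from the thread or from either poster) reads the registry values that the three policies in question write: the loopback mode set by the Computer Config, and the NoDrives / NoViewOnDrive masks set by the User Config. Run it on the RDS server inside the remote session you are testing; the registry paths are the documented targets of those policies, and no sample values are assumed.

```powershell
# Added example: report what "User Group Policy Loopback Processing Mode",
# "Hide these drives" and "Prevent access to the following drives" left behind.
$loopbackKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is "Not Configured"
    # or its GPO never applied to this computer/user.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function ConvertFrom-DriveMask {
    param([int]$Mask)
    # Both drive policies store a 26-bit mask: bit 0 = A:, bit 1 = B:, bit 2 = C: ...
    $letters = 0..25 | Where-Object { ($Mask -band (1 -shl $_)) -ne 0 } |
        ForEach-Object { '{0}:' -f [char](65 + $_) }
    if ($letters) { return ($letters -join ' ') }
    return '(none)'
}

# Computer Config half: loopback mode (1 = Merge, 2 = Replace)
$mode = Get-PolicyValue -Path $loopbackKey -Name 'UserPolicyMode'
if ($null -eq $mode) {
    Write-Output 'Loopback: NOT configured - the Computer Config of the GPO did not apply.'
    # Loopback is a computer setting, so the server's computer account needs
    # Read and Apply Group Policy on the GPO; security filtering that lists
    # only a user account leaves the computer without them.
} elseif ($mode -eq 1) {
    Write-Output 'Loopback: Merge'
} elseif ($mode -eq 2) {
    Write-Output 'Loopback: Replace'
} else {
    Write-Output "Loopback: unexpected value $mode"
}

# User Config half: what this session's user actually received
$hidden  = Get-PolicyValue -Path $explorerKey -Name 'NoDrives'
$blocked = Get-PolicyValue -Path $explorerKey -Name 'NoViewOnDrive'
if ($null -eq $hidden)  { Write-Output 'Hide these drives: not applied to this user' }
else { Write-Output ('Hidden in Explorer: ' + (ConvertFrom-DriveMask $hidden)) }
if ($null -eq $blocked) { Write-Output 'Prevent access to drives: not applied to this user' }
else { Write-Output ('Access blocked: ' + (ConvertFrom-DriveMask $blocked)) }
```

Run it once in a local administrator session and once in the RDS session: loopback present in both but drive masks only in the RDS session is the outcome the GPO is meant to produce.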
 

Author Comment

by:hfcit
ID: 39633403
That's exactly what I've done.

The problem is that I can't seem to then filter it to apply to everyone but the administrator. The security filtering isn't working to the point that nothing gets applied when I use it. When I don't the GPO is applied, but to everyone logging on, administrator included.

Thanks anyway.
0
 
LVL 53

Accepted Solution

by: McKnife (earned 500 total points)
ID: 39633519
I see.
But you could use MLGPOs right at the Server for your hiding. Those can be set to only apply to certain Groups of users. http://technet.microsoft.com/de-de/library/cc766291(v=ws.10).aspx
0
 

Author Comment

by:hfcit
ID: 39633823
Thanks, that looks like it might work, I'll look into it.

Everything's working now but only for "Authenticated Users", never mind.
0
