Solved

Remote desktop user control SBS 2011

Posted on 2013-11-27
487 Views
Last Modified: 2014-01-09
Hi there, I want to set up the remote desktop users so they can only run one icon and have no access to the rest of the server?
Question by:grovenetsupport
17 Comments
 
LVL 6

Expert Comment

by:donnk
ID: 39680515
Do you mean you want them to control their PC remotely via a single desktop icon?

Author Comment

by:grovenetsupport
ID: 39680520
No, when they log on to the remote desktop they can only see and use one icon on the server, i.e. Sage Accounts, and see nothing else.
 
LVL 6

Expert Comment

by:donnk
ID: 39680527
OK, so you are letting users log on to the actual server console using remote desktop?

This is not a good idea for many reasons. RWW in SBS is designed for the user to remote control their own desktop; you can then lock this desktop down like you are wanting to, using GPOs.
 

Author Comment

by:grovenetsupport
ID: 39680539
I need it as above, as they don't have a PC for them to log on to. The RDP works fine; I just want to lock them down to only use one program?
LVL 6

Expert Comment

by:donnk
ID: 39680545
My advice would be to run a VM of Windows 7 on the server using something like VirtualBox or VMware Workstation, join it to the domain and let the user/s connect to that.

You are never going to be able to lock down the server to run Sage, as it will require access to the C drive to run, which means the user will have full access as well. Very bad idea on many, many levels. A user accidentally shutting down the server instead of logging off, for example.
 

Author Comment

by:grovenetsupport
ID: 39680553
This is the whole point of locking him out of everything bar logoff and one program. This can be done, so I will wait for more advice. We have done it before on earlier versions of SBS.
LVL 77

Expert Comment

by:Rob Williams
ID: 39682032
You are also violating the SBS licensing agreement. Remote access to the server is for management/administration of the server only. Remote access to use the server to run applications is not allowed, nor is the server optimized for doing so, not to mention the security risks.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39682126
Sometimes "you can't do that" is the correct answer.

You could create a user account that has only one icon on the desktop, but as donnk has pointed out, if you were to restrict their access to %systemroot% (effectively the C drive) they could not run the application. If not restricting, they could easily get around any simple defenses in place.

To add to that:
- as I mentioned, it is a licensing violation to use the server in this manner.
- domain controllers are optimized for running background applications and services, not for running applications; that is what terminal servers and application servers are for.
- installations of applications on a domain controller have different permissions than on a PC, thus if you were to restrict the user, i.e. not an admin, they may also not be able to run the application.

The correct answer is, as donnk suggested, to create a physical or virtual machine to run the Sage application. If creating a VM on the SBS be very careful, as any method such as Hyper-V that creates a virtual NIC will break SBS services such as DHCP. Some VMware apps may work but are not officially supported on SBS. In an ideal world you are best to buy a Server 2012 license, which allows you to create a virtual host, virtualize your SBS and add a virtual Server 2012 as a terminal server. Keep in mind accessing any machine remotely, other than a PC through Remote Web Access, also requires User and RDS CALs.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39684239
>>"but if you actually read the question Sage was put after i.e. which means for example."

Matthew, I am sorry, but this looks like it was incomplete, or I don't understand what you are trying to say. Glad to try to help further if we can, but seriously it is not possible to truly lock down as you wish, and accessing the server to run applications is a violation of the licensing agreement.

If you would like to explain further, I am glad to follow up.

However, if complete, donnk does deserve being awarded as the correct answer, as he/she said it wasn't possible and suggested a good alternative. I know the response is not what you were hoping for, but Experts-Exchange used to have the following in their help/support pages (I am unable to find it in the revised version): "The correct answer to some questions is 'You can't do that.' Sometimes, you will get an answer that isn't what you want to read, but it still may be the correct answer, and you should award points to the Expert that gave you that answer." http://www.experts-exchange.com/help.jsp
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 39687030
Then let me be yet another expert who has read the entire thread and says "you cannot do that."

I don't care if you've done it with other versions of SBS in the past. I know people who have stolen cars in the past too. Doesn't make it legal.

SBS cannot legally be used for end user applications. Full stop. You can't LEGALLY do that, and you shouldn't do that, and if you want to break the law, you are way out of line telling others they missed the point or are wrong for refusing to help you break the law.

The RIGHT way to do this is to give the users client PCs that they can access via RWW, or to set up a second server to run Remote Desktop Services (also known as Terminal Services) for end users. That requires a server license *and* TS/RDS CALs. You can't freeload and try to get that functionality on the cheap by breaking SBS licensing.

Even Microsoft documents this:

http://technet.microsoft.com/en-us/library/dd262139(v=WS.10).aspx
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39687195
In an effort to remain civil, you keep mentioning we did not read the question or ask the right questions.  Could you please advise what we are missing so that we may help you?  Are we not correct in believing:
 -You wish to access the SBS using remote desktop
 -You want to run a Sage application using the RDP session
 -You want to block access to the system files and all resources except the Sage application
 -You do not wish to pay any additional fees

Our answers have been based on those assumptions.  Please add any additional information we are missing so that we may better assist you.

Author Comment

by:grovenetsupport
ID: 39687285
I used Sage as an example, which I tried to explain, as we have a need for a client who wants a remote staff member to access Active Directory to manage users but have no access to anything else.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39687309
That is quite a different 'kettle-of-fish'.  It would have been good to have the details.

You can't limit them completely, but you can create a basic user (not a domain admin) and grant them delegation rights to control a particular OU in Active Directory. By right-clicking on the OU you will see an option "Delegate Control" which will start a wizard that allows you to add and configure the user's rights. However, when doing so you would usually have the user access with the RSAT tools (Remote Server Administration Tools) from a PC. By allowing them to RDP directly to the server you lose most of the control.

You could use the SBS VPN client and they could run the RSAT tools from the remote PC, if you don't have a LAN PC they can use.

RSAT tools are specific to the O/S and even SP level. Win7 SP1 can be found at:
http://www.microsoft.com/en-ca/download/details.aspx?id=7887
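The OU delegation Rob describes, scripted, as an added example that is not part of the thread: it grants a non-admin group the rights to create, delete, reset passwords on and edit user objects in one OU only (the scripted counterpart of the Delegate Control wizard he mentions), then lists the resulting ACEs so the scope can be checked. The OU, domain and group names are assumptions.

```powershell
# Added example (not from the thread): delegate user management on one OU to a
# non-admin group with the ActiveDirectory module (RSAT-AD-PowerShell, present on
# the Server 2008 R2 base of SBS 2011). OU, domain and group names are assumptions.
Import-Module ActiveDirectory

$ouDN      = "OU=Remote Staff,DC=contoso,DC=local"   # assumed OU to delegate
$groupName = "RemoteStaff-UserAdmins"                # assumed delegation group
$group     = Get-ADGroup -Identity $groupName

# Resolve the schema GUIDs from the directory rather than hard-coding them.
$rootDse   = Get-ADRootDSE
$userClass = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter "(lDAPDisplayName=user)" -Properties schemaIDGUID).schemaIDGUID
$resetPwd  = [guid](Get-ADObject `
    -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter "(displayName=Reset Password)" -Properties rightsGuid).rightsGuid

$ADRights     = [System.DirectoryServices.ActiveDirectoryRights]
$allow        = [System.Security.AccessControl.AccessControlType]::Allow
$onOu         = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$onChildren   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$createDelete = $ADRights::CreateChild -bor $ADRights::DeleteChild

$acl = Get-Acl -Path "AD:\$ouDN"

# 1. Create and delete user objects directly under the OU (ACE sits on the OU itself).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID, $createDelete, $allow, $userClass, $onOu)))

# 2. "Reset Password" extended right on every user object below the OU.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID, $ADRights::ExtendedRight, $allow, $resetPwd, $onChildren, $userClass)))

# 3. Write properties of user objects below the OU (unlock, edit attributes).
#    Nothing is granted on other OUs, on the domain, or on the server itself.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID, $ADRights::WriteProperty, $allow, $onChildren, $userClass)))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: the group should now hold exactly the three ACEs above on this OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Run it once as a domain admin from a management PC with RSAT; the delegated staff member then uses ADUC/RSAT over the SBS VPN as Rob describes, with no RDP logon to the server needed.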
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39687358
PS - I suspect some of the confusion comes from (post ID: 39683343):
 i.e. means "in other words"
 e.g. means "for example"

Author Comment

by:grovenetsupport
ID: 39687417
My apologies for getting upset, but sometimes people start spouting off without asking the right questions. The first guy to respond hacked me off with his reply, so again my apologies.
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 39687452
I think everyone responded correctly based on the information that had been provided at that point. There really were not a lot of specifics provided. However, perhaps the delegation control is more what you were looking for.