Solved

Remote desktop user control SBS 2011

Posted on 2013-11-27
497 Views
Last Modified: 2014-01-09
Hi there, I want to setup the remote desktop users so they can only run one icon and have no access to the rest of the server?
Question by:grovenetsupport
17 Comments
 
LVL 6

Expert Comment

by:donnk
ID: 39680515
do you mean you want them to control their PC remotely via a single desktop icon ?

Author Comment

by:grovenetsupport
ID: 39680520
No, when they log on to the remote desktop they can only see and use one icon on the server, i.e. Sage accounts, and see nothing else.
LVL 6

Expert Comment

by:donnk
ID: 39680527
OK, so you are letting users log on to the actual server console using remote desktop?

This is not a good idea for many reasons. RWW in SBS is designed for the user to remote control their own desktop; you can then lock this desktop down like you are wanting to using GPOs.

Author Comment

by:grovenetsupport
ID: 39680539
I need it as above, as they don't have a PC to log on to. The RDP works fine; I just want to lock them down to only use one program.
LVL 6

Expert Comment

by:donnk
ID: 39680545
My advice would be to run a VM of Windows 7 on the server using something like VirtualBox or VMware Workstation, join it to the domain and let the user(s) connect to that.

You are never going to be able to lock down the server to run Sage, as it will require access to the C drive to run, which means the user will have full access as well. Very bad idea on many, many levels: a user accidentally shutting down the server instead of logging off, for example.

Author Comment

by:grovenetsupport
ID: 39680553
This is the whole point of locking him out of everything bar logoff and one program. This can be done, so I will wait for more advice. We have done it before on earlier versions of SBS.
LVL 77

Expert Comment

by:Rob Williams
ID: 39682032
You are also violating the SBS licensing agreement. Remote access to the server is for management/administration of the server only. Remote access to use the server to run applications is not allowed, nor is the server optimized for doing so, not to mention the security risks.
LVL 77

Expert Comment

by:Rob Williams
ID: 39682126
Sometimes "you can't do that" is the correct answer.

You could create a user account that has only one icon on the desktop, but as donnk has pointed out, if you were to restrict their access to %systemroot% (effectively the C drive) they could not run the application. If not restricting, they could easily get around any simple defenses in place.

To add to that:
-as I mentioned, it is a licensing violation to use the server in this manner.
-domain controllers are optimized for running background applications and services, not for running user applications; that is what terminal servers and application servers are for
-installations of applications on a domain controller have different permissions than on a PC, thus if you were to restrict the user, i.e. not an admin, they may also not be able to run the application

The correct answer is, as donnk suggested, to create a physical or virtual machine to run the Sage application. If creating a VM on the SBS, be very careful, as any method such as Hyper-V that creates a virtual NIC will break SBS services such as DHCP. Some VMware apps may work but are not officially supported on SBS. In an ideal world you are best to buy a Server 2012 license, which allows you to create a virtual host, virtualize your SBS and add a virtual Server 2012 as a terminal server. Keep in mind accessing any machine remotely, other than a PC through Remote Web Access, also requires User and RDS CALs.
LVL 77

Expert Comment

by:Rob Williams
ID: 39684239
>>"but if you actually read the question Sage was put after i.e. which means for example. "

Matthew, I am sorry, but this looks like it was incomplete, or I don't understand what you are trying to say. Glad to try to help further if we can, but seriously, it is not possible to truly lock down as you wish, and accessing the server to run applications is a violation of the licensing agreement.

If you would like to explain further, I am glad to follow up.

However, if complete, donnk does deserve to be awarded the correct answer, as he/she said it wasn't possible and suggested a good alternative. I know the response is not what you were hoping for, but Experts-Exchange used to have the following in their help/support pages, though I am unable to find it in the revised version: "The correct answer to some questions is "You can't do that." Sometimes, you will get an answer that isn't what you want to read, but it still may be the correct answer, and you should award points to the Expert that gave you that answer." http://www.experts-exchange.com/help.jsp
LVL 57

Expert Comment

by:Cliff Galiher
ID: 39687030
Then let me be yet another expert who has read the entire thread and says "you cannot do that."

I don't care if you've done it with other versions of SBS in the past. I know people who have stolen cars in the past too. Doesn't make it legal.

SBS cannot legally be used for end user applications. Full stop. You can't LEGALLY do that, and you shouldn't do that, and if you want to break the law, you are way out of line telling others they missed the point or are wrong for refusing to help you break the law.

The RIGHT way to do this is to give the users client PCs that they can access via RWW, or to set up a second server to run Remote Desktop Services (also known as Terminal Services) for end users. That requires a server license *and* TS/RDS CALs. You can't freeload and try to get that functionality on the cheap by breaking SBS licensing.

Even Microsoft documents this:

http://technet.microsoft.com/en-us/library/dd262139(v=WS.10).aspx
LVL 77

Expert Comment

by:Rob Williams
ID: 39687195
In an effort to remain civil: you keep mentioning we did not read the question or ask the right questions. Could you please advise what we are missing so that we may help you? Are we not correct in believing:
 -You wish to access the SBS using remote desktop
 -You want to run a Sage application using the RDP session
 -You want to block access to the system files and all resources except the Sage application
 -You do not wish to pay any additional fees

Our answers have been based on those assumptions. Please add any additional information we are missing so that we may better assist you.

Author Comment

by:grovenetsupport
ID: 39687285
I used Sage as an example, which I tried to explain, as we have a need for a client who wants a remote staff member to access Active Directory to manage users but have no access to anything else.
LVL 77

Expert Comment

by:Rob Williams
ID: 39687309
That is quite a different 'kettle of fish'. It would have been good to have the details.

You can't limit them completely, but you can create a basic user (not a domain admin) and grant them delegation rights to control a particular OU in Active Directory. By right-clicking on the OU you will see an option "Delegate Control" which will start a wizard that allows you to add and configure the user's rights. However, when doing so you would usually have the user access with the RSAT tools (Remote Server Administration Tools) from a PC. By allowing them to RDP directly to the server you lose most of the control.

You could use the SBS VPN client and they could run the RSAT tools from the remote PC, if you don't have a LAN PC they can use.

RSAT tools are specific to the O/S and even SP level. Win7 SP1 can be found at:
http://www.microsoft.com/en-ca/download/details.aspx?id=7887
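The "Delegate Control" wizard described in the comment above writes access control entries onto the OU; the same result can be produced with PowerShell, which is easier to review and repeat than clicking through the wizard. The following is an added example, not code from the thread or from Microsoft; it assumes an OU named OU=Staff,DC=example,DC=local and a delegate group named OU-Staff-Managers (put the remote staff member's ordinary, non-admin account in that group). It uses the ActiveDirectory module that ships with SBS 2011 / Server 2008 R2 and the two well-known GUIDs for the "user" object class and the "Reset Password" control access right. Run it once as a Domain Admin on the DC.

```powershell
# Added example: delegate user management on one OU to a non-admin group.
# Assumed names (not from the thread): the OU DN and the group below.
Import-Module ActiveDirectory

$ouDn      = "OU=Staff,DC=example,DC=local"   # assumed OU to delegate
$groupName = "OU-Staff-Managers"               # assumed delegate group

# Fixed, forest-independent GUIDs
$userClass     = [guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of class 'user'
$resetPwdRight = [guid]"00299570-246d-11d0-a768-00aa006e0529"  # 'Reset Password' extended right

$sid   = (Get-ADGroup -Identity $groupName).SID
$acl   = Get-Acl -Path "AD:\$ouDn"
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$all   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# 1. Create and delete user objects in this OU and any sub-OU
$createDelete = [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild"
$ace1 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $createDelete, $allow, $userClass, $all)

# 2. Modify attributes of existing user objects below the OU (not of the OU itself)
$write = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite
$ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $write, $allow, $desc, $userClass)

# 3. Reset passwords, scoped to descendant objects of class 'user' only
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$ace3 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $extended, $allow, $resetPwdRight, $desc, $userClass)

$acl.AddAccessRule($ace1)
$acl.AddAccessRule($ace2)
$acl.AddAccessRule($ace3)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: show only the ACEs that now belong to the delegate group
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Every entry is scoped to the OU and to objects of class user, so the delegate cannot touch Domain Admins, other OUs or the server itself; a domain user whose only extra rights are these three ACEs also has no "Allow log on through Remote Desktop Services" right on a domain controller by default, which is why the practical pairing is this delegation plus RSAT (Active Directory Users and Computers) on a PC or VPN client rather than an RDP session to the SBS. If the delegation later needs to be removed, build the same three rules and call RemoveAccessRule on the ACL before Set-Acl.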
LVL 77

Expert Comment

by:Rob Williams
ID: 39687358
PS - I suspect some of the confusion comes from (post ID: 39683343):
 i.e. means "in other words"
 e.g. means "for example"

Author Comment

by:grovenetsupport
ID: 39687417
My apologies for getting upset, but sometimes people start spouting off without asking the right questions. The first guy to respond hacked me off with his reply, so again my apologies.
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 39687452
I think everyone responded correctly based on the information that had been provided at that point. There really were not a lot of specifics provided. However, perhaps delegation of control is more what you were looking for.
