grovenetsupport
Remote desktop user control SBS 2011

Hi there, I want to set up the remote desktop users so they can only run one icon and have no access to the rest of the server?
donnk

Do you mean you want them to control their PC remotely via a single desktop icon?
grovenetsupport (asker)

No, when they log on to the remote desktop they can only see and use one icon on the server, i.e. Sage Accounts, and see nothing else.
OK, so you are letting users log on to the actual server console using remote desktop?

This is not a good idea for many reasons. RWW in SBS is designed for the user to remote control their own desktop; you can then lock this desktop down like you are wanting to using GPOs.
I need it as above, as they don't have a PC to log on to. The RDP works fine; I just want to lock them down so they can only use one program?
My advice would be to run a VM of Windows 7 on the server using something like VirtualBox or VMware Workstation, join it to the domain and let the user/s connect to that.

You are never going to be able to lock down the server to run Sage, as it will require access to the C drive to run, which means the user will have full access as well. Very bad idea on many, many levels: a user accidentally shutting down the server instead of logging off, for example.
This is the whole point of locking him out of everything bar logoff and one program. This can be done, so I will wait for more advice. We have done it before on earlier versions of SBS.
Rob Williams
You are also violating the SBS licensing agreement. Remote access to the server is for management/administration of the server only. Remote access to use the server to run applications is not allowed, nor is the server optimized for doing so, not to mention the security risks.
Sometimes "you can't do that" is the correct answer.

You could create a user account that has only one icon on the desktop, but as donnk has pointed out, if you were to restrict their access to %systemroot% (effectively the C drive) they could not run the application. If not restricted, they could easily get around any simple defenses in place.

To add to that:
- As I mentioned, it is a licensing violation to use the server in this manner.
- Domain controllers are optimized for running background applications and services, not for running applications; that is what terminal servers and application servers are for.
- Installations of applications on a domain controller have different permissions than on a PC, thus if you were to restrict the user, i.e. not an admin, they may also not be able to run the application.

The correct answer is, as donnk suggested, to create a physical or virtual machine to run the Sage application. If creating a VM on the SBS, be very careful, as any method such as Hyper-V that creates a virtual NIC will break SBS services such as DHCP. Some VMware apps may work but are not officially supported on SBS. In an ideal world you are best to buy a Server 2012 license, which allows you to create a virtual host, virtualize your SBS and add a virtual Server 2012 as a terminal server. Keep in mind that accessing any machine remotely, other than a PC through Remote Web Access, also requires User and RDS CALs.
>> "but if you actually read the question Sage was put after i.e. which means for example."

Matthew, I am sorry, but this looks like it was incomplete, or I don't understand what you are trying to say. Glad to try to help further if we can, but seriously, it is not possible to truly lock down as you wish, and accessing the server to run applications is a violation of the licensing agreement.

If you would like to explain further, I am glad to follow up.

However, if complete, donnk does deserve to be awarded the correct answer, as he/she said it wasn't possible and suggested a good alternative. I know the response is not what you were hoping for, but Experts-Exchange used to have the following in their help/support pages, though I am unable to find it in the revised version: "The correct answer to some questions is 'You can't do that.' Sometimes, you will get an answer that isn't what you want to read, but it still may be the correct answer, and you should award points to the Expert that gave you that answer." https://www.experts-exchange.com/help.jsp
Then let me be yet another expert who has read the entire thread and says "you cannot do that."

I don't care if you've done it with other versions of SBS in the past. I know people who have stolen cars in the past too. Doesn't make it legal.

SBS cannot legally be used for end user applications. Full stop. You can't LEGALLY do that, and you shouldn't do that, and if you want to break the law, you are way out of line telling others they missed the point or are wrong for refusing to help you break the law.

The RIGHT way to do this is to give the users client PCs that they can access via RWW, or to set up a second server to run Remote Desktop Services (also known as Terminal Services) for end users. That requires a server license *and* TS/RDS CALs. You can't freeload and try to get that functionality on the cheap by breaking SBS licensing.

Even Microsoft documents this:

http://technet.microsoft.com/en-us/library/dd262139(v=WS.10).aspx
In an effort to remain civil: you keep mentioning that we did not read the question or ask the right questions. Could you please advise what we are missing so that we may help you? Are we not correct in believing:
- You wish to access the SBS using remote desktop
- You want to run a Sage application using the RDP session
- You want to block access to the system files and all resources except the Sage application
- You do not wish to pay any additional fees

Our answers have been based on those assumptions. Please add any additional information we are missing so that we may better assist you.
I used Sage as an example, which I tried to explain, as we have a need for a client who wants a remote staff member to access Active Directory to manage users but have no access to anything else.
That is quite a different kettle of fish. It would have been good to have the details.

You can't limit them completely, but you can create a basic user (not a domain admin) and grant them delegation rights to control a particular OU in Active Directory. By right-clicking on the OU you will see an option "Delegate Control" which will start a wizard that allows you to add and configure the user's rights. However, when doing so you would usually have the user access with the RSAT tools (Remote Server Administration Tools) from a PC. By allowing them to RDP directly to the server you lose most of the control.

You could use the SBS VPN client and they could run the RSAT tools from the remote PC, if you don't have a LAN PC they can use.

RSAT tools are specific to the O/S and even SP level. The Win7 SP1 version can be found at:
http://www.microsoft.com/en-ca/download/details.aspx?id=7887
PS - I suspect some of the confusion comes from (post ID: 39683343):
- i.e. means "in other words"
- e.g. means "for example"
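The OU-scoped delegation described above, as an added example that is not part of the thread: the kind of grant the "Delegate Control" wizard produces, written out in PowerShell so each right is reviewable, followed by an audit of what the account ended up with. The domain EXAMPLE (DC=example,DC=local), the OU "Remote Staff" and the account "remoteadmin" are assumed names.

```powershell
# Added example (not from the thread). Grants a non-admin account two
# narrowly scoped rights on user objects under one OU, then audits the
# result. Assumed names: domain EXAMPLE / DC=example,DC=local,
# OU "Remote Staff", delegated account "remoteadmin".
Import-Module ActiveDirectory

$ou       = "OU=Remote Staff,DC=example,DC=local"   # assumed OU
$delegate = "EXAMPLE\remoteadmin"                   # assumed non-admin account
$sid      = (Get-ADUser -Identity "remoteadmin").SID

# Fixed AD schema GUIDs: the User object class and the
# "Reset Password" extended right.
$userClass = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"
$resetPwd  = [Guid]"00299570-246d-11d0-a768-00aa006e0529"

$acl = Get-Acl -Path "AD:\$ou"

# 1. Reset passwords, but only on user objects that descend from this OU.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwd,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)))

# 2. Read and write properties of those user objects (edit attributes, unlock).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]"ReadProperty, WriteProperty",
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)))

Set-Acl -Path "AD:\$ou" -AclObject $acl

# Audit: show exactly what the delegated account can do on this OU, so the
# grant can be confirmed to stop at the OU and at user objects, not the domain.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $delegate } |
    Select-Object ActiveDirectoryRights, AccessControlType, InheritanceType,
                  ObjectType, InheritedObjectType
```

Run from a domain-joined PC with RSAT, as an account permitted to modify the OU's security descriptor; the delegated account itself never needs to log on to the server.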
My apologies for getting upset, but sometimes people start spouting off without asking the right questions. The first guy to respond hacked me off with his reply, so again, my apologies.
ASKER CERTIFIED SOLUTION
Rob Williams