Remote desktop user control SBS 2011

Hi there, I want to setup the remote desktop users so they can only run one icon and have no access to the rest of the server?
grovenetsupportAsked:
donnkCommented:
do you mean you want them to control their PC remotely via a single desktop icon ?
grovenetsupportAuthor Commented:
No when they logon to the remote desktop they can only see and use one icon on the server i.e. Sage accounts and see nothing else
donnkCommented:
ok, so you are letting users logon to the actual server console using remote desktop ?

This is not a good idea for many reasons. RWW in SBS is designed for the user to remote control their own desktop; you can then lock this desktop down like you are wanting to using GPOs.
grovenetsupportAuthor Commented:
I need as above as they don't have a PC for them to logon to. The RDP works fine I just want to lock them out to only use one program?
donnkCommented:
My advice would be to run a VM of Windows 7 on the server using something like VirtualBox or VMware Workstation, join it to the domain and let the user/s connect to that.

You are never going to be able to lock down the server to run sage as it will require access to the C drive to run which means the user will have full access as well. Very bad idea on many many levels. User accidentally shutting down the server for example instead of logging off.
grovenetsupportAuthor Commented:
This is the whole point of locking him out of everything bar logoff and one program; this can be done, so will wait for more advice. We have done it before on earlier versions of SBS.
Rob WilliamsCommented:
You are also violating the SBS licensing agreement.  Remote access to the server is for management/administration of the server only.  Remote access to use the server to run applications is not allowed, nor is the server optimized for doing so, not to mention the security risks.
Rob WilliamsCommented:
Sometimes "you can't do that" is the correct answer.

You could create a user account that has only one icon on the desktop but, as donnk has pointed out, if you were to restrict their access to %systemroot% (effectively the C drive) they could not run the application. If not restricting, they could easily get around any simple defenses in place.

To add to that:
-as I mentioned, it is a licensing violation to use the server in this manner.
-domain controllers are optimized for running background applications and services, not for running applications; that is what terminal servers and application servers are for
-installations of applications on a domain controller have different permissions than on a PC, thus if you were to restrict the user, i.e. not an admin, they may also not be able to run the application

The correct answer is, as donnk suggested, to create a physical or virtual machine to run the Sage application. If creating a VM on the SBS be very careful, as any method such as Hyper-V that creates a virtual NIC will break SBS services such as DHCP. Some VMware apps may work but are not officially supported on SBS. In an ideal world you are best to buy a Server 2012 license, which allows you to create a virtual host, virtualize your SBS and add a virtual Server 2012 as a terminal server. Keep in mind accessing any machine remotely, other than a PC through Remote Web Access, also requires User and RDS CALs.
Rob WilliamsCommented:
>>"but if you actually read the question Sage was put after i.e. which means for example. "

Matthew, I am sorry but this looks like it was incomplete, or I don't understand what you are trying to say. Glad to try to help further if we can, but seriously it is not possible to truly lock down as you wish, and accessing the server to run applications is a violation of the licensing agreement.

If you would like to explain further, I am glad to follow up.

However, if complete, donnk does deserve being awarded as the correct answer as he/she said it wasn't possible and suggested a good alternative. I know the response is not what you were hoping for, but Experts-Exchange used to have the following in their help/support pages, but I am unable to find it in the revised version: "The correct answer to some questions is "You can't do that." Sometimes, you will get an answer that isn't what you want to read, but it still may be the correct answer, and you should award points to the Expert that gave you that answer." http://www.experts-exchange.com/help.jsp
Cliff GaliherCommented:
Then let me be yet another expert who has read the entire thread and says "you cannot do that."

I don't care if you've done it with other versions of SBS in the past. I know people who have stolen cars in the past too. Doesn't make it legal.

SBS cannot legally be used for end user applications. Full stop. You can't LEGALLY do that, and you shouldn't do that, and if you want to break the law, you are way out of line telling others they missed the point or are wrong for refusing to help you break the law.

The RIGHT way to do this is to give the users client PCs that they can access via RWW, or to set up a second server to run Remote Desktop Services (also known as Terminal Services) for end users. That requires a server license *and* TS/RDS CALs. You can't freeload and try to get that functionality on the cheap by breaking SBS licensing.

Even Microsoft documents this:

http://technet.microsoft.com/en-us/library/dd262139(v=WS.10).aspx
Rob WilliamsCommented:
In an effort to remain civil: you keep mentioning we did not read the question or ask the right questions. Could you please advise what we are missing so that we may help you? Are we not correct in believing:
 -You wish to access the SBS using remote desktop
 -You want to run a Sage application using the rdp session
 -You want to block access to the system files and all resources except the Sage application
 -You do not wish to pay any additional fees

Our answers have been based on those assumptions.  Please add any additional information we are missing so that we may better assist you.
grovenetsupportAuthor Commented:
I used Sage as an example, which I tried to explain, as we have a need for a client who wants a remote staff member to access the Active Directory to manage users but no access to anything else.
Rob WilliamsCommented:
That is quite a different 'kettle of fish'. It would have been good to have the details.

You can't limit them completely, but you can create a basic user (not a domain admin) and grant them delegation rights to control a particular OU in Active Directory. By right-clicking on the OU you will see an option "Delegate Control" which will start a wizard that allows you to add and configure the user's rights. However, when doing so you would usually have the user access with the RSAT tools (Remote Server Administration Tools) from a PC. By allowing them to RDP directly to the server you lose most of the control.

You could use the SBS VPN client and they could run the RSAT tools from the remote PC, if you don't have a LAN PC they can use.

RSAT tools are specific to the O/S and even SP level. Win7 SP1 can be found at:
http://www.microsoft.com/en-ca/download/details.aspx?id=7887
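The OU delegation described above, scripted rather than clicked through the "Delegate Control" wizard. This is an added example, not code from the thread or from Microsoft; the domain DN, the OU name and the group name are assumed placeholders, and it grants the common "manage user accounts in this OU" set (create/delete users, edit their properties, reset passwords) to a group rather than directly to the staff member's account, so the account itself stays a plain domain user.

```powershell
# Added example: delegate user management on one OU to a non-admin group.
# Assumptions (replace for your domain): DC=example,DC=local, OU "RemoteStaff",
# group "OU-RemoteStaff-Admins". Run as a domain admin on a DC or with RSAT.
Import-Module ActiveDirectory

$ouDN      = "OU=RemoteStaff,DC=example,DC=local"   # assumed OU to delegate
$groupName = "OU-RemoteStaff-Admins"                # assumed delegation group

# Delegate to a group, not a user: membership changes do not need ACL edits.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDN
}
$sid = (Get-ADGroup $groupName).SID

# Schema GUIDs: the "user" object class and the "Reset Password" control access right.
$userClassGuid = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"
$resetPwdGuid  = [Guid]"00299570-246d-11d0-a768-00aa006e0529"

$acl = Get-Acl -Path "AD:\$ouDN"

# 1. Create and delete user objects in this OU and its child OUs (nothing else).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, "CreateChild,DeleteChild", "Allow", $userClassGuid, "All")))

# 2. Read and write properties, but only on user objects beneath the OU.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, "GenericRead,WriteProperty", "Allow", "Descendents", $userClassGuid)))

# 3. Reset Password extended right, again scoped to user objects only.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, "ExtendedRight", "Allow", $resetPwdGuid, "Descendents", $userClassGuid)))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show only the ACEs that reference the delegated group.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```

The rights apply only to objects under that OU; the group gets nothing on the rest of the directory, which is the point of pairing this with RSAT from a PC instead of an RDP session on the server.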
Rob WilliamsCommented:
PS - I suspect some of the confusion comes from (post ID: 39683343):
 i.e. means "in other words"
 e.g. means "for example"
grovenetsupportAuthor Commented:
My apologies for getting upset, but sometimes people start spouting off without asking the right questions. The first guy to respond hacked me off with his reply, so again my apologies.
Rob WilliamsCommented:
I think everyone responded correctly based on the information that had been provided at that point. There really were not a lot of specifics provided. However, perhaps the delegation control is more what you were looking for.