Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Manage users via group policy after the login to our RDS servers via ADFS

Posted on 2015-01-22
4
Medium Priority
?
212 Views
Last Modified: 2015-01-25
We are considering using ADFS to allow a number of our customers to login to our web application and our RDS pool.  If users login to our RDS servers via ADFS can we still manage these users via group policy?  We want to control session time-out, drive mappings, IE security settings, the look and feel of the desktop, etc.

Based on what I can find my personal feeling is this can not be done on a per person level as there is not actual account in my AD to apply these policies to.

Any assistance is greatly appreciated.

Thanks.
0
Comment
Question by:mwDev
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 40565448
I think you may have misunderstood how ADFS works. Or I misunderstood your intended topology.

ADFS takes outside authentication requests that are not natively supported by ADDS (so SAML for example) and handles that. It basically extends the capabilities of ADDS so you can reach beyond the traditional boundaries of an AD organization.   As such, at its core, ADDS is still sitting behind ADFS and handling the final arbitration of the system. And that means AD accounts are there to authenticate against.  So yes, a user logging into an RDSH server may authenticate against ADFS, but the account is still an AD account and the RDSH server is still presumably joined to the domain. So once logged in, normal group policies will certainly still apply, and will behave as expected.  OUs, WMI filters, all still matter. Only the method of authentication is changing.

-Cliff
0
 

Author Comment

by:mwDev
ID: 40566954
Hi Cliff,

Thanks for the answer.  Just to be certain we are on the same page.

We host RDS and Web Servers that provide software to our customers.  We wish to allow these customers (there are many of them each of whom has their own different and distinct domain) to use their AD accounts to authenticate to our RDS and web applications using their local AD accounts.  So if we setup ADFS between our two organizations (they provide the authentication token and we accept it), and my servers are in my domain (us.local) and their accounts are in their domain (them.remote) do I have a way to set policies that would allow me to control the look and feel of the desktop, time-outs on RDS accounts, etc. from my end?  If it was accounts in my domain using someone else's server I would presume I would be able to control this functionality because I would have the AD accounts but my understanding of ADFS when we host the services to use is that I have nothing in my AD for that person.  We get a token that says I am person 'A' and I am from domain 'them.remote' and you trust my domain to say I am who I am.  As a result I will now use this web application or authenticate to this RDS server and use what it offers.

I hope this makes my side clearer.
0
 
LVL 59

Accepted Solution

by:
Cliff Galiher earned 2000 total points
ID: 40567136
You simply won't get RDS to work the way you want. To log into an RDSH server, an account *must* exist. You can't simply accept am ADFS token and have TDS create some sort of anonymous login.

When you look at other commercial apps that support ADFS, you'll see that they still maintain a user account for each user. Such as O365 or Azure AD. *Only* the authentication portion happens over ADFS, and that is with a lot of glue. The account itself is still local (which is why O365, for example, supports ADFS w/ dirsync so new accounts get created as well.)

So, since there would be local accounts, yes, as I said GPOs would work. However it also sounds like you may not be prepared for the complexity of implementing ADFS on the hosting side, nor the very complex licensing implications that come along with it.
0
 

Author Closing Comment

by:mwDev
ID: 40569893
H Cliff,

Thanks for the assistance.  The answer you provided is pretty close to what I had expected and just needed to clarify since I have never used ADFS.  Thanks for your answer and clarification.

Ron
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OfficeMate Freezes on login or does not load after login credentials are input.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question