Solved

Manage users via group policy after they log in to our RDS servers via ADFS

Posted on 2015-01-22
200 Views
Last Modified: 2015-01-25
We are considering using ADFS to allow a number of our customers to log in to our web application and our RDS pool.  If users log in to our RDS servers via ADFS, can we still manage these users via group policy?  We want to control session time-out, drive mappings, IE security settings, the look and feel of the desktop, etc.

Based on what I can find, my personal feeling is this cannot be done on a per-person level, as there is no actual account in my AD to apply these policies to.

Any assistance is greatly appreciated.

Thanks.
0
Question by:mwDev
4 Comments
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40565448
I think you may have misunderstood how ADFS works. Or I misunderstood your intended topology.

ADFS takes outside authentication requests that are not natively supported by ADDS (so SAML, for example) and handles them. It basically extends the capabilities of ADDS so you can reach beyond the traditional boundaries of an AD organization. As such, at its core, ADDS is still sitting behind ADFS and handling the final arbitration of the system. And that means AD accounts are there to authenticate against. So yes, a user logging into an RDSH server may authenticate against ADFS, but the account is still an AD account and the RDSH server is still presumably joined to the domain. So once logged in, normal group policies will certainly still apply, and will behave as expected. OUs, WMI filters, all still matter. Only the method of authentication is changing.

-Cliff
0
 

Author Comment

by:mwDev
ID: 40566954
Hi Cliff,

Thanks for the answer.  Just to be certain we are on the same page.

We host RDS and Web Servers that provide software to our customers.  We wish to allow these customers (there are many of them, each of whom has their own different and distinct domain) to use their AD accounts to authenticate to our RDS and web applications using their local AD accounts.  So if we set up ADFS between our two organizations (they provide the authentication token and we accept it), and my servers are in my domain (us.local) and their accounts are in their domain (them.remote), do I have a way to set policies that would allow me to control the look and feel of the desktop, time-outs on RDS accounts, etc. from my end?  If it was accounts in my domain using someone else's server, I would presume I would be able to control this functionality because I would have the AD accounts, but my understanding of ADFS when we host the services is that I have nothing in my AD for that person.  We get a token that says I am person 'A' and I am from domain 'them.remote' and you trust my domain to say I am who I am.  As a result I will now use this web application or authenticate to this RDS server and use what it offers.

I hope this makes my side clearer.
0
 
LVL 58

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 40567136
You simply won't get RDS to work the way you want. To log into an RDSH server, an account *must* exist. You can't simply accept an ADFS token and have RDS create some sort of anonymous login.

When you look at other commercial apps that support ADFS, you'll see that they still maintain a user account for each user. Such as O365 or Azure AD. *Only* the authentication portion happens over ADFS, and that is with a lot of glue. The account itself is still local (which is why O365, for example, supports ADFS w/ dirsync so new accounts get created as well.)

So, since there would be local accounts, yes, as I said, GPOs would work. However, it also sounds like you may not be prepared for the complexity of implementing ADFS on the hosting side, nor the very complex licensing implications that come along with it.
0
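The accepted answer's point is that a federated user is only manageable by group policy once a real account for that user exists in the hosting domain and sits in the scope (OU, security filtering) of the GPOs you care about. The script below is an added example, not part of the original thread, showing how the hosting side could verify that on an RDSH host. It assumes: the hosting domain is us.local (NetBIOS name US), a "shadow" account is provisioned in us.local for each customer user with the customer's UPN (e.g. alice@them.remote) stored as the account's UserPrincipalName, a GPO named "RDS Customer Desktop" security-filtered to a group "RDS-Customer-Users", an RDSH named rdsh01.us.local, and the RSAT ActiveDirectory and GroupPolicy modules installed. All of those names, and the sample claims, are constructed for the example.

```powershell
# Added example (not from the original thread). Assumptions: hosting domain
# us.local / NetBIOS "US"; shadow accounts keep the customer UPN as their
# UserPrincipalName; GPO "RDS Customer Desktop" filtered to "RDS-Customer-Users";
# RDSH "rdsh01.us.local"; RSAT ActiveDirectory + GroupPolicy modules present.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$rdsHost  = 'rdsh01.us.local'        # assumed RDSH name
$gpoName  = 'RDS Customer Desktop'   # assumed GPO for timeouts, drive maps, desktop
$gpoGroup = 'RDS-Customer-Users'     # assumed group the GPO is security-filtered to

# Constructed sample of what the customer's ADFS might assert about two users.
$federatedUsers = @(
    @{ Upn = 'alice@them.remote' },
    @{ Upn = 'bob@them.remote'   }
)

function Get-ShadowAccount {
    param([Parameter(Mandatory)][string]$Upn)
    # A federated identity is only a GPO target once an account exists in
    # us.local; look it up by the UPN carried in the token.
    Get-ADUser -Filter "UserPrincipalName -eq '$Upn'" -Properties MemberOf
}

function Test-GpoFilterMembership {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$GroupName)
    # Security filtering: the GPO applies only if the account is (transitively)
    # in the group the GPO is filtered to.
    $members = Get-ADGroupMember -Identity $GroupName -Recursive |
               Select-Object -ExpandProperty SamAccountName
    return ($members -contains $SamAccountName)
}

function Get-AppliedUserGpos {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$Computer)
    # Logging-mode RSoP: the user must have logged on to the host at least
    # once, and the caller needs admin rights on the host.
    $report = Join-Path $env:TEMP "rsop-$SamAccountName.xml"
    Get-GPResultantSetOfPolicy -User "US\$SamAccountName" -Computer $Computer `
        -ReportType Xml -Path $report | Out-Null
    [xml]$rsop = Get-Content -Path $report
    # Node names follow the RSoP XML report schema (same as gpresult /x).
    $rsop.Rsop.UserResults.GPO | ForEach-Object {
        [pscustomobject]@{
            Name          = $_.Name
            FilterAllowed = $_.FilterAllowed
            AccessDenied  = $_.AccessDenied
        }
    }
}

foreach ($u in $federatedUsers) {
    $acct = Get-ShadowAccount -Upn $u.Upn
    if (-not $acct) {
        Write-Warning "$($u.Upn): no account in us.local, so no GPO can target this user"
        continue
    }
    if (-not (Test-GpoFilterMembership -SamAccountName $acct.SamAccountName -GroupName $gpoGroup)) {
        Write-Warning "$($acct.SamAccountName) is not in $gpoGroup; '$gpoName' will be filtered out"
    }
    Write-Host "GPOs evaluated for $($acct.SamAccountName) on $rdsHost:"
    Get-AppliedUserGpos -SamAccountName $acct.SamAccountName -Computer $rdsHost |
        Format-Table -AutoSize
}
```

The useful output is the RSoP table: a GPO that shows FilterAllowed = false or AccessDenied = true is linked to the user's OU but not applying, which is the case the thread is worried about. If the lookup by UPN returns nothing, the user was authenticated by ADFS but has no object in us.local, and there is nothing for group policy to act on.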
 

Author Closing Comment

by:mwDev
ID: 40569893
Hi Cliff,

Thanks for the assistance.  The answer you provided is pretty close to what I had expected and just needed to clarify since I have never used ADFS.  Thanks for your answer and clarification.

Ron
0
