• Status: Solved

Manage users via group policy after the login to our RDS servers via ADFS

We are considering using ADFS to allow a number of our customers to log in to our web application and our RDS pool. If users log in to our RDS servers via ADFS, can we still manage these users via group policy? We want to control session time-out, drive mappings, IE security settings, the look and feel of the desktop, etc.

Based on what I can find, my personal feeling is this cannot be done on a per-person level, as there is no actual account in my AD to apply these policies to.

Any assistance is greatly appreciated.

Thanks.
Asked by mwDev
1 Solution
Cliff Galiher commented:
I think you may have misunderstood how ADFS works. Or I misunderstood your intended topology.

ADFS takes outside authentication requests that are not natively supported by ADDS (so SAML for example) and handles that. It basically extends the capabilities of ADDS so you can reach beyond the traditional boundaries of an AD organization.   As such, at its core, ADDS is still sitting behind ADFS and handling the final arbitration of the system. And that means AD accounts are there to authenticate against.  So yes, a user logging into an RDSH server may authenticate against ADFS, but the account is still an AD account and the RDSH server is still presumably joined to the domain. So once logged in, normal group policies will certainly still apply, and will behave as expected.  OUs, WMI filters, all still matter. Only the method of authentication is changing.

-Cliff

mwDev (Author) commented:
Hi Cliff,

Thanks for the answer.  Just to be certain we are on the same page.

We host RDS and Web Servers that provide software to our customers. We wish to allow these customers (there are many of them, each of whom has their own different and distinct domain) to use their AD accounts to authenticate to our RDS and web applications using their local AD accounts. So if we set up ADFS between our two organizations (they provide the authentication token and we accept it), and my servers are in my domain (us.local) and their accounts are in their domain (them.remote), do I have a way to set policies that would allow me to control the look and feel of the desktop, time-outs on RDS accounts, etc. from my end? If it was accounts in my domain using someone else's server, I would presume I would be able to control this functionality because I would have the AD accounts, but my understanding of ADFS when we host the services to use is that I have nothing in my AD for that person. We get a token that says I am person 'A' and I am from domain 'them.remote' and you trust my domain to say I am who I am. As a result I will now use this web application or authenticate to this RDS server and use what it offers.

I hope this makes my side clearer.

Cliff Galiher commented:
You simply won't get RDS to work the way you want. To log into an RDSH server, an account *must* exist. You can't simply accept an ADFS token and have RDS create some sort of anonymous login.

When you look at other commercial apps that support ADFS, you'll see that they still maintain a user account for each user, such as O365 or Azure AD. *Only* the authentication portion happens over ADFS, and that is with a lot of glue. The account itself is still local (which is why O365, for example, supports ADFS w/ dirsync so new accounts get created as well).

So, since there would be local accounts, yes, as I said GPOs would work. However it also sounds like you may not be prepared for the complexity of implementing ADFS on the hosting side, nor the very complex licensing implications that come along with it.

mwDev (Author) commented:
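The point above (a federated token alone does not log anyone on; a local account in the hosting domain must exist, and its OU decides which GPOs apply on the RDSH) can be checked from the hosting side. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory and GroupPolicy modules, that provisioned accounts carry the partner UPN (them.remote) as their userPrincipalName, and the OU path and sample UPNs below are constructed.

```powershell
# Added example: verify that each federated identity the partner domain will present
# has a matching account in us.local, and show which GPOs are linked to its OU.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Constructed values: the OU where shadow accounts for customers are provisioned,
# and a few UPNs that them.remote would assert in its ADFS tokens.
$shadowOu      = 'OU=FederatedCustomers,OU=RDSUsers,DC=us,DC=local'
$federatedUpns = @('alice@them.remote', 'bob@them.remote', 'carol@them.remote')

function Test-FederatedAccount {
    param([string]$Upn)

    # Look the token's UPN up as a real AD account; without one the RDSH logon fails.
    $user = Get-ADUser -Filter "userPrincipalName -eq '$Upn'" -ErrorAction SilentlyContinue
    if (-not $user) {
        return [pscustomobject]@{ UPN = $Upn; Exists = $false; Enabled = $false; InGpoOu = $false; DN = $null }
    }

    # GPOs are applied by OU placement, so confirm the account sits under the expected OU.
    [pscustomobject]@{
        UPN     = $Upn
        Exists  = $true
        Enabled = $user.Enabled
        InGpoOu = ($user.DistinguishedName -like "*,$shadowOu")
        DN      = $user.DistinguishedName
    }
}

$results = foreach ($upn in $federatedUpns) { Test-FederatedAccount -Upn $upn }
$results | Format-Table -AutoSize

$results | Where-Object { -not $_.Exists } | ForEach-Object {
    Write-Warning "$($_.UPN) has no account in us.local; an ADFS token for it cannot log on to the RDSH"
}

# The user-side policies that will actually apply to accounts in that OU
# (session limits, drive maps, IE settings, desktop lockdown, etc.) are the ones linked here.
(Get-GPInheritance -Target $shadowOu).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order | Format-Table -AutoSize
```

Accounts reported as missing or outside the OU will not receive the intended GPOs regardless of what the ADFS token says, which is the gap to close on the provisioning side.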
Hi Cliff,

Thanks for the assistance. The answer you provided is pretty close to what I had expected, and I just needed to clarify since I have never used ADFS. Thanks for your answer and clarification.

Ron