Terminal services 2008r2

Posted on 2015-01-29
Last Modified: 2015-02-02
I have installed terminal services on a 2008r2 box but when I connect I don't see a virgin desktop as I would expect but the server desktop giving me access to all the server functions.
Regardless of the user's permissions, should they always see a "Virtual PC" (sorry, not sure what you would call it in TS)?
The 2008r2 box isn't in a production environment so I can mess about with it.
Question by:PHBSupport

Accepted Solution

schmiegu earned 250 total points
ID: 40577434
That's absolutely normal. I'm not sure what you mean by "Virtual PC", but I believe that is something you get with VDI (Remote Desktop Virtualization Host), not with RD Session Host alone. RD Session Host always gives you the full Desktop and you have to configure security (and maybe Access Based Enumeration) to lock the server down. You may consider configuring a mandatory profile.
Another option could be to configure Remote Apps, so users never see the desktop.

Author Comment

ID: 40577462
Thanks for the reply. I was under the impression that each user would have a totally separate "terminal" that could be set up uniquely for that user, rather like a virtual PC, the main advantage being only having to run updates on one copy of a user's apps, i.e. Office.

I may have dug myself into a hole, as it's a test environment: AD and everything else is on one server. In a production environment TS would be on its own server, so maybe this would give the result I'm looking for?
LVL 24

Assisted Solution

VB ITS earned 250 total points
ID: 40577534
What you are seeing is normal in a fresh install. Ideally you would lock down the Terminal Server using Group Policy to remove access to all these various administrative areas.

There's plenty of guides out there but you can start off with this one (even though it's for 2003):

LVL 96

Expert Comment

by:Lee W, MVP
ID: 40577648
If you installed 2008 R2 then you're not using Terminal Services - you're using Remote Desktop Services. (Yes, same thing, but terminology changed and referencing it properly is important - without the proper reference I don't know if you're using 2008 and mistakenly using the R2 designation (which still called it Terminal services) or 2008 R2 and are just mistakenly referencing the wrong name of the service.) The features and capabilities are increasing so knowing what you have is important.

Did you activate the role properly - Remote Administration allows 2 sessions and works basically the same way but would launch the server management tools, but with RDS properly activated, users get unique sessions (their own "terminal").

Author Comment

ID: 40577682
Sorry, can't get into the habit of calling it RDS! It is 2008R2 with the remote desktop services installed.
I think I was expecting each session to be a blank desktop and it is now apparent I need to lock the users down.
When we run it in a production environment there won't be a problem as it won't be on a DC, just a member server.

Many thanks for all the replies
LVL 24

Expert Comment

ID: 40578662
"I may have dug myself into a hole, as it's a test environment: AD and everything else is on one server. In a production environment TS would be on its own server, so maybe this would give the result I'm looking for?"
I missed this bit in one of your replies.

That would be correct. If the server will have nothing but the RDS role installed on it when it goes into production, then the various management tools such as Active Directory Users and Computers, DNS, etc. will not be visible to the end users, as these roles won't exist on the RD Session Host.

Expert Comment

ID: 40579141
It may depend on the organisation, but I always have only the RDS role installed (we use a farm with several servers) - and I remove users from the permissions on Administrative Tools (also from HP Management Tools and some others), so they only have access to their apps. A production RDS should have no other roles installed. And never make your DCs an RDS! Even in a test environment I prefer to use Hyper-V and have distinct server-VMs.
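
An audit of the points raised in the replies above (RDS on a DC, other roles on the session host, ordinary users able to read Administrative Tools), as an added example that is not part of any poster's reply. The function name `Test-RdshLockdown`, the sample role list and the set of "broad" groups are assumptions chosen for illustration.

```powershell
# Added example: audit an RD Session Host for the issues raised in this thread.
# Written for PowerShell 2.0 as shipped with 2008 R2; run from an elevated prompt.
Import-Module ServerManager

function Test-RdshLockdown {   # hypothetical helper name
    $findings = @()

    # Win32_ComputerSystem.DomainRole 4 or 5 means this machine is a domain controller.
    $domainRole = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    if ($domainRole -ge 4) {
        $findings += 'Host is a domain controller: do not run RD Session Host here.'
    }

    $installed = @(Get-WindowsFeature | Where-Object { $_.Installed } |
                   ForEach-Object { $_.Name })

    # RDS-RD-Server is the RD Session Host role service. Without it the box only
    # offers the two Remote Administration sessions.
    if ($installed -notcontains 'RDS-RD-Server') {
        $findings += 'RD Session Host role service (RDS-RD-Server) is not installed.'
    }

    # Assumed sample of roles that should not share a production session host.
    foreach ($role in 'AD-Domain-Services', 'DNS', 'DHCP') {
        if ($installed -contains $role) {
            $findings += "Role '$role' is installed alongside RDS."
        }
    }

    # All Users Administrative Tools folder: flag Allow ACEs that let broad groups read it.
    $path = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Administrative Tools'
    # Everyone, Authenticated Users, BUILTIN\Users, BUILTIN\Remote Desktop Users
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-32-555'
    $readBit = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $sidType = [System.Security.Principal.SecurityIdentifier]
    if (Test-Path $path) {
        foreach ($rule in (Get-Acl -Path $path).GetAccessRules($true, $true, $sidType)) {
            $readable = ([int]$rule.FileSystemRights -band $readBit) -ne 0
            if ($rule.AccessControlType -eq 'Allow' -and $readable -and
                $broadSids -contains $rule.IdentityReference.Value) {
                $findings += "Administrative Tools readable by $($rule.IdentityReference.Value)."
            }
        }
    }
    $findings
}

Test-RdshLockdown
```

An empty result means none of the three conditions was found; it does not cover the Group Policy restrictions mentioned earlier in the thread.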
LVL 24

Expert Comment

ID: 40579256
@schmiegu: I personally redirect the Start Menu to a network share, disable and remove the All Users Start Menu from the server (so users have a consistent Start Menu across all the servers), hide and restrict access to the system and CD drives, along with a number of other customizations.

Agree with the sentiment to not make a DC a RD Session Host. Microsoft officially do not recommend this either, however it is still possible to do if you have no choice:

Question has a verified solution.
