Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Terminal services 2008r2

Posted on 2015-01-29
8
Medium Priority
?
119 Views
Last Modified: 2015-02-02
I have installed terminal services on a 2008r2 box but when I connect I don't see a virgin desktop as I would expect but the server desktop giving me access to all the server functions.
Regardless of the users permissions should they always see a "Virtual PC" (sorry not sure what you would call it in TS)
The 2008r2 box isn't in a production environment so can mess about with it.
0
Comment
Question by:PHBSupport
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 9

Accepted Solution

by:
schmiegu earned 1000 total points
ID: 40577434
That's absolutely normal. I'm not sure, what you mean with "Virtual PC", but I believe that is something you get with VDI (Remote Desktop Virtualization Host) , not with RD Session Host alone. RD Session Host always gives you the full Desktop and you have to configure security (and maybe Access Based Enumeration) to lock the server down. You may consider configuring a mandatory profile.
Another option could be to configure Remote Apps, so users never see the desktop.
0
 

Author Comment

by:PHBSupport
ID: 40577462
Thanks for the reply, I was under the impression that each user would have a totally separate "terminal" that could be set up uniquely for that user rather like a virtual PC, the main advantage being only having to run updates on one copy of a users apps i.e. Office.

I may have dug myself into a hole, as its a test environment AD and everything else is on one server therefore in a production environment TS would be on its own server so maybe this would give the result I'm looking for?
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 1000 total points
ID: 40577534
What you are seeing is normal in a fresh install. Ideally you would lock down the Terminal Server using Group Policy to remove access to all these various administrative areas.

There's plenty of guides out there but you can start off with this one (even though it's for 2003): http://support.microsoft.com/kb/278295
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 40577648
If you installed 2008 R2 then you're not using Terminal Services - you're using Remote Desktop Services.  (Yes, same thing, but terminology changed and referencing it properly is important - without the proper reference I don't know if you're using 2008 and mistakenly using the R2 designation (which still called it Terminal services) or 2008 R2 and are just mistakenly referencing the wrong name of the service.  The features and capabilities are increasing so knowing what you have is important.

Did you activate the role properly - Remote Administration allows 2 sessions and works basically the same way but would launch the server management tools, but with RDS properly activated, users get unique sessions (their own "terminal").
0
 

Author Comment

by:PHBSupport
ID: 40577682
Sorry cant get into the habit of calling it RDS! It is 2008R2 with the remote desktop services installed.
I think I was expecting each session to be a blank desktop and it is now apparent I need to lock the users down.
When we run it in a production environment there wont be a problem as it wont be on a DC just a member server.

Many thanks for all the reply's
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40578662
I may have dug myself into a hole, as its a test environment AD and everything else is on one server therefore in a production environment TS would be on its own server so maybe this would give the result I'm looking for?
I missed this bit in one of your replies.

That would be correct, if the server will have nothing but the RDS role installed on when it goes into production then the various management tools such as Active Directory Users and Computers, DNS, etc. will not be visible to the end users as these roles won't exist on the RD Session Host.
0
 
LVL 9

Expert Comment

by:schmiegu
ID: 40579141
It may depend on the organisation, but I always have only the RDS role installed (we use a farm with several servers) - and I remove users from the permissions on Administrative Tools (also from HP Management Tools and some others), so they have only access to their apps. A production RDS should have no other roles installed. And never make your DCs a RDS! Even in a test environment I prefer to use Hyper-V and have distinct server-VMs.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40579256
@schmiegu: I personally redirect the Start Menu to a network share, disable and remove the All Users Start Menu from the server (so users have a consistent Start Menu across all the servers), hide and restrict access to the system and CD drives, along with a number of other customizations.

Agree with the sentiment to not make a DC a RD Session Host. Microsoft officially do not recommend this either, however it is still possible to do if you have no choice: https://technet.microsoft.com/en-us/library/cc742817.aspx
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question