• Status: Solved

Terminal services 2008r2

I have installed terminal services on a 2008r2 box but when I connect I don't see a virgin desktop as I would expect but the server desktop giving me access to all the server functions.
Regardless of the user's permissions, should they always see a "Virtual PC" (sorry, not sure what you would call it in TS)?
The 2008r2 box isn't in a production environment so I can mess about with it.
Asked by: PHBSupport
2 Solutions
 
schmiegu Commented:
That's absolutely normal. I'm not sure what you mean by "Virtual PC", but I believe that is something you get with VDI (Remote Desktop Virtualization Host), not with RD Session Host alone. RD Session Host always gives you the full Desktop and you have to configure security (and maybe Access Based Enumeration) to lock the server down. You may consider configuring a mandatory profile.
Another option could be to configure Remote Apps, so users never see the desktop.
 
PHBSupport (Author) Commented:
Thanks for the reply. I was under the impression that each user would have a totally separate "terminal" that could be set up uniquely for that user, rather like a virtual PC, the main advantage being only having to run updates on one copy of a user's apps, i.e. Office.

I may have dug myself into a hole, as it's a test environment, AD and everything else is on one server; therefore in a production environment TS would be on its own server, so maybe this would give the result I'm looking for?
 
VB ITS (Specialist Consultant) Commented:
What you are seeing is normal in a fresh install. Ideally you would lock down the Terminal Server using Group Policy to remove access to all these various administrative areas.

There are plenty of guides out there but you can start off with this one (even though it's for 2003): http://support.microsoft.com/kb/278295
 
Lee W, MVP (Technology and Business Process Advisor) Commented:
If you installed 2008 R2 then you're not using Terminal Services - you're using Remote Desktop Services. (Yes, same thing, but terminology changed and referencing it properly is important - without the proper reference I don't know if you're using 2008 and mistakenly using the R2 designation (which still called it Terminal services) or 2008 R2 and are just mistakenly referencing the wrong name of the service.) The features and capabilities are increasing so knowing what you have is important.

Did you activate the role properly - Remote Administration allows 2 sessions and works basically the same way but would launch the server management tools, but with RDS properly activated, users get unique sessions (their own "terminal").
 
PHBSupport (Author) Commented:
Sorry, can't get into the habit of calling it RDS! It is 2008R2 with the remote desktop services installed.
I think I was expecting each session to be a blank desktop and it is now apparent I need to lock the users down.
When we run it in a production environment there won't be a problem as it won't be on a DC, just a member server.

Many thanks for all the replies.
 
VB ITS (Specialist Consultant) Commented:
"I may have dug myself into a hole, as it's a test environment, AD and everything else is on one server; therefore in a production environment TS would be on its own server, so maybe this would give the result I'm looking for?"
I missed this bit in one of your replies.

That would be correct. If the server will have nothing but the RDS role installed on it when it goes into production, then the various management tools such as Active Directory Users and Computers, DNS, etc. will not be visible to the end users, as these roles won't exist on the RD Session Host.
 
schmiegu Commented:
It may depend on the organisation, but I always have only the RDS role installed (we use a farm with several servers) - and I remove users from the permissions on Administrative Tools (also from HP Management Tools and some others), so they have only access to their apps. A production RDS should have no other roles installed. And never make your DCs a RDS! Even in a test environment I prefer to use Hyper-V and have distinct server-VMs.
 
VB ITS (Specialist Consultant) Commented:
@schmiegu: I personally redirect the Start Menu to a network share, disable and remove the All Users Start Menu from the server (so users have a consistent Start Menu across all the servers), hide and restrict access to the system and CD drives, along with a number of other customizations.

Agree with the sentiment to not make a DC a RD Session Host. Microsoft officially do not recommend this either, however it is still possible to do if you have no choice: https://technet.microsoft.com/en-us/library/cc742817.aspx
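
The checks the answers above describe (RD Session Host not on a DC, no other roles installed, ordinary users removed from Administrative Tools), written as a read-only audit script. This is an added example, not part of the original thread; it assumes Windows Server 2008 R2 with the ServerManager module, and the function name Test-RdsHostBaseline is hypothetical.

```powershell
# Added example, not from the thread. Read-only audit; run elevated on the server.
# Assumes Windows Server 2008 R2 (PowerShell 2.0, ServerManager module).
Import-Module ServerManager

function Test-RdsHostBaseline {   # hypothetical name
    $findings = @()

    # 1. Is this box a domain controller? DomainRole 4 = backup DC, 5 = primary DC.
    $domainRole = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    if ($domainRole -ge 4) {
        $findings += "Server is a domain controller (DomainRole=$domainRole)."
    }

    # 2. Top-level roles installed besides Remote Desktop Services.
    $otherRoles = Get-WindowsFeature | Where-Object {
        $_.Installed -and $_.FeatureType -eq 'Role' -and $_.Name -ne 'Remote-Desktop-Services'
    }
    foreach ($r in $otherRoles) {
        $findings += "Additional role installed: $($r.DisplayName) [$($r.Name)]"
    }

    # 3. Can ordinary users still read the all-users Administrative Tools folder?
    #    SIDs are used so the check also works on non-English installs.
    $broadSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    $adminTools = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Administrative Tools'
    if (Test-Path -Path $adminTools) {
        $rules = (Get-Acl -Path $adminTools).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -eq 'Allow' -and $broadSids.ContainsKey($sid)) {
                $findings += "Administrative Tools is accessible to $($broadSids[$sid]) ($($rule.FileSystemRights))."
            }
        }
    }
    return $findings
}

$result = Test-RdsHostBaseline
if ($result) {
    $result | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'No findings: member server, RDS only, Administrative Tools restricted.'
}
```

On the single-server test box described in the question, checks 1 and 2 would be expected to report findings, since AD and the other roles share the machine with RDS.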