Solved

Terminal services 2008r2

Posted on 2015-01-29
8
96 Views
Last Modified: 2015-02-02
I have installed terminal services on a 2008r2 box but when I connect I don't see a virgin desktop as I would expect but the server desktop giving me access to all the server functions.
Regardless of the users permissions should they always see a "Virtual PC" (sorry not sure what you would call it in TS)
The 2008r2 box isn't in a production environment so can mess about with it.
0
Comment
Question by:PHBSupport
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 9

Accepted Solution

by:
schmiegu earned 250 total points
ID: 40577434
That's absolutely normal. I'm not sure, what you mean with "Virtual PC", but I believe that is something you get with VDI (Remote Desktop Virtualization Host) , not with RD Session Host alone. RD Session Host always gives you the full Desktop and you have to configure security (and maybe Access Based Enumeration) to lock the server down. You may consider configuring a mandatory profile.
Another option could be to configure Remote Apps, so users never see the desktop.
0
 

Author Comment

by:PHBSupport
ID: 40577462
Thanks for the reply, I was under the impression that each user would have a totally separate "terminal" that could be set up uniquely for that user rather like a virtual PC, the main advantage being only having to run updates on one copy of a users apps i.e. Office.

I may have dug myself into a hole, as its a test environment AD and everything else is on one server therefore in a production environment TS would be on its own server so maybe this would give the result I'm looking for?
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 250 total points
ID: 40577534
What you are seeing is normal in a fresh install. Ideally you would lock down the Terminal Server using Group Policy to remove access to all these various administrative areas.

There's plenty of guides out there but you can start off with this one (even though it's for 2003): http://support.microsoft.com/kb/278295
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 40577648
If you installed 2008 R2 then you're not using Terminal Services - you're using Remote Desktop Services.  (Yes, same thing, but terminology changed and referencing it properly is important - without the proper reference I don't know if you're using 2008 and mistakenly using the R2 designation (which still called it Terminal services) or 2008 R2 and are just mistakenly referencing the wrong name of the service.  The features and capabilities are increasing so knowing what you have is important.

Did you activate the role properly - Remote Administration allows 2 sessions and works basically the same way but would launch the server management tools, but with RDS properly activated, users get unique sessions (their own "terminal").
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 

Author Comment

by:PHBSupport
ID: 40577682
Sorry cant get into the habit of calling it RDS! It is 2008R2 with the remote desktop services installed.
I think I was expecting each session to be a blank desktop and it is now apparent I need to lock the users down.
When we run it in a production environment there wont be a problem as it wont be on a DC just a member server.

Many thanks for all the reply's
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40578662
I may have dug myself into a hole, as its a test environment AD and everything else is on one server therefore in a production environment TS would be on its own server so maybe this would give the result I'm looking for?
I missed this bit in one of your replies.

That would be correct, if the server will have nothing but the RDS role installed on when it goes into production then the various management tools such as Active Directory Users and Computers, DNS, etc. will not be visible to the end users as these roles won't exist on the RD Session Host.
0
 
LVL 9

Expert Comment

by:schmiegu
ID: 40579141
It may depend on the organisation, but I always have only the RDS role installed (we use a farm with several servers) - and I remove users from the permissions on Administrative Tools (also from HP Management Tools and some others), so they have only access to their apps. A production RDS should have no other roles installed. And never make your DCs a RDS! Even in a test environment I prefer to use Hyper-V and have distinct server-VMs.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40579256
@schmiegu: I personally redirect the Start Menu to a network share, disable and remove the All Users Start Menu from the server (so users have a consistent Start Menu across all the servers), hide and restrict access to the system and CD drives, along with a number of other customizations.

Agree with the sentiment to not make a DC a RD Session Host. Microsoft officially do not recommend this either, however it is still possible to do if you have no choice: https://technet.microsoft.com/en-us/library/cc742817.aspx
0

Featured Post

Shouldn't all users have the same email signature?

You wouldn't let your users design their own business cards, would you? So, why do you let them design their own email signatures? Think of the damage they could be doing to your brand reputation! Choose the easy way to manage set up and add email signatures for all users.

Join & Write a Comment

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now