Solved

Terminal services 2008r2

Posted on 2015-01-29
Last Modified: 2015-02-02
I have installed terminal services on a 2008r2 box, but when I connect I don't see a virgin desktop as I would expect but the server desktop, giving me access to all the server functions.
Regardless of the user's permissions, should they always see a "Virtual PC" (sorry, not sure what you would call it in TS)?
The 2008r2 box isn't in a production environment so I can mess about with it.
0
Question by:PHBSupport
8 Comments
 
LVL 9

Accepted Solution

by:
schmiegu earned 250 total points
ID: 40577434
That's absolutely normal. I'm not sure what you mean by "Virtual PC", but I believe that is something you get with VDI (Remote Desktop Virtualization Host), not with RD Session Host alone. RD Session Host always gives you the full desktop and you have to configure security (and maybe Access Based Enumeration) to lock the server down. You may consider configuring a mandatory profile.
Another option could be to configure Remote Apps, so users never see the desktop.
0
 

Author Comment

by:PHBSupport
ID: 40577462
Thanks for the reply. I was under the impression that each user would have a totally separate "terminal" that could be set up uniquely for that user, rather like a virtual PC, the main advantage being only having to run updates on one copy of a user's apps, i.e. Office.

I may have dug myself into a hole, as it's a test environment, AD and everything else is on one server, therefore in a production environment TS would be on its own server, so maybe this would give the result I'm looking for?
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 250 total points
ID: 40577534
What you are seeing is normal in a fresh install. Ideally you would lock down the Terminal Server using Group Policy to remove access to all these various administrative areas.

There are plenty of guides out there but you can start off with this one (even though it's for 2003): http://support.microsoft.com/kb/278295
0
LVL 96

Expert Comment

by:Lee W, MVP
ID: 40577648
If you installed 2008 R2 then you're not using Terminal Services - you're using Remote Desktop Services. (Yes, same thing, but terminology changed and referencing it properly is important - without the proper reference I don't know if you're using 2008 and mistakenly using the R2 designation (which still called it Terminal Services) or 2008 R2 and are just mistakenly referencing the wrong name of the service.) The features and capabilities are increasing so knowing what you have is important.

Did you activate the role properly? Remote Administration allows 2 sessions and works basically the same way but would launch the server management tools, but with RDS properly activated, users get unique sessions (their own "terminal").
0
 

Author Comment

by:PHBSupport
ID: 40577682
Sorry, can't get into the habit of calling it RDS! It is 2008R2 with the remote desktop services installed.
I think I was expecting each session to be a blank desktop and it is now apparent I need to lock the users down.
When we run it in a production environment there won't be a problem as it won't be on a DC, just a member server.

Many thanks for all the replies
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40578662
"I may have dug myself into a hole, as it's a test environment, AD and everything else is on one server, therefore in a production environment TS would be on its own server, so maybe this would give the result I'm looking for?"
I missed this bit in one of your replies.

That would be correct. If the server will have nothing but the RDS role installed on it when it goes into production, then the various management tools such as Active Directory Users and Computers, DNS, etc. will not be visible to the end users as these roles won't exist on the RD Session Host.
0
 
LVL 9

Expert Comment

by:schmiegu
ID: 40579141
It may depend on the organisation, but I always have only the RDS role installed (we use a farm with several servers) - and I remove users from the permissions on Administrative Tools (also from HP Management Tools and some others), so they only have access to their apps. A production RDS should have no other roles installed. And never make your DCs an RDS! Even in a test environment I prefer to use Hyper-V and have distinct server VMs.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40579256
@schmiegu: I personally redirect the Start Menu to a network share, disable and remove the All Users Start Menu from the server (so users have a consistent Start Menu across all the servers), hide and restrict access to the system and CD drives, along with a number of other customizations.

Agree with the sentiment to not make a DC an RD Session Host. Microsoft officially do not recommend this either, however it is still possible to do if you have no choice: https://technet.microsoft.com/en-us/library/cc742817.aspx
0
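The points raised across the answers above (no RD Session Host on a DC, no other roles on the box, no user access to Administrative Tools, hidden system drives) can be checked with a read-only audit like the one below. It is an added example, not code posted by anyone in the thread. It assumes Windows Server 2008 R2 with the ServerManager module, the default all-users Start Menu path, and that the drive-policy check is run inside a test user's session.

```powershell
# Added example: read-only audit of an RD Session Host (PowerShell 2.0 or later, run elevated).
Import-Module ServerManager   # ships with Windows Server 2008 R2

# 1. Domain controller? Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$cs   = Get-WmiObject -Class Win32_ComputerSystem
$isDC = $cs.DomainRole -ge 4

# 2. Is RD Session Host installed, and which infrastructure roles share the server?
$rdsh   = (Get-WindowsFeature -Name 'RDS-RD-Server').Installed
$others = Get-WindowsFeature -Name 'AD-Domain-Services', 'DNS', 'DHCP' |
          Where-Object { $_.Installed } |
          ForEach-Object { $_.Name }

# 3. Can ordinary users read the all-users Administrative Tools folder?
#    Well-known SIDs are used so the check works on non-English systems.
$adminTools = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Administrative Tools'
$broadSids  = 'S-1-5-32-545', 'S-1-1-0', 'S-1-5-11'   # Users, Everyone, Authenticated Users
$sidType    = [System.Security.Principal.SecurityIdentifier]
$exposed    = (Get-Acl -Path $adminTools).GetAccessRules($true, $true, $sidType) |
              Where-Object { $_.AccessControlType -eq 'Allow' -and
                             $broadSids -contains $_.IdentityReference.Value }

# 4. Drive hiding/restriction policy for the CURRENT user (set by Group Policy).
#    Values are bitmasks, A: = 1, B: = 2, C: = 4, ...; empty means no policy applied.
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$pol    = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue

# Report
"Domain controller            : $isDC"
"RD Session Host installed    : $rdsh"
"Other roles on this server   : $($others -join ', ')"
"NoDrives (hidden drives)     : $($pol.NoDrives)"
"NoViewOnDrive (blocked)      : $($pol.NoViewOnDrive)"

if ($isDC -and $rdsh) {
    Write-Warning 'RD Session Host is installed on a domain controller.'
}
if ($exposed) {
    Write-Warning "Non-admin groups have Allow entries on: $adminTools"
    $exposed | Select-Object IdentityReference, FileSystemRights, IsInherited
}
```

The script changes nothing; removing the reported ACL entries and applying the drive policies is still done through NTFS permissions and Group Policy as described in the comments above.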
