Creating a fool-proof Remote Desktop Environment on SBS 2008 R2

Damian (asker):

Hey people,

I am pondering a good method to limit users' Remote Desktop environments without restricting their local desktop environments. For example, one particular standard user, John, logs into his Windows desktop PC, can send email, can edit his control panel preferences, open Word, Excel etc., but then logs into the Remote Desktop Server and can only open MYOB... no access to the start menu or control panel, and no doing anything silly... like shutting down the server.

I've seen this before; from what I gathered... it could have been achieved with a bit of Group Policy workmanship, if I am not mistaken.

Remote Desktop is running on Windows SBS 2008 R2. Clients are Windows 7.
Mal Osborne:

Probably best to have a dedicated terminal server to do this. Running a DC as a TS box is not a good idea, even in the SBS world.

If you just want users to use MYOB, then it might be best to publish this as a RemoteApp.

https://social.technet.microsoft.com/wiki/contents/articles/2345.publish-a-remoteapp-application-on-remote-desktop-service.aspx
Alex Green:

It's called server hardening.

https://www.newnettechnologies.com/server-hardening-policy.html#operating-system-configuration

There are loads of websites, via Google. However, I'd set up a group policy, apply it to your user OU and then lock it down from there.

Cheers
Damian (asker):
Thanks Alex Green,

So I guess my question then becomes: how do you prevent affecting the user's local computer (domain-joined) profile, so their local profile doesn't succumb to the same stringent Remote Desktop policy?
Damian (asker):
Thanks Alex,

I actually wanted to keep Remote Desktop Users, as default, to allow a full experience for administrators RD'ing in, and just affect the 'standard users' or as you say 'domain users'.

But, when you say "drop your Terminal Servers there" in regard to the OU in Active Directory, are you referring to the group "Terminal Servers"?
Damian (asker):
Thanks again Alex!

Just a little confused about what you meant by...

"Ahhh ok

Create a new OU

Drop your Terminal servers in there"

...So... you mean put the Terminal Server, in my case my TS & DC, in the newly created OU?!

Cheers!
Damian (asker):
Further to that

PS. Does Group Policy (in a user's remote session) give me, the admin, the ability to change the location where the user profiles are stored?
Wayne88:

I agree with Mal, what you're trying to do is best done on a separate TS server. If you have the SBS Premium version then it should have come with an additional standard server license which you can use as a TS.

If you still insist on doing this on SBS, I think the best thing to do is create a group policy for each different desktop profile and then enforce this policy on the users in that group via GPO. Here is an article on where to look: "Manage User Profiles for Remote Desktop Services" should get you started on the right path.

https://technet.microsoft.com/en-us/library/cc742820(v=ws.11).aspx
Damian (asker):
Thanks Wayne & Mal,

I can appreciate that having a Terminal Server on a domain controller is not ideal.

But this needs to be done within the confines of the existing hardware; there is no additional budget to purchase an additional server.

Wayne88:

In that case I would first create a special remote desktop user group and assign a strict desktop profile to that group via GPO. So they will get limited controls when logging on via remote desktop.
Damian (asker):
Hi Wayne,

Thanks for your quick response.

So far, I have created an OU in AD Users & Computers titled "Restricted remote desktop".
In Group Policy Management, I have created a GPO for this OU with the same title. I have edited the policy and prohibited access to various things like 'command prompt', 'control panel' and many other things.

But here's where I seem to be getting lost: the "Restricted remote desktop" GPO's 'Security Filtering' contains "Authenticated Users", and in Active Directory the "Restricted Remote Desktop" OU contains my 'test' user (a member of Domain Users). But I'm concerned this GPO will affect local users' desktop profiles, correct?

Wayne88:

Hi DamoDiggler,

I believe in the security filtering you just apply it to the "Restricted remote desktop" group (add this) instead of all "Authenticated Users" (remove this from security filtering).

It's almost the same way as you would create a GPO to only map a department printer to people in that group/department.

Once done, let's test it: open a CMD window and do a "GPUPDATE /FORCE" on the SBS and the client. Then try RDP again.

Wayne
Damian (asker):
Hi Wayne,

Thanks again for your prompt response.

What you said makes perfect sense, but I am not seeing my AD OU "Restricted Remote Desktop" as an available option when I try to 'Add' to the GPO's "Security Filtering" list... I can see everything else from AD though.

Wayne88:

Hi DamoDiggler, did you create a security group called "Restricted Remote Desktop"?
Damian (asker):
I created an Active Directory Organizational Unit called "Restricted Remote Desktop"; the icon has a small book over the folder... I can add "users" if I wanted to, so I'm assuming Security Filtering can only add users & groups and not an actual OU...

Wayne88:

I checked my AD and I selected a specific security group for a specific GPO. In any case, you can try applying to an OU and test.

"In the Enter the object name to select box, type the name of the group, user, or computer that you want to add to the security filter. "

https://technet.microsoft.com/en-us/library/cc752992(v=ws.11).aspx
Damian (asker):
Ok, well I assume you can't add an OU to an OU. Adding to Security Filtering seems to work fine when selecting Groups and Users, which is no biggie; I'll just create a group of users in AD instead of an OU.

Wayne88:

Let me know how it goes. Have a good evening.
Damian (asker):
Hmmm... not having much luck with this. My test user 'john' is part of 'domain users' & 'restricted remote desktop', which has the GPO that does all the RD restriction. But when I log in to RD he now has a full environment. If I take out 'domain users', John can no longer log in to Remote Desktop at all.

:\
Set up MYOB as a RemoteApp.

What happens when you do RSOP (Resultant Set of Policy) to see how the policy affects the group? Just curious to see if it got applied correctly.

Wayne88:

Good evening DamoDiggler. The GP you created may have crashed before it finished and hence is not applying as it should.

That error seems to be related to IE11. Did you have any policy for IE? If yes, try not setting any policy for IE and then reapply the GP, or you can try the solutions mentioned here:

But if you are not able to get the problem solved, or even get another error from different line and column, try this.
(1) download 'administrative templates for internet explorer' from https://www.microsoft.com/en-us/download/details.aspx?id=40905
(2) extract, copy and paste en-us\inetres.adml file to C:\Windows\PolicyDefinitions\en-us to overwrite
for example, if you are using japanese IE, copy and paste ja-jp\inetres.adml file to C:\Windows\PolicyDefinitions\ja-jp
(3) you may also overwrite C:\Windows\PolicyDefinitions\inetres.admx file if it is still unsolved.
But I was able to get it solved just by following 2. (1)~(2) without the process of 1. and 2.(3).

https://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-upgrade-produces-an-error-in-gpeditmsc/eed8da4a-dfa2-41f3-a23f-0a2dbcd345f7?auth=1
Damian (asker):
Hi Wayne,

Thanks very much for your quick response... I have not set any Internet Explorer 11 policies at all... I didn't know SBS 2008 R2 was even around when IE11 was out, but I will go through and carefully check on any policies relating to it and update this thread.

Cheers

Wayne88:

Hi DamoDaggler, not a problem at all. I have never come across that error before, so I am relying on Google to tell me what it is, and it seems like it pertains to IE11. Another idea is to create another group policy and make it really simple, then add more policies to it incrementally so you can test what got applied and what didn't. Just a thought.
Damian (asker):
FYI,

I decided to delete the 'corrupt' policy pertaining to the Remote Desktop Users OU and start a clean policy linked to the Remote Desktop GPO, but still got that same error... so I'm assuming some of my default templates may be corrupt.

[screenshot of the error attached by the asker]

Wayne88:

I would start with a fresh template and then add policies incrementally in this case. Good luck and let us know how it goes.
Damian (asker):
Thanks Wayne,

I'll follow those links you provided and refresh the templates.

I'll update the forum shortly.

Cheers
Damian (asker):
Just to update: strangely, the templates did not need replacing... after some time, I went back in to try another plan of attack, and an RSoP did not result in an error, which is good news.

However, if Alex Green, or anyone else, knows what he meant by "Drop your Terminal servers in there" in an earlier response... that would be great.
Damian (asker):
I was able to eventually unravel this. For others out there wanting to achieve the same: I created an OU in Active Directory called "Restricted RDS", placed an Active Directory user group under it, and added a user to that group. Then I went into Group Policy Management, created a new GPO (with heavy restrictions on the desktop environment) and linked it to the "Restricted RDS" OU. Finally, I put "Remote Desktop Users" under that GPO's Security Filtering.

Ran 'gpupdate /force' from a command line, logged in as the user I placed into the AD group (under Restricted RDS) and voilà... restricted desktop without harming the user's local PC desktop environment.

Thanks to Wayne88 and Alex Green for their assistance.
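The setup Damian describes above, together with the Security Filtering change Wayne recommended earlier (replace "Authenticated Users" with the restricted group), as an added PowerShell example that is not code from the thread. It assumes the ActiveDirectory and GroupPolicy modules are available on the server; the computer name TS01, the OU name "Terminal Servers" and the user "john" are placeholders. It also adds one step the thread only hints at ("drop your Terminal servers in there"): a loopback-processing GPO on the OU that holds the terminal server's computer account, so the restricted user settings take effect only on that server and not on the user's own PC.

```powershell
# Added example, not from the thread: "Restricted RDS" OU, group, GPO and
# Wayne's security-filtering change, plus loopback processing on the TS OU.
# Placeholders: computer TS01, user "john", OU "Terminal Servers".
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$userOu   = "OU=Restricted RDS,$domainDn"
$tsOu     = "OU=Terminal Servers,$domainDn"
$group    = "Restricted Remote Desktop"   # a security group: Security Filtering
                                          # takes users/groups/computers, not OUs
$gpoName  = "Restricted remote desktop"

# 1. User OU, security group inside it, and the test user as a member.
New-ADOrganizationalUnit -Name "Restricted RDS" -Path $domainDn
New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $userOu
Add-ADGroupMember -Identity $group -Members "john"

# 2. The restriction GPO (user-side settings). Two of the restrictions named in
#    the thread: prohibit Control Panel and remove the Run command.
New-GPO -Name $gpoName | Out-Null
$explorerKey = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
Set-GPRegistryValue -Name $gpoName -Key $explorerKey -ValueName NoControlPanel -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $explorerKey -ValueName NoRun -Type DWord -Value 1 | Out-Null

# 3. Security Filtering: Authenticated Users keeps Read only (the computer account
#    still has to read the GPO); only members of the group get Apply.
Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Confine the restrictions to the terminal server (not spelled out in the
#    thread): move the server's computer account into its own OU, link the
#    restriction GPO there, and turn on loopback processing in Replace mode so
#    user settings on that computer come only from GPOs in the computer's scope.
#    The GPO is deliberately NOT linked to the user OU, or it would follow
#    the user to the local PC.
New-ADOrganizationalUnit -Name "Terminal Servers" -Path $domainDn
Move-ADObject -Identity (Get-ADComputer -Identity "TS01").DistinguishedName -TargetPath $tsOu
New-GPLink -Name $gpoName -Target $tsOu | Out-Null
New-GPO -Name "RDS loopback" | Out-Null
Set-GPRegistryValue -Name "RDS loopback" -Key "HKLM\Software\Policies\Microsoft\Windows\System" -ValueName UserPolicyMode -Type DWord -Value 2 | Out-Null
New-GPLink -Name "RDS loopback" -Target $tsOu | Out-Null

# 5. Verify as Wayne suggested: refresh policy, then pull an RSoP report for
#    john as he would be seen when logging on to the terminal server.
gpupdate /force
Get-GPResultantSetOfPolicy -Computer "TS01" -User "john" -ReportType Html -Path "$env:TEMP\john-on-TS01.html"
```

Open the HTML report and confirm the restriction GPO appears under User Configuration for TS01 only; run the same cmdlet against the user's own PC to confirm it does not appear there.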