Damian
asked on
Creating a foolproof Remote Desktop Environment on SBS 2008 R2
Hey people,
I am pondering a good method to limit users' Remote Desktop environments without restricting their local desktop environments. For example, one particular standard user, John, logs into his Windows desktop PC, can send email, can edit his Control Panel preferences, open Word, Excel etc., but then logs into the Remote Desktop Server and can only open MYOB... no access to the Start menu, Control Panel or doing anything silly... like shutting down the server.
I've seen this before, from what I gathered.. it could have been achieved with a bit of Group Policy workmanship, if I am not mistaken.
Remote Desktop is running on Windows SBS 2008 R2. Clients are Windows 7.
It's called server hardening
https://www.newnettechnologies.com/server-hardening-policy.html#operating-system-configuration
There are loads of websites, via google. However, I'd set up a group policy, apply it to your user OU and then lock it down from there.
Cheers
ASKER
Thanks Alex Green,
So I guess my question then becomes: how do you prevent affecting the user's local computer (domain-joined) profile, so their local profile doesn't succumb to the same stringent Remote Desktop policy?
ASKER
Thanks Alex,
I actually wanted to keep Remote Desktop Users, as default, to allow a full experience for administrators RD'ing in, and just affect the 'standard users' or as you say 'domain users'.
But, when you say "drop your Terminal Servers there" in regard to the OU in Active Directory, are you referring to the group "Terminal Servers" ?
ASKER
Thanks again Alex !
Just a little confused about what you meant by...
"Ahhh ok
Create a new OU
Drop your Terminal servers in there"
..So... you mean put the Terminal Server, in my case my TS & DC, in the newly created OU?!
Cheers!
ASKER
Further to that
PS. Does Group Policy (in a user's remote session) give me, the admin, the ability to change the location where the user profiles are stored?
I agree with MAL, what you're trying to do is best on a separate TS server. If you have the SBS Premium version then it should have come with an additional standard server license which you can use as a TS.
If you still insist on doing this on SBS, I think the best thing to do is create a group policy for each different desktop profile, then enforce this policy on the users in that group via GPO. Here is an article on where to look, "Manage User Profiles for Remote Desktop Services", which should get you started on the right path.
https://technet.microsoft.com/en-us/library/cc742820(v=ws.11).aspx
ASKER
Thanks Wayne & Mal,
I can appreciate that having a Terminal Server on a domain controller is not ideal.
But this needs to be done within the confines of the existing hardware, there is no additional budget to purchase an additional server.
In that case then I would first create a special remote desktop user group and assign a strict desktop profile to that group via GPO. So they will get limited controls when logging on via Remote Desktop.
ASKER
Hi Wayne,
Thanks for your quick response.
So far, I have created an OU in AD Users & Groups titled "Restricted remote desktop".
In Group Policy Management, I have created a GPO for this OU with the same title. I have edited the policy and prohibited access to various things like 'command prompt', 'control panel' and many other things.
But here's where I seem to be getting lost: the "Restricted remote desktop" GPO's 'Security Filtering' contains "Authenticated Users", and in Active Directory the "Restricted Remote Desktop" OU contains my 'test' user (member of Domain Users). But I'm concerned this GPO will affect local users' desktop profiles, correct?
Hi DamoDiggler,
I believe in the security filtering you just apply it to the "Restricted remote desktop group" (add this) instead of all "authenticated users" (remove this from security filtering).
It's almost the same way as you would create a GPO to only map a department printer to people in that group/department.
Once done, let's test it: open a CMD window, then do a "GPUPDATE /FORCE" on the SBS and client. Then try RDP again.
Wayne
ASKER
Hi Wayne,
Thanks again for your prompt response.
What you said makes perfect sense, but I am not seeing my AD OU "Restricted Remote Desktop" as an available option when I try to 'Add' to the GPO's "Security Filtering" list... I can see everything else from AD though.
Hi DamoDiggler, did you create a security group called "Restricted Remote Desktop"?
ASKER
I created an Active Directory Organizational Unit called "Restricted Remote Desktop"; the icon has a small book over the folder... I can add "users" if I wanted to, so I'm assuming Security Filtering can only add users & groups and not an actual OU...
I checked my AD and I selected a specific security group for a specific GPO. In any case, you can try applying to an OU and test.
"In the Enter the object name to select box, type the name of the group, user, or computer that you want to add to the security filter. "
https://technet.microsoft.com/en-us/library/cc752992(v=ws.11).aspx
ASKER
Ok, well I assume you can't add an OU to an OU. Adding to Security Filtering seems to work fine when selecting Groups and Users, which is no biggie; I'll just create a group of users in AD instead of an OU.
Let me know how it goes. Have a good evening.
ASKER
hmmm.. not having much luck with this. My test user 'john' is part of 'domain users' & 'restricted remote desktop', which has the GPO that does all the RD restriction. But when I log in to RD he now has a full environment. If I take out 'domain users', John can no longer log in to Remote Desktop at all
:\
Setup MYOB as a remote app.
What happens when you do RSoP (Resultant Set of Policy) to see how the policy affects the group? Just curious to see if it got applied correctly.
Good evening DamoDiggler. The GP you created may have crashed before it finished and hence is not applying as it should.
That error seems to be related to IE11. Did you have any policy for IE? If yes, try not setting any policy for IE, then reapply the GP, or you can try the solutions as mentioned here:
But if you are not able to get the problem solved, or even get another error from different line and column, try this.
(1) download 'administrative templates for internet explorer' from https://www.microsoft.com/en-us/download/details.aspx?id=40905
(2) extract, copy and paste the en-us\inetres.adml file to C:\Windows\PolicyDefinitions\en-us to overwrite
for example, if you are using Japanese IE, copy and paste the ja-jp\inetres.adml file to C:\Windows\PolicyDefinitions\ja-jp
(3) you may also overwrite the C:\Windows\PolicyDefinitions\inetres.admx file if it is still unsolved.
But I was able to get it solved just by following 2. (1)~(2) without the process of 1. and 2.(3).
https://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-upgrade-produces-an-error-in-gpeditmsc/eed8da4a-dfa2-41f3-a23f-0a2dbcd345f7?auth=1
ASKER
Hi Wayne,
Thanks very much for your quick response.. I have not set any Internet Explorer 11 policies at all... I didn't know SBS 2008 R2 was even around when IE11 was out, but I will go through and carefully check on any policies relating to it and update this thread.
Cheers
Hi DamoDaggler, not a problem at all. I have never come across that error before so I am relying on Google to tell me what it is, and it seems like it pertains to IE11. Another idea is to create another group policy and make it really simple, then add more policies to it in increments so you can test what got applied and what didn't. Just a thought.
ASKER
I would start with a fresh template then add policies in increments in this case. Good luck and let us know how it goes.
ASKER
Thanks Wayne,
I'll follow those links you provided and refresh the templates.
I'll update the forum shortly.
Cheers
ASKER
Just to update: Strangely, the templates did not need replacing... after some time, I went back in to try another plan of attack, and an RSoP did not result in an error, which is good news.
However, if Alex Green, or anyone else, knows what he meant by "Drop your Terminal servers in there" in an earlier response... that would be great.
ASKER
I was able to eventually unravel this. For others out there wanting to achieve the same: I created an OU in Active Directory called "Restricted RDS", placed an Active Directory user group under it, and added a user to that group. Then I went into Group Policy Management and created a new GPO (with heavy restrictions on the desktop environment) and linked it to the "Restricted RDS" OU. Finally, I put "Remote Desktop Users" under that GPO's Security Filtering.
Ran a command line 'gpupdate /force', logged in as that user I placed into the AD group (under Restricted RDS) and voilà.. restricted desktop without harming the user's local PC desktop environment.
Thanks to Wayne88 and Alex Green for their assistance.
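The OU / group / GPO / security-filtering procedure worked out above, scripted as an added example (this is not code from the thread or from any of its participants). It uses the ActiveDirectory and GroupPolicy PowerShell modules; the domain name contoso.local, the test account john, the server name SBSSERVER and the registry values behind the three restrictions are my assumptions, while the OU, group and GPO names come from the thread. The GroupPolicy module ships with Windows Server 2008 R2 and with RSAT, so on an SBS 2008 box run it from a Windows 7 workstation with RSAT installed.

```powershell
# Added example, not from the thread. Assumed: domain DC=contoso,DC=local,
# test user "john", terminal server "SBSSERVER". Names of the OU, group and
# GPO are the ones Damian used.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = 'DC=contoso,DC=local'           # assumed domain
$OuName   = 'Restricted RDS'
$OuDN     = "OU=$OuName,$DomainDN"
$Group    = 'Restricted Remote Desktop'
$GpoName  = 'Restricted remote desktop'
$TestUser = 'john'                           # assumed test account
$Server   = 'SBSSERVER'                      # assumed terminal server name

# 1. OU, security group inside it, and the test user moved into the OU.
#    A user GPO linked to an OU only reaches user objects located in that OU;
#    a group object sitting in the OU does not by itself put its members in scope.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
}
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security -Path $OuDN
}
Add-ADGroupMember -Identity $Group -Members $TestUser
Move-ADObject -Identity (Get-ADUser $TestUser).DistinguishedName -TargetPath $OuDN

# 2. GPO carrying the user-side restrictions named in the thread. These are the
#    registry values behind the matching User Configuration > Administrative
#    Templates settings (command prompt, Control Panel, Shut Down).
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}
$Explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$System   = 'HKCU\Software\Policies\Microsoft\Windows\System'
Set-GPRegistryValue -Name $GpoName -Key $System   -ValueName DisableCMD     -Type DWord -Value 1  # Prevent access to the command prompt
Set-GPRegistryValue -Name $GpoName -Key $Explorer -ValueName NoControlPanel -Type DWord -Value 1  # Prohibit access to Control Panel
Set-GPRegistryValue -Name $GpoName -Key $Explorer -ValueName NoClose        -Type DWord -Value 1  # Remove Shut Down from the Start menu

# 3. Link the GPO to the OU and scope it with security filtering: the group gets
#    Apply, and Authenticated Users is demoted from Apply to Read (computers and
#    other principals still need Read so the GPO can be processed at all).
New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes -ErrorAction SilentlyContinue
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace

# 4. Verify: list who actually has Apply on the GPO, refresh policy, and build
#    an RSoP report for the test user on the terminal server (Wayne's check).
Get-GPPermission -Name $GpoName -All | Where-Object { $_.Permission -eq 'GpoApply' }
gpupdate /force
Get-GPResultantSetOfPolicy -User "contoso\$TestUser" -Computer $Server -ReportType Html -Path "$env:TEMP\rsop-$TestUser.html"
```

Two points worth knowing before running it. First, a user-side GPO linked to the user's OU follows the user to every machine, which is exactly the concern raised earlier in the thread; the way to confine user settings to one server is to link the GPO to an OU holding that server's computer account and enable "Configure user Group Policy loopback processing mode" under Computer Configuration > Administrative Templates > System > Group Policy (my reading of Alex's "drop your Terminal servers in there" hint, not something the thread states). Second, never move a domain controller's computer account out of the Domain Controllers OU to do that; when the TS and the DC are the same box, as here, link the loopback GPO to the Domain Controllers OU instead and keep its scope narrow with security filtering. For the "MYOB only" goal, the RemoteApp route suggested in the thread avoids all of this.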
If you just want users to use MYOB, then it might be best to publish this as a RemoteApp.
https://social.technet.microsoft.com/wiki/contents/articles/2345.publish-a-remoteapp-application-on-remote-desktop-service.aspx