I need to restrict access to some folders by RDP users

I am having a challenge with my MS Windows Server 2012 R2 folder permissions.
I set up Active Directory and all is fine with folder access on the local network; however, the problem is that all the RDP users have access to restricted folders.
I have specified some shared folders to be accessed by specific users, e.g. the Payroll folder is to be accessed by the accounts dept only; however, all the users that are accessing the server via RDP are able to access those restricted folders.
Your assistance will be appreciated.
Francis Banda Asked:

Lee W, MVP (Technology and Business Process Advisor) Commented:
You really haven't given enough information.  

I have specified some shared folders to be accessed by specific users. e.g. Payroll folder to be accessed by accounts dept only, however,  all the user that are accessing the server via RDP are able to access those restricted folders.
Your assistance will be appreciated.

How did you "restrict" these folders?  Share Permissions?  NTFS Permissions?  What exactly did you set?  It should be NTFS permissions that are set - share permissions only affect network access, not local access.  Screen shots of the permissions would be ideal if you want help - if you need help with getting/posting them, please see my article:  https://www.experts-exchange.com/articles/29715/Effective-Screenshots.html
nappy_d (There are a 1000 ways to skin the technology cat.) Commented:
Are you using your DC as an RDS server? This isn't the wisest direction (IMO) but since you're there already, I suggest:
- you implement a GPO to hide/restrict A~D drives.
- share the directories you want to be accessed
- Map the shared folders to letters such as G or H

Schnell Solutions (Systems Infrastructure Engineer) Commented:
Hello,

Here are some notes just in case.

1. If your folders are locally on the same RDP server, you should control the permissions at the disk level (NTFS) and not at the Share level.
2. Regularly, many RDP users are members of special groups that allow them to RDP into the server and execute some additional tasks. Take care with group nesting (groups into groups) and review carefully the groups that you are assigning the permissions to.
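
An audit of the two points above, as an added example that is not part of the original answer: it lists the NTFS entries on a restricted folder, flags broad principals that every RDP user falls under, and expands each group through all nesting levels. The folder path D:\Shares\Payroll is a hypothetical placeholder, and the script assumes the ActiveDirectory module is available (it is on a DC).

```powershell
# Added example (not from the thread). $Path is a hypothetical placeholder.
Import-Module ActiveDirectory

$Path = 'D:\Shares\Payroll'

# Principals that normally include every user logged on through RDP.
$Broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
         'NT AUTHORITY\INTERACTIVE', 'BUILTIN\Remote Desktop Users'

$acl = Get-Acl -LiteralPath $Path
"Inheritance blocked on folder: $($acl.AreAccessRulesProtected)"

# One row per NTFS access entry; inherited rows come from the parent folder.
$report = foreach ($ace in $acl.Access) {
    $id = $ace.IdentityReference.Value
    [pscustomobject]@{
        Identity  = $id
        Type      = $ace.AccessControlType
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
        TooBroad  = ($Broad -contains $id) -and ($ace.AccessControlType -eq 'Allow')
    }
}
$report | Format-Table -AutoSize

# Expand every group that is allowed access, following nested groups,
# to see which accounts actually end up with access.
$allowed = $report | Where-Object { $_.Type -eq 'Allow' } |
    Select-Object -ExpandProperty Identity -Unique

foreach ($id in $allowed) {
    $name  = ($id -split '\\')[-1]
    $group = Get-ADGroup -Filter "SamAccountName -eq '$name'"
    if (-not $group) { continue }   # a user, or not a directory group

    "`nEffective members of $($id):"
    try {
        Get-ADGroupMember -Identity $group -Recursive |
            Sort-Object SamAccountName |
            Select-Object SamAccountName, objectClass
    } catch {
        Write-Warning "Could not expand $($id): $($_.Exception.Message)"
    }
}
```

Rows marked TooBroad, or an Administrators entry whose expanded member list contains ordinary RDP users, explain why a locally logged-on user can open the folder regardless of the share permissions.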
nappy_d (There are a 1000 ways to skin the technology cat.) Commented:
You could also enable folder enumeration so that based on permissions they would or would not see directories.
Shaun Vermaak (Technical Specialist) Commented:
I setup Active Directory and all is fine with folder access local network, however, the problem is all the RDP users have access to restricted folders.
Chances are you added these users into elevated groups such as Administrators, DA etc. All they need is RDP users

Secure other admins with this process
https://www.experts-exchange.com/articles/29596/Securing-Active-Directory-Administrators-Groups.html

If you did give them DA/Admin, you created a situation where they could have obtained all password hashes
https://www.experts-exchange.com/articles/29569/How-to-extract-hashes-from-IFM-backup.html
Francis Banda (Author) Commented:
Hi all,

Thanks for the suggestions, I am working on them. I was away in the bush where there was no internet access (I am in Zambia).
I will revert shortly.

Thanks.
Francis.
Francis Banda (Author) Commented:
Hi All,

Thank you very much, I was able to resolve the problem.
As suggested by nappy_d and Schnell Solutions, I read up on Folder enumeration and Group policy and I have achieved my desired solution.

Thanks a lot!!