How to restrict RDP users to the desktop

tviman
How can I restrict remote desktop users to just the server desktop? I don't want them to have the ability to use anything on the start menu, file explorer, the system tray, etc. Just the server desktop they log into and the icons placed there. Is this possible?
 
I don't know how to do that, but there's another product that may give you the end result you're looking for. Citrix has the ability to put the icons on the user's desktop. Then when they double click to run it, the app's user interface with all windows and dialog boxes displays on their workstation, but the app is actually running on the server using all of its resources. Kind of like remote desktop without the desktop.

Citrix is very mature technology. In fact Citrix was the solution for sharing desktops before Windows copied it as their RDP.
 
I lock down users by using Group Policy. You'll need to go through the various settings and remove various privileges. Create a Group Policy object and call it something like "Lockdown users". Set all the appropriate values to get as "locked-down" as you want and then assign that GPO to the users. It does take some work to do it, but you only have to do it once.
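
An added example, not part of the post above: one way to script such a lockdown GPO with the GroupPolicy PowerShell module (RSAT). The OU path, the security group and the particular selection of restrictions are assumptions for illustration; only the GPO name comes from the post.

```powershell
#Requires -Modules GroupPolicy
# Assumed names (not from the thread); adjust for your own domain.
$GpoName = 'Lockdown users'                     # name suggested in the post
$UsersOU = 'OU=RDP Users,DC=example,DC=local'   # hypothetical OU holding the RDP accounts
$Group   = 'RDP-Restricted'                     # hypothetical group the GPO is filtered to

$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$cmd      = 'HKCU\Software\Policies\Microsoft\Windows\System'

# User-side policy values that remove the Start menu, Explorer and tray surfaces.
$settings = @(
    @{ Key = $explorer; Name = 'NoRun';                   Value = 1 }         # no Run dialog
    @{ Key = $explorer; Name = 'NoFind';                  Value = 1 }         # no Search
    @{ Key = $explorer; Name = 'NoStartMenuMorePrograms'; Value = 1 }         # no All Programs list
    @{ Key = $explorer; Name = 'NoControlPanel';          Value = 1 }         # no Control Panel / Settings
    @{ Key = $explorer; Name = 'NoSetTaskbar';            Value = 1 }         # no taskbar settings
    @{ Key = $explorer; Name = 'NoTrayContextMenu';       Value = 1 }         # no taskbar right-click menu
    @{ Key = $explorer; Name = 'NoTrayItemsDisplay';      Value = 1 }         # hide the notification area
    @{ Key = $explorer; Name = 'NoViewContextMenu';       Value = 1 }         # no Explorer right-click menu
    @{ Key = $explorer; Name = 'NoDrives';                Value = 67108863 }  # hide drives A-Z (0x03FFFFFF)
    @{ Key = $explorer; Name = 'NoViewOnDrive';           Value = 67108863 }  # block browsing drives A-Z
    @{ Key = $system;   Name = 'DisableTaskMgr';          Value = 1 }         # no Task Manager
    @{ Key = $system;   Name = 'DisableRegistryTools';    Value = 1 }         # no regedit
    @{ Key = $cmd;      Name = 'DisableCMD';              Value = 1 }         # no cmd.exe or batch files
)

$gpo = New-GPO -Name $GpoName -Comment 'Restrict RDP users to desktop icons only'
foreach ($s in $settings) {
    Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Name `
        -Type DWord -Value $s.Value | Out-Null
}

# Only user settings are defined, so skip computer-side processing.
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# Security filtering: apply to the restricted group only, so that
# administrators in the same OU are not locked down as well.
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

New-GPLink -Name $GpoName -Target $UsersOU -LinkEnabled Yes | Out-Null

# Review the resulting settings before any user logs on with them.
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\lockdown-users.html"
```

User-configuration settings linked to a users OU follow those accounts to every machine they log on to; linking the GPO to the OU that holds the RDP server and enabling loopback processing there is the usual way to confine the lockdown to that server.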
 
I will come across like a complete arsehole, however, should you be doing this kind of thing without some knowledge of what you are doing?

How many users are you servicing with this server?

Apart from your original question, so many more are running through my mind with this environment. Spec of server vs number of users. Licencing. Apps like Office suite - then more licencing.



ACSS - SME
General Geek
 
I'm going to agree with Sambones on this one.

This sounds more like a Citrix XenApps solution, where you just "publish" the applications that you want users to have access to.

Plus, if you're just publishing the applications, you don't have the "full desktop overhead".


Just my $.02

"What the captain doesn't realize is that we've secretly replaced his Dilithium Crystals with new Folger's Crystals."

--Greg
 
Not sure why we'd necessarily need to go XenApps, when this (running specific apps on the remote server) can be done with built-in functionality - Remote Desktop Services and RemoteApps.
 
strongm:

The way I usually explain it is this.

If you need a full remote desktop, then Windows Terminal Services is sufficient.

However, if you only want to publish one app, XenApps is the way. You don't have the overhead of the whole windows desktop running, and you can specifically publish the app to the user that you want them to use.

I'm not familiar with RemoteApps; if it's similar, then great. But if it loads a whole desktop, then XenApps is still the way to go.

You can, of course, give a user a whole desktop with XenApps as well. XenApps is also pretty good at load balancing over multiple servers.



Just my $.02

"What the captain doesn't realize is that we've secretly replaced his Dilithium Crystals with new Folger's Crystals."

--Greg
 
> if it's similar

Wouldn't have mentioned it otherwise.

>specifically publish the app to the user

As of W2K8 R2, yep

> load balancing
XenApps - and HorizonView - wins here
 
Windows Terminal Services, Web Access, is sufficient to publish Web apps, as many or as few as needed. This shows a 2012 setup, basically the same setup for the older Windows server operating systems.


Just using the RDP client to access a Windows server directly without the TS Gateway setup is a security risk. Allowing users to access your MAIN server is a security risk in itself, no less allowing access via port 3389 versus through port 443 (SSL).





........................................

"Computers in the future may weigh no more than 1.5 tons."
Popular Mechanics, 1949
 
Well, yes. RD Web Access is part of what I was referring to.
 
Web Access is great for "in the office" users but for users who are out of the office then you need an SSL certificate to use remote apps on Windows 2019. I was trying to avoid that expense, if possible.
 
>for users who are out of the office then you need an SSL certificate

You need a cert just for both RD Web Access and RD Gateway - so just how are you exposing your remote desktop to users who are out of the office?
 
An SSL cert is going to run you $8/year at NameCheap. It certainly shouldn't be an expense you work very hard to avoid.

Yet I see people spending hours to avoid having to get one. My time is worth more than that.

It's relatively easy to use native Microsoft tools to publish a single app to a user in pretty much the same fashion XenApp does.

Dave Shackelford
ThirdTier.net
 
>It's relatively easy to use native Microsoft tools to publish

Quite so!
 