Limited access for RemoteApp user (Windows Server 2012)

    Question

  •  Hi, I am trying to figure out how to restrict a RemoteApp user connection to only specific folders in Windows Server 2012 and also set up a quota for this specific folder.


    Wednesday, July 17, 2013 5:49 PM

All replies

  • Hi ,

    Thank you for posting your issue in the forum.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Best Regards,

    Andy Qi

    TechNet Subscriber Support



    Andy Qi
    TechNet Community Support

    Friday, July 19, 2013 7:54 AM
    Moderator
  • So far so good, I have disabled the favorites, libraries and local drives using the first link. I didn't know how to change the ownership/permission in regedit. Here are the steps; they are Windows 8 menus and slightly different but easy to follow.

    Enable Control to Edit permissions in Regedit: Option 3, steps 1-12

    http://www.eightforums.com/tutorials/2808-take-ownership-file-folder-drive-registry-key-windows-8-a.html


    • Edited by WildHare Friday, July 19, 2013 9:53 PM typoo
    Friday, July 19, 2013 9:52 PM
  • One issue I see with the method below: yes, you can't see the drives from the RemoteApp program, but if you type  \\computerName(remoteAppServer)\c:  in the file save dialog you can see the remote drive/s.

    I need a more secure way of removing the drives from the Remote App users..?

    http://blogs.msdn.com/b/rds/archive/2011/05/26/how-to-restrict-users-from-accessing-local-drives-of-an-rd-session-host-server-while-using-remoteapp-programs.aspx



    • Edited by WildHare Monday, July 22, 2013 5:52 PM typo
    Friday, July 19, 2013 11:08 PM
  • Hi,

    Regarding the issue of how to take ownership, the post you provided describes the steps correctly.

    For your other concern about removing drives from RemoteApp users, we can configure the User Configuration--Administrative Templates--Windows Components--Windows Explorer--Hide these specified drives in My Computer group policy. For more information about the GP, please refer to the KB below:

    http://support.microsoft.com/kb/231289

    Regards,

     



    Wednesday, July 24, 2013 8:04 AM
  • The drives don't show up in My computer or Explorer but they can be accessed via a network share \\computerName\c$\

    I need to eliminate this access..?

    Image below: RemoteApp Paint shows local drives only (good), but if I type \\computerName\c$\ I can see remote drives (bad)



    • Edited by WildHare Thursday, July 25, 2013 5:48 PM logo
    Thursday, July 25, 2013 5:41 PM
  • To fix this:

    I created a group on the domain controller called RemoteAppUsers and added all the RemoteApp users to that group. Then I added that group to the NTFS permissions and removed all the file permissions from the server's local c: d: drive for the RemoteAppUser group.

    Next step: I want to create a folder per RemoteApp user that has a storage quota and this folder is only available (visible) to that particular RemoteApp user (users can only see their specific folders).


    • Edited by WildHare Friday, July 26, 2013 8:27 PM addition
    Friday, July 26, 2013 8:15 PM
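
An added example, not part of any post in this thread: one way to build the "next step" described in the post above, a folder per RemoteApp user with a storage quota that only that user can open. The `D:\RemoteAppData` root, the 1 GB limit and both function names are assumptions; it is meant to run elevated on the RD Session Host with the Active Directory module and the File Server Resource Manager role service installed.

```powershell
# Added example. Assumed names: $Root path, quota size, function names.
Import-Module ActiveDirectory, FileServerResourceManager

function Set-ExclusiveAcl {
    param([string]$Path, [System.Security.Principal.SecurityIdentifier]$User)

    # Start from an empty descriptor and block inheritance, so no ACE from
    # the volume root (for example BUILTIN\Users) carries over to this folder.
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)

    # Well-known SIDs: BUILTIN\Administrators and NT AUTHORITY\SYSTEM.
    $grants = @{ 'S-1-5-32-544' = 'FullControl'; 'S-1-5-18' = 'FullControl' }
    if ($User) { $grants[$User.Value] = 'Modify' }

    $inherit = 'ContainerInherit, ObjectInherit'
    foreach ($sid in $grants.Keys) {
        $id     = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sid
        $rights = $grants[$sid]
        $rule   = New-Object System.Security.AccessControl.FileSystemAccessRule `
                      -ArgumentList $id, $rights, $inherit, 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function New-RemoteAppUserFolder {
    param(
        [string]$Root      = 'D:\RemoteAppData',  # assumed location
        [string]$GroupName = 'RemoteAppUsers',    # group created in the thread
        [uint64]$QuotaSize = 1GB                  # assumed per-user limit
    )
    # Root: administrators only. Users hold no ACE here, so they cannot list
    # sibling folders; the default "Bypass traverse checking" right still lets
    # each user reach their own folder by its full path.
    New-Item -Path $Root -ItemType Directory -Force | Out-Null
    Set-ExclusiveAcl -Path $Root

    $users = Get-ADGroupMember -Identity $GroupName -Recursive |
             Where-Object { $_.objectClass -eq 'user' }
    foreach ($u in $users) {
        $dir = Join-Path $Root $u.SamAccountName
        New-Item -Path $dir -ItemType Directory -Force | Out-Null
        Set-ExclusiveAcl -Path $dir -User $u.SID

        # Hard quota (no -SoftLimit): writes fail once the limit is reached.
        if (-not (Get-FsrmQuota -Path $dir -ErrorAction SilentlyContinue)) {
            New-FsrmQuota -Path $dir -Size $QuotaSize | Out-Null
        }
    }
}
```

Calling `New-RemoteAppUserFolder` again after adding users to the group creates only the missing folders and quotas; `Get-Acl` on a user folder should list exactly three entries (Administrators, SYSTEM and that user).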
  • Hi,

    I have read the posts above and am trying to figure out if this is really the default behavior for RemoteApp users.

    I have set up a Windows 2012 RDS farm.

    In AD I created a group called Excel Users that is not a member of any other group.

    I created a user - Exceluser01 which is a member of the Excel Users group only (removed domain users).

    When this user runs the application via RDWEB, it opens fine and the user can use the Excel with no problems.

    The problem (for me as an administrator) starts when the user goes to "Save As" - at this point it seems like the user has ADMIN rights !!! to all the drives on this RDSH. This means that the user can modify file names, folder names, etc. anywhere in the system, and of course save the Excel file anywhere in the system.

    My guess is that a RemoteApp user automatically gains access as an administrator running remote desktop.

    Is creating group policies the only way to restrict RemoteApp users from accessing the server's file system?

    Shouldn't Active Directory be the main authority to indicate that a very low level user won't get admin rights ever?

    Thursday, January 15, 2015 6:49 PM