Remove From My Forums

limited access for remote app user. (windows server 2012)

Question

0

Sign in to vote

Hi I am trying to figure out how to restrict a remote app user connection to only specific folders in windows server 2012 and also setup a quota for this specific folder.

Wednesday, July 17, 2013 5:49 PM

Reply

|

Quote

All replies

0

Sign in to vote

Hi ,

Thank you for posting your issue in the forum.

I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

Thank you for your understanding and support.

Best Regards,

Andy Qi

TechNet Subscriber Support

If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Andy Qi
TechNet Community Support

Friday, July 19, 2013 7:54 AM

Reply

|

Quote

Moderator

0

Sign in to vote

Hi,

Wish below Blogs can help you:

http://blogs.msdn.com/b/rds/archive/2011/05/26/how-to-restrict-users-from-accessing-local-drives-of-an-rd-session-host-server-while-using-remoteapp-programs.aspx
http://blog.concurrency.com/infrastructure/rds8-quick-and-easy-remoteapp-on-windows-server-2012/
http://blogs.technet.com/b/yungchou/archive/2013/02/07/remote-desktop-services-rds-quick-start-deployment-for-remoteapp-windows-server-2012-style.aspx
http://blogs.technet.com/b/askperf/archive/2012/10/30/windows-8-windows-server-2012-remote-desktop-management-server.aspx

Regards,
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Friday, July 19, 2013 11:00 AM

Reply

|

Quote

0

Sign in to vote
So far so good, I have disabled the favorites, library's and local drives using the first link. I did't know how to change the ownership /permission in regedit. here are the steps.. they are windows8 menu's and slightly different but easy to follow.

Enable Control to Edit permissions in Regedit Option 3 . steps 1-12

http://www.eightforums.com/tutorials/2808-take-ownership-file-folder-drive-registry-key-windows-8-a.html
- Edited by WildHare Friday, July 19, 2013 9:53 PM typoo
Friday, July 19, 2013 9:52 PM

Reply

|

Quote

0

Sign in to vote
One issue I see with this method below, yes you can't see the drivers from Remote App program, but if you type \\computerName(remoteAppServer)\c: in the file save dialog you can see the remote drive/s.

I need a more secure way of removing the drives from the Remote App users..?

http://blogs.msdn.com/b/rds/archive/2011/05/26/how-to-restrict-users-from-accessing-local-drives-of-an-rd-session-host-server-while-using-remoteapp-programs.aspx
- Edited by WildHare Monday, July 22, 2013 5:52 PM typo
Friday, July 19, 2013 11:08 PM

Reply

|

Quote

0

Sign in to vote

Hi,

Regarding the issue that how to take ownership, the post you provided is correct talking about the steps.

For your another concern that removing drives from RemoteApp users, we can configure User Configuration--Administrative Templates--Windows Components--Windows Explorer--Hide these specified drives in My Computer group policy. For more information abou the GP, please refer to below KB:

http://support.microsoft.com/kb/231289

Regards,

Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Wednesday, July 24, 2013 8:04 AM

Reply

|

Quote

0

Sign in to vote
The drives don't show up in My computer or Explorer but they can be accessed via a network share \\computerName\c$\

I need to eliminate this access..?

Image below: remoteApp paint, shows local drives only (good) but if I type \\conputerName\c$\ I can see remote drives (bad)
- Edited by WildHare Thursday, July 25, 2013 5:48 PM logo
Thursday, July 25, 2013 5:41 PM

Reply

|

Quote

0

Sign in to vote
To fix this:

I created a group on the domain controller called RemoteAppUsers and added all the Remote App users to that group. Then I add that group to the NTFS permissions and removed all the file permissions from the servers local c: d: drive for the RemoteAppUser group.

Next step: I want to create a folder per RemoteApp user that has a storage quota and this folder is only available (visible) to that particular RemoteApp user (users can only see their specific folders).
- Edited by WildHare Friday, July 26, 2013 8:27 PM addition
Friday, July 26, 2013 8:15 PM

Reply

|

Quote

0

Sign in to vote

Hi,

I have read the posts above and trying to figure out if this is really the default behavior for RemoteApp users.

I have set up a Windows 2012 RDS farm.

In AD I created a group called Excel Users that is not a member of any other group.

I created a user - Exceluser01 which is a member of the Excel Users group only (removed domain users).

When this user runs the application via RDWEB, it opens fine and the user can use the Excel with no problems.

The problem (for me as an administrator) starts when the user goes to "Save As" - at this point it seems like

the user has ADMIN rights !!! to all the drives on this RDSH. This means that the user can modify file names, folder names, etc. anywhere in the system, and of course save the excel file anywhere in the system.

My guess is that a RemoteApp user automatically gains access as an administrator running remote desktop.

Is creating group policies the only way to restrict RemoteApp users from accessing the server's file system ?

Shouldn't active directory be the main authority to indicate that a very low level user won't get admin rights ever ?

Thursday, January 15, 2015 6:49 PM

Reply

|

Quote