WMI filtering / GPO for non domain members

  • Question

  • Hi all,

    Our customer makes use of a Windows Server 2008 R2 RDS. We use some thin clients and Win7 workstations to connect with it inside our domain.

    We had a policy for automatic screen lock and secure with password, but they don't want to use it anymore for the users who are working internally. So I disabled this policy.

    What they want is a policy for all homeworkers or users connecting from an internet cafe or something. So if they are not connecting from a specific subnet or domain, the screens have to lock automatically after a few minutes.

    Does anyone know how I can do this? Do I have to create a WMI filter for computers which are not domain members or do I have to do this for a specific subnet?

    Thanks!

    Kind regards, Raymond

    Thursday, June 12, 2014 10:13 AM

All replies

  • As far as I know it cannot be done via Group Policy.  Connections to RDS are not filtered in that way.  You can create a second RDP endpoint and use that for external connections.  This can be used as a way of detecting who is remotely connected and then forcing the screensaver on.

    There is no way through WMI or other tools to do this.


    ¯\_(ツ)_/¯

    Thursday, June 12, 2014 1:53 PM
  • I thought I should clarify this based on your question:

    You say you want filtering based on "non-domain users".  Are you saying you have users connecting in that are not using AD accounts?  How are you doing this?  Are they using local accounts on the server?

    How are you allowing non-domain accounts to connect? Where are the accounts defined?

    Maybe you really are asking about domain users connecting from the WAN and not from the LAN.  Is that what you are trying to ask?


    ¯\_(ツ)_/¯

    Thursday, June 12, 2014 2:23 PM
  • Thanks for the reply!

    I mean "non-domain computers". So if a user connects to the terminal server in the office, the session doesn't have to lock automatically. But if the same user is working from home or another public location, the remote session has to lock automatically after a few minutes for security reasons.

    Hope you understand what I mean?

    Thanks!

    Thursday, June 12, 2014 2:40 PM
  • This has nothing to do with domain non-domain.  Thin clients are not domain computers.

    As I noted, there is really no way to detect that a client is coming from the WAN.  You can create a separate RDP connector for WAN connections and detect connections on that endpoint.  This is how I do this or, preferably, use a separate server for external connections, which allows for even more security.


    ¯\_(ツ)_/¯

    • Marked as answer by Raym0ndh Thursday, June 12, 2014 3:00 PM
    Thursday, June 12, 2014 2:58 PM
  • Thanks, we're going to use a separate server for the external connections.
    • Edited by Raym0ndh Thursday, June 12, 2014 3:02 PM
    Thursday, June 12, 2014 3:01 PM
  • Or a separate RDP connection with its own IP.

    ¯\_(ツ)_/¯

    Thursday, June 12, 2014 3:16 PM