Thank you for posting your issue in the forum.
I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
Thank you for your understanding and support.
TechNet Community Support
Hope the blogs below can help you:
So far so good, I have disabled the favorites, libraries and local drives using the first link. I didn't know how to change the ownership/permission in regedit. Here are the steps. They are Windows 8 menus and slightly different but easy to follow.
Enable Control to Edit permissions in Regedit: Option 3, steps 1-12 http://www.eightforums.com/tutorials/2808-take-ownership-file-folder-drive-registry-key-windows-8-a.html
- Edited by WildHare Friday, July 19, 2013 9:53 PM typoo
One issue I see with this method below: yes, you can't see the drives from the Remote App program, but if you type \\computerName(remoteAppServer)\c: in the file save dialog you can see the remote drive/s.
I need a more secure way of removing the drives from the Remote App users..?
- Edited by WildHare Monday, July 22, 2013 5:52 PM typo
Regarding how to take ownership, the post you provided describes the steps correctly.
For your other concern, removing drives from RemoteApp users, we can configure the group policy User Configuration--Administrative Templates--Windows Components--Windows Explorer--Hide these specified drives in My Computer. For more information about the GP, please refer to the KB below:
The drives don't show up in My Computer or Explorer but they can be accessed via a network share \\computerName\c$\
I need to eliminate this access..?
Image below: RemoteApp Paint shows local drives only (good), but if I type \\computerName\c$\ I can see remote drives (bad)
- Edited by WildHare Thursday, July 25, 2013 5:48 PM logo
To fix this:
I created a group on the domain controller called RemoteAppUsers and added all the Remote App users to that group. Then I added that group to the NTFS permissions and removed all the file permissions from the server's local c: and d: drives for the RemoteAppUser group.
Next step: I want to create a folder per RemoteApp user that has a storage quota and this folder is only available (visible) to that particular RemoteApp user (users can only see their specific folders).
- Edited by WildHare Friday, July 26, 2013 8:27 PM addition
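A read-only check of the NTFS change described in the post above, as an added example that is not part of the original thread. It lists the ACEs on each drive root for the restricted group and for the built-in broad groups, and flags any that still grant write-type rights. The domain name `CONTOSO` and the drive list are placeholder assumptions.

```powershell
# Added example (not from the thread): audit drive-root ACLs on the RD Session Host.
# Assumptions: domain CONTOSO is a placeholder; drives C:\ and D:\ as in the post.
$RestrictedGroup = 'CONTOSO\RemoteAppUsers'
$DriveRoots      = 'C:\', 'D:\'
$BroadIdentities = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

# Only the write-type bits. Modify and FullControl are not used as masks because
# they also contain the read bits and would match read-only ACEs.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Get-Acl shows generic rights as raw numbers: GENERIC_WRITE 0x40000000, GENERIC_ALL 0x10000000.
$WriteMask = [int]$WriteRights -bor 0x50000000

$report = foreach ($root in $DriveRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }   # skip drives that do not exist

    $acl = Get-Acl -LiteralPath $root
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if (($BroadIdentities -notcontains $id) -and ($id -ne $RestrictedGroup)) { continue }

        $hasWriteBits = ([int]$ace.FileSystemRights -band $WriteMask) -ne 0
        [pscustomobject]@{
            Path        = $root
            Identity    = $id
            Type        = $ace.AccessControlType      # Allow or Deny
            Rights      = $ace.FileSystemRights
            AppliesTo   = $ace.InheritanceFlags       # None = this folder only
            GrantsWrite = ($ace.AccessControlType -eq 'Allow') -and $hasWriteBits
        }
    }
}

$report | Sort-Object Path, Identity | Format-Table -AutoSize

# Anything left here is a way for ordinary users to create or change files on the drive.
$report | Where-Object GrantsWrite |
    ForEach-Object { Write-Warning "$($_.Identity) can still write under $($_.Path): $($_.Rights)" }
```

The script only reads ACLs with `Get-Acl` and changes nothing. A user's effective access is the union of every group they belong to, so an Allow entry for a broad group still applies to RemoteApp users unless a Deny entry or the removal of that entry covers them.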
I have read the posts above and am trying to figure out if this is really the default behavior for RemoteApp users.
I have set up a Windows 2012 RDS farm.
In AD I created a group called Excel Users that is not a member of any other group.
I created a user - Exceluser01 which is a member of the Excel Users group only (removed domain users).
When this user runs the application via RDWEB, it opens fine and the user can use Excel with no problems.
The problem (for me as an administrator) starts when the user goes to "Save As" - at this point it seems like the user has ADMIN rights !!! to all the drives on this RDSH. This means that the user can modify file names, folder names, etc. anywhere in the system, and of course save the Excel file anywhere in the system.
My guess is that a RemoteApp user automatically gains access as an administrator running remote desktop.
Is creating group policies the only way to restrict RemoteApp users from accessing the server's file system?
Shouldn't Active Directory be the main authority to indicate that a very low level user won't get admin rights ever?