Windows 2012r2 Remote desktop services: session based: Locked down
I am trying to lock down the Remote Desktop Services sessions, just like I did with Windows 2003 TS.
I am following this article:
http://www.it.ltsoy.com/windows/lock-down-remote-desktop-services-server-2012/
I have done till disable registry modifications.
I stopped to check if the changes made were in effect before continuing.
What did work is the disable server manager popup at user logon.
Nothing else seems to have taken effect: just to mention a few
Microsoft administrative tools,
network and sharing center.
ABCD drives are still being seen.
What did I miss?
regards
Leopold
(First time I am doing GPO with > MS 2003, so maybe I am doing something wrong.)
Hi Leopold,
Here is a related article for you:
How to restrict users from accessing local drives of an RD Session Host server while using RemoteApp programs
http://blogs.msdn.com/b/rds/archive/2011/05/26/how-to-restrict-users-from-accessing-local-drives-of-an-rd-session-host-server-while-using-remoteapp-programs.aspx
If the group policy setting doesn’t take effect, please log off users then log back on.
If the issue persists, please run GPresult.exe to determine whether the setting is applied to users.
Gpresult
https://technet.microsoft.com/en-us/library/cc733160.aspx?f=255&MSPPError=-2147217396
Best Regards,
Amy
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
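A way to check, from inside the affected user's session, whether the drive restrictions actually landed, as an added example that is not part of the original thread. It assumes the restrictions are delivered by the Explorer policies that write the NoDrives ("Hide these specified drives in My Computer") and NoViewOnDrive ("Prevent access to drives from My Computer") values, which the thread does not name; the function names are hypothetical.

```powershell
# Added example, not from the thread. Run inside the restricted user's RD session.
# Assumption: the drive policies write NoDrives / NoViewOnDrive under the user's
# Explorer policy key. The expected letters A-D come from the question above.

function ConvertFrom-DriveMask {
    param([Parameter(Mandatory = $true)][int]$Mask)
    # The value is a bitmask: bit 0 is A:, bit 1 is B:, ... bit 25 is Z:
    $letters = for ($bit = 0; $bit -lt 26; $bit++) {
        if ($Mask -band (1 -shl $bit)) { [string][char](65 + $bit) }
    }
    return @($letters)
}

function Test-DrivePolicy {
    param(
        [string[]]$ExpectedLetters = @('A', 'B', 'C', 'D'),
        [string]$Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($name in 'NoDrives', 'NoViewOnDrive') {
        $prop = Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            # Value absent: the policy never reached this user's registry hive
            [pscustomobject]@{
                Value      = $name
                Applied    = $false
                Restricted = ''
                Missing    = $ExpectedLetters -join ','
            }
            continue
        }
        $restricted = @(ConvertFrom-DriveMask -Mask $prop.$name)
        # Letters that should be restricted but are not covered by the mask
        $missing = @($ExpectedLetters | Where-Object { $restricted -notcontains $_ })
        [pscustomobject]@{
            Value      = $name
            Applied    = $true
            Restricted = $restricted -join ','
            Missing    = $missing -join ','
        }
    }
}

# Registry view of what the session actually received
Test-DrivePolicy | Format-Table -AutoSize

# Group Policy view: which GPOs were applied to (or filtered out for) this user
gpresult /scope user /r
```

If both values are absent and the user section of the gpresult output does not list the lock-down GPO, the user-side settings did not apply to that account.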
Similar Messages
-
Accessing ASDM through MS Remote Desktop Services session based system
I am setting up an MS Remote Desktop Services system for a client. This is being configured as a jump server so everyone at the client will go through this system (aka jump server) to access systems via ssh, https, etc that are in a restricted part of the network. I am running into a problem getting ASDM to work. I can bring up the initial web page directly on the server via Internet Explorer, so that tells me I can get to the ASA. I have installed Java 1.7.10 as this is the recommended version on looking at the Java site for Windows 2012. When I try to install the dm_launcher, it says that Java isn't installed.
Has anyone been able to get this to work?
Ron
I've used ASDM fine from an RDS platform. I used Java 7 update 45. How are you trying to install the launcher?
Sent from Cisco Technical Support iPad App -
I have two domains. One is an account domain with a one way trust with the resource domain. Resource domain trusts the account domain and has a number of 2008R2 servers running within. I am experiencing severe logon delays
due to these servers being unable to access the server that hosts the user home folder specified directly on the user account profile tab from the account domain. When using my workstation in the actual account domain (corporate) I have no
problems.
Because of these network restrictions, I need to override the 2008R2's desire to access that user home folder location in the account domain.
So far the best thing I have found to try is Windows Components/remote desktop services/remote desktop session host/profile/Set Remote Desktop User Home Directory
The problem is that so far I have tried to configure this to point to both a local folder as well as a network path and it doesn't appear to be doing anything. Not seeing any errors in the app or system log either.
It is still trying to map the path in the account domain.
Any ideas?
Is there a better way to accomplish my goal? The servers in the resource domain will be Citrix servers and there will be a lot of users connecting from the account domain.
I tried this setting too, but it only seems to work on the 2012 machines in my Resource domain.
With the introduction of Windows 8 and Windows Server 2012 there is now a new group policy setting called “Set user home folder” and is found under Computer Configuration > Policies > Administrative Templates > System > User Profiles
Help!
Hi,
This might be due to permission problems. Please check whether the user accounts whose home folders are to be redirected have permissions on the shared folder specified on the server.
Check out the link below on Best Practice for creating Roaming Profile and Folder Redirection
http://www.grouppolicy.biz/2010/08/best-practice-roaming-profiles-and-folder-redirection-a-k-a-user-virtualization/
Regards,
Gopi
JiJi
Technologies -
Your Remote Desktop Services Session Has Ended - Occurs when running in background
Our remote desktop users are having an issue with the RD session ending whenever we are running it in the background. Namely the session will run as long as the computer is idle or I am actively working in RD. Within 4 minutes of leaving RD and working
in another application, I receive the message: Your Remote Desktop Services Session Has Ended
You are posting in the wrong forum. Post in the RDS forum for help with the RDS product.
¯\_(ツ)_/¯
Direct link:
https://social.technet.microsoft.com/Forums/en-us/home?forum=winserverTS%2CwinRDc&filter=alltypes&sort=lastpostdesc
Don't retire TechNet! -
(Don't give up yet - 13,085+ strong and growing) -
Questions in regards to server 2012R2 Remote desktop Service deployment and GPO
Hi Everyone
We have a business requirement to move to 2012R2 RDSH servers. I have installed a 2012R2 member server and enabled the Remote Desktop Licensing role. I have activated the licenses. The server is operational.
I have deployed 3 Windows 2012R2 member servers: "RDS1", "RDS2" and "RDS3".
on RDS1 I ran Add roles and Feature Wizard > Remote Desktop Services installation > Quick Start >Session based desktop deployment to complete the installation.
On RDS1 Server Manage Dashboard Page Select Remote Desktop Services > Overview. Under RD Licensing I added my 2012R2 license server "2012r2-tslic". Go to task. Edit deployment properties RD license mode to per device and click OK.
Reboot RDS1
Check RD Licensing Diagnoser everything is clear
On RDS2 I did the exact same thing ran Add roles and Feature Wizard > Remote Desktop Services installation > Quick Start >Session based desktop deployment to complete the installation.
But With RDS2 I move this server to an OU that link to a GPO with RD licensing details. after reboot the servers check RD Licensing Diagnoser I can see 2012r2-tslic specified as the license servers.
Based on this document
http://blogs.technet.com/b/askperf/archive/2013/09/20/rd-licensing-configuration-on-windows-server-2012.aspx
Are you supposed to configure RD license server via Remote desktop Service deployment? Not GPO?
Here are my questions
We currently have ten 2008R2 terminal servers in an NLB cluster. Each RDSH server has an in-house application installed on it. Users connect to the 2008R2 RDSH servers via RDP connection. We have a restricted GPO applied to those RDSH servers. Users cannot do anything on the RDSH servers apart from running the application and using Excel. In the Remote Desktop Session Host configuration we have enabled settings like end a disconnected session, active session limit, remote control of user sessions, and LPT port redirection.
We push out RD license server details via GPO to the terminal servers.
Can I use our existing GPO to apply the licensing server settings and desktop restriction settings to the 2012R2 RDSH servers, or should we be using the Remote Desktop Services deployment to do the job? If that is the case, how would you transfer the current 2008R2 environment to 2012 using the Remote Desktop Services deployment? Does that mean I have to manually configure them one by one?
Please help
Many thanks
Hi,
Please see my response to you in the other thread. Please contact me via email and I will go over the basic planning and deployment steps with you which will help clear things up and get you started off on the right foot.
You should only run through the wizard and create a RDS deployment once. Then you add the various servers (RDSH, RD Licensing, RD Gateway, etc), set Deployment properties, etc.
Thanks.
-TP -
Windows 2008 Remote Desktop Services - Word Spell Check
We are running Windows 2008 servers on our network with remote desktop services (terminal services). We are currently experiencing a challenge with Word 2010. The spell check feature is not working; when you try and run it, it gives an error "Microsoft Word
can't check the spelling or grammar in this document. An error occurred and this feature is no longer functioning properly." After about 5 clicks it comes up with "Cannot find the proofing tools for English (Australia)". Eventually it works, but I need to
get it to work the first time. I have searched all around but can't seem to find the answer.
I'd try them over here.
Word 2010 forum on Microsoft Answers
Word IT Pro forum on TechNet
Regards, Dave Patrick ....
Microsoft Certified Professional
Microsoft MVP [Windows]
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. -
Prevent Remote Desktop 2008R2 session from locking after 10 mins of inactivity
Do you have a screensaver setup?
GPEDIT -> User configuration -> Administrative templates -> control panel -> display
Change screen saver to disabled, and screen saver timeout to a high value just in case.
Sometimes there are issues with screensaver settings getting stuck; there is a reg fix for it as well:
[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaverIsSecure"="0"
Can someone direct me where to prevent the session from locking after 10 mins. I have read that this is a default behavior of 2008R2.
Thanks
This topic first appeared in the Spiceworks Community -
How to install the Remote Desktop Services role on a Windows 2012 R2 Server
Hello,
I am a bit confused on how to install the RDP role on a 2012 R2 server. I have a two server domain and would like to make the second member server an RDP server to host applications (Word, Excel, a medical software, etc.) where users from their windows
7 desktop will use the Remote Desktop Connection to connect to the server, create a session and do their work. When installing the role, I am prompted with two options:
1- Role-based or feature based installation
2- Remote Desktop services installation
I see the RDP install option in both cases.
1- Which one do I use?
2- What role services do I install? (Connection broker, Gateway, Licensing, Session Host, Virtualization host and Web access). I think I need the first four only.
3- When installing software after RDP, I use the Change user /install and Change user /execute commands. What happens to the software that is already installed? Can remote
users use those?
Any help will be very much appreciated.
Thank You,
Victor.
TP,
Thank you for your response. I added the RD Licensing thru the Role-based option.
Also opened the local group policy thru gpedit.msc and added the server name and the licensing mode type to Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session
Host -> Licensing
Use the specified RD license servers = NameOfMyServer
Set the Remote Desktop licensing mode = TypeOfMyLicense (Per User in my case)
Thank you again,
Victor -
Onscreen Keyboard appears when shadowing session on 2012R2 Remote Desktop Session Host
As the title suggests, whenever I shadow a session on our 2012R2 RDSH server, the onscreen keyboard appears. The taskbar also unlocks.
Both of these behaviours mean that the user can tell when their session is being shadowed, which I don't always want to be the case - sometimes I want to be able to monitor the session without their knowledge.
Anyone know how I can stop this from happening?
Hi,
Thank you for posting in Windows Server Forum.
Yeah, we can use the following command where we can take user shadow session without giving him any notification, and no need to approve by the user.
mstsc.exe /shadow:ID /v:ServerName /control /noConsentPrompt
But for this, we need to set the following group policy:
[Computer Configuration | User Configuration]
\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections
Set rules for remote control of Remote Desktop Services user sessions: Enable
Select the option: Full Control without User’s permission
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support -
To install Remote Desktop Services User CAL on Windows Server 2008 R2 Enterprise Edition with SP1
Dear Sir,
Presently we have installed Windows Server 2008 R2 Enterprise Edition with SP 1. And now I would like to install Remote Desktop Services User CAL on this server. I have 25 digit product key of Windows Server
2008 R2 Remote Desktop Services User CAL (20). Downloaded this product key from our MSDN Subscriptions.
Kindly suggest me how to install (CAL server with product key that I have) and configure remote desktop services on my above existing server also how to point other server with my CAL server.
Thanks
Hi,
1. Install Remote Desktop Session Host and Remote Desktop Licensing Role Services using Server Manager.
2. Open RD Licensing Manager (licmgr.exe), Activate your server, then install your license
3. In RD Session Host Configuration (tsconfig.msc), set the Licensing mode to Per User and Specify your RD Licensing server name (itself). If you want you may configure these two settings via group policy setting instead. The path of the
group policy settings is Computer Configuration\ Administrative Templates\ Windows Components\ Remote Desktop Services\ Remote Desktop Session Host\ Licensing
4. You may point other RDSH servers to your RD Licensing server using RD Session Host Configuration or via group policy as mentioned above.
5. Optionally you may consider installing other Remote Desktop Role Services such as RD Gateway, RD Web Access, RD Connection Broker, etc.
-TP -
Audio service hangs on Windows Server 2008R2 with Remote Desktop Services
Hello!
I have some terminal servers on Windows Server 2008R2. Users have the ability to use web browsers (IE, Firefox) with the included Flash Player, IM clients / Internet
telephony (Skype, ICQ), Windows Media Player, Office, and a specific internal software (works with MS SQL). I have the following problem: the Windows audio service hangs up that leads to hangup of all programs which use it, such as: any sites in Internet with
a flash content (in all browsers), ICQ, Skype. Even logging out the session hung when tried to lose a sound. It's impossible to stop or restart service from the services.msc the service just hang with status "restarting". To stop service I terminate svchost
process. As soon as the audio service is stopped - all programs start to work correctly (certainly without a sound). This problem appeared not suddenly - periodic hangups of programs on servers were marked long ago (more than half a year), but not directly
were connected to audio service, especially there were they rather rare (on the average once a week - two) and were corrected by server reset. The error message:
Error container , type 0
Event name: AppHangXProcB1
Reply: No data
Ident CAB: 0
Problem signature:
P1: iexplore.exe
P2: 9.0.8112.16446
P3: 4fb57c8f
P4: 77c1
P5: 131200
P6: svchost.exe:AudioClientRpc
P7: 0.0.0.0
P8:
P9:
P10:
shall suggest an idea about a sound service, but in Event Viewer has no Windows Audio events.
Recently I updated Skype to the last version 6.0.66.120. Before was 4.2.35.155 because versions 5xx on Windows2008R2 with the Remote Desktop Services actually don't
work, if users at the server more than one or two. We checked the sixth version by the test machine with the terminal environment and very were delighted to its normal working capacity. However after installation of this client on production servers it appeared
that hangups of programs on servers began to occur on the average time at an o'clock in case of an average daily load (about 20 users on one server). If you have worked one or two users, problems weren't watched. Internet search led me to the support page
Skype, where the Windows 7 x64 user faced a similar problem in the fifth version of the program. But the solutions proposed by the support team does not help me. In addition, I found the advice to disable enhancements in the properties of the playback device,
but it is impossible for the "Remote Audio" device.
At the moment, on servers where I updated the Skype, I disabled the audio service. If within a reasonable time, I do not find a solution, I will have to revert
to an older version of Skype, but I would like to solve the problem completely.
Enable the Allow audio and video playback redirection Group Policy setting
To allow audio and video playback when connecting to a computer running Windows Server 2008 R2, you must enable the Allow audio and video playback redirection Group Policy setting. The Allow audio and video playback redirection Group Policy setting is located
in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection and can be configured by using either Local Group Policy Editor or the Group Policy Management
Console (GPMC).
For more information about Group Policy settings for Remote Desktop Services, see the Remote Desktop Services Technical Reference (http://go.microsoft.com/fwlink/?LinkId=138134).
Is this policy applied? Refer:
http://technet.microsoft.com/en-us/library/dd759165.aspx
Also, have you tried update the audio device driver for this terminal server? -
Windows 2012 Remote desktop session host server not detecting RD licensing server
Hi,
We have a customer server which is Windows 2012. We installed RDS session host server role and configured it to use RD licensing server as per the
https://support.microsoft.com/kb/2833839?wa=wsignin1.0
After configuring, when I open RD License Diagnoser tool, it says, RD license server is not available. Also shows, credential not available. When I enter the credential by clicking, provide credentials, it does not get applied. I see no event logs related
to RD service. However, I see the below event log which points to RD licensing server.
DCOM was unable to communicate with the computer <RD license server> using any of the configured protocols; requested by PID 273c (C:\Windows\system32\mmc.exe).
Please help in fixing the issue.
Thanks,
Umesh
Hi Umesh,
Thanks for your comment.
During your configuration, have you specified RD License server for RDSH to use?
You can also specify a license server for the RD Session Host server to use by applying the Group Policy under below path.
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing
Use the specified Remote Desktop license servers – Provide the FQDN of the license servers to use
Also this setting can be specified by below method.
To configure the license server on RDSH/RDVH:
$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
$obj.SetSpecifiedLicenseServerList("License.contoso.com")
Note “License” is the name of the License Server in the environment
To verify the license server configuration on RDSH/RDVH:
$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
$obj.GetSpecifiedLicenseServerList()
More information.
RD Licensing Configuration on Windows Server 2012
http://blogs.technet.com/b/askperf/archive/2013/09/20/rd-licensing-configuration-on-windows-server-2012.aspx
In addition you can refer this article for reference.
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support -
Setting Up Remote Desktop Services Windows 2012 DMZ
Hi
I'm new to the Windows 2012 RDS. I am trying to figure out some things.
I have an application that I would like to publish to the outside world to our customers.
I'm thinking of using Windows 2012 remote desktop services and publish the app via web browser. So users go to the URL and see the application.
Do I need a client broker and gateway server for this setup? Or can I simply deploy a web access server on the DMZ which then connects to my remote session host server inside?
Hi,
To allow outside access into your RDS environment you would need to use the RD Gateway role. This can be configured on the same box as your RD Web Access role if resources are limited.
The RD Gateway role uses either TCP 443 or UDP 3391 depending on what you have chosen to configure. You need to create a port forwarding rule from and to the gateway box using 443.
Have a look at the following articles:
http://ryanmangansitblog.com/2013/03/27/deploying-remote-desktop-gateway-rds-2012/
http://ryanmangansitblog.com/2013/03/10/configuring-rds-2012-certificates-and-sso/
This should assist with the configuration.
Best regards,
Ryan Mangan | Ryanmangansitblog.com | Help keep the forums tidy, if this has helped please mark it as an answer -
Hello, dear colleagues.
We are using Windows Server 2012 R2 as Remote Desktop Server. Also use Windows Server 2008 R2 with Remote Desktop Service Manager to control RDS user sessions (Send Message, Disconnect, Logoff, Query Info).
Send Message, Disconnect, Logoff options work only for users in Administrators group.
I can't configure permissions for Remote Desktop Users, specific user or AD group.
To set permissions I'm running RDS Host Configuration on Windows Server 2008 R2 and connect to Windows Server 2012 R2. Then double-click RDP-Tcp, Security tab, add specific user account, AD group or configure advanced permissions for Remote Desktop Users.
But, as I said above, these options work only for users in Administrators group. How to make it work for Remote Desktop Users or specific user, AD group?
Thanks.
P.S. If move specific user from Remote Desktop Users group to Administrators group on Windows Server 2012 R2 - it works.
Hi,
You can prevent administrators from changing the permissions for a connection by applying the
Do not allow local administrators to customize permissions Group Policy setting.
This Group Policy setting is located in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
Apart from that, there is one command with which you can set the permission; for that, check the related article. Additionally, check this thread for more detail.
Hope it helps!
Thanks.
Dharmesh Solanki
-
Prevent Load Balancing in a Remote Desktop Services Deployment
We need to prevent two Remote Desktop Session Hosts from load balancing between each other. Currently they are load balanced and users don't have a means of ensuring they end up on a particular server. Is there any way that we can accomplish this?
Cheers
Hi,
You can try the group policy below; it might be useful in your case.
Computer configuration>Administrative Templates>Windows Components>Remote Desktop Services>Remote Desktop Session Host>RD Connection Broker
Use RD Connection Broker Load Balancing: Disable
Hope it helps!
Thanks.
Dharmesh Solanki