Drive Redirection + Group Policies...


dt_moore@hotmail.com

Hi Guys,

This is probably the dumbest question anyone has ever asked...but
would appreciate it if someone could point me in the right direction.

Right now we have a Win2003 Server (domain controller) which users
connect to using Remote Desktop. I want to be able to enable drive
redirection (show local drives) for admin users and disable the drive
redirection for normal users.

I have setup two group policies, one for Admins and another linked to
a security group I defined, which all the normal users are members of.
The "Do not allow drive redirection" policy is DISABLED in the admin
policy and ENABLED in the normal users policy (so the two policies have
conflicting settings). But the result I am getting depends on the
precedence order I apply in Linked Group Policy Objects tab in the
Group Policy Management Console. The result is either everyone gets to
see the local drives or nobody does. I cannot figure out why this is
the case.

I guess I am missing something or have this completely wrong...

Thanks in advance

David

Vera Noest [MVP]

Since your question has little to do with TS in itself, you should
probably have posted it to a group policies newsgroup like
microsoft.public.windows.group_policy

That said, there's one major problem with the description of your
setup:
> I have setup two group policies, one for Admins and another
> linked to a security group I defined, which all the normal users
> are members of.


GPOs cannot be linked to security groups.
GPOs can be linked to sites, domains and OU's.
Their application can be filtered by security groups.

But in your case, filtering the GPOs by security groups wouldn't
solve your problem either, since the "Do not allow drive
redirection" setting is part of the Computer Configuration node of
the policy.

From
http://ts.veranoest.net/ts_faq_client_resources.htm#multiple_listeners

Q: How can I allow only a subset of my users to redirect their
local printers and drives?

A: The settings in Terminal Services Configuration or GPO to
restrict printer and drive redirection are server-wide settings.
They don't allow you to configure redirection based on user group
membership. You can, however, achieve this by creating multiple RDP
listeners and enable/disable printer and drive redirection on a per
listener basis. Since you can only have a single rdp-tcp listener
per physical network card, you must have at least two NICs in the
server for this solution.

Modify the permissions on the rdp-tcp connection so that *only* the
redirection enabled User Group and Administrators have permission
to connect via the redirection enabled listener.

The only disadvantage of this method is that each listener must use
a unique port. For example, you could have the redirection disabled
listener on port 3389 and the redirection enabled listener on port
3390.

187623 - How to Change Terminal Server's Listening Port
http://support.microsoft.com/?kbid=187623


And I assume that you know that it is *not* recommended to run
Terminal Services on a DC?

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

dt_moore@hotmail.com wrote on 20 jul 2007 in
microsoft.public.windows.terminal_services:

> Hi Guys,
>
> This is probably the dumbest question anyone has ever
> asked...but would appreciate it if someone could point me in the
> right direction.
>
> Right now we have a Win2003 Server (domain controller) which
> users connect to using Remote Desktop. I want to be able to
> enable drive redirection (show local drives) for admin users and
> disable the drive redirection for normal users.
>
> I have setup two group policies, one for Admins and another
> linked to a security group I defined, which all the normal users
> are members of. The "Do not allow drive redirection" policy is
> DISABLED in the admin policy and ENABLED in the normal users
> policy (so the two policies have conflicting settings). But the
> result I am getting depends on the precedence order I apply in
> Linked Group Policy Objects tab in the Group Policy Management
> Console. The result is either everyone gets to see the local
> drives or nobody does. I cannot figure out why this is the case.
>
> I guess I am missing something or have this completely wrong...
>
> Thanks in advance
>
> David

Lanwench [MVP - Exchange]

dt_moore@hotmail.com wrote:
> Hi Guys,
>
> This is probably the dumbest question anyone has ever asked...


Oh, I doubt that, seriously :)

> but
> would appreciate it if someone could point me in the right direction.
>
> Right now we have a Win2003 Server (domain controller) which users
> connect to using Remote Desktop. I want to be able to enable drive
> redirection (show local drives) for admin users and disable the drive
> redirection for normal users.


Normal users shouldn't be logging into a DC at all, whether at the console
or via RD.
If you have a terminal services box, it should be for TS use only - no other
roles on the network.
>
> I have setup two group policies, one for Admins and another linked to
> a security group I defined, which all the normal users are members of.
> The "Do not allow drive redirection" policy is DISABLED in the admin
> policy and ENABLED in the normal users policy (so the two policies have
> conflicting settings). But the result I am getting depends on the
> precedence order I apply in Linked Group Policy Objects tab in the
> Group Policy Management Console. The result is either everyone gets to
> see the local drives or nobody does. I cannot figure out why this is
> the case.
>
> I guess I am missing something or have this completely wrong...
>
> Thanks in advance
>
> David


As someone else suggested, try posting in m.p.windows.group_policy ....but I
suggest you heed my advice above.

dt_moore@hotmail.com

Hi Vera! Sorry, I think I might have sent you a mail instead of
posting here, apologies...

Thanks for your response, I will check out what I can do about the
setup and try to put it right.

So I guess I have another question which is definitely more on
topic...

I was wondering if I could control the drive mapping using the Active
Directory Users and Computers \ UserXXX Properties - Environment Tab
to control the drive mapping...provided I enable the drive mapping and
check the "Use connection settings from User settings" check box...

I am going to give it a try...

Thanks

David

Vera Noest [MVP]

Depends on what you want to achieve.
If you want to disable drive redirection: yes, that's possible, but
there's no need to set it in each user account property.
If you want to enforce drive redirection: no, you can't do that.
The user can modify this in the rdp client. They will have to
confirm drive redirection as well, since they will get a warning
that it poses a security risk.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

dt_moore@hotmail.com wrote on 23 jul 2007:

> Hi Vera! Sorry, I think I might have sent you a mail instead of
> posting here, apologies...
>
> Thanks for your response, I will check out what I can do about
> the setup and try to put it right.
>
> So I guess I have another question which is definitely more on
> topic...
>
> I was wondering if I could control the drive mapping using the
> Active Directory Users and Computers \ UserXXX Properties -
> Environment Tab to control the drive mapping...provided I enable
> the drive mapping and check the "Use connection settings from
> User settings" check box...
>
> I am going to give it a try...
>
> Thanks
>
> David

TP

Hi Vera,

You can have multiple listeners on the same card as long as they
use different ports. Terminal Services Configuration supports
editing the multiple listeners once they exist, however, it does
not support their initial creation.

Creating a new listener is simply a matter of exporting the registry
key, modifying the key name (i.e. change "RDP-Tcp" to "RDP-Admin")
and PortNumber, save, and then double-click the file to import. The
new listener is ready to receive connections immediately.

With 2008 TS Gateway you can use multiple TS CAPs to accomplish
selective restriction based on groups.

-TP

Vera Noest [MVP] wrote:
> ...snipped
> From
> http://ts.veranoest.net/ts_faq_client_resources.htm#multiple_listeners
>
> Q: How can I allow only a subset of my users to redirect their
> local printers and drives?
>
> A: The settings in Terminal Services Configuration or GPO to
> restrict printer and drive redirection are server-wide settings.
> They don't allow you to configure redirection based on user group
> membership. You can, however, achieve this by creating multiple RDP
> listeners and enable/disable printer and drive redirection on a per
> listener basis. Since you can only have a single rdp-tcp listener
> per physical network card, you must have at least two NICs in the
> server for this solution.
>
> Modify the permissions on the rdp-tcp connection so that *only* the
> redirection enabled User Group and Administrators have permission
> to connect via the redirection enabled listener.
>
> The only disadvantage of this method is that each listener must use
> a unique port. For example, you could have the redirection disabled
> listener on port 3389 and the redirection enabled listener on port
> 3390.
>
> 187623 - How to Change Terminal Server's Listening Port
> http://support.microsoft.com/?kbid=187623
>
>
> And I assume that you know that it is *not* recommended to run
> Terminal Services on a DC?
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
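The two-listener approach from Vera's FAQ excerpt and TP's registry procedure, combined into one added PowerShell example (not code from the thread, the FAQ, or Microsoft). It assumes the WinStations key that KB 187623 describes and that the per-listener DWORD value fDisableCdm (1 = client drive mapping off) is the registry form of "Do not allow drive redirection"; it audits every listener, then clones RDP-Tcp into a second listener on its own port, refusing a port that another listener already uses.

```powershell
# Added example, not code from the thread or from Vera's FAQ: audit the RDP
# listeners on a Windows Server 2003 terminal server and, following TP's
# procedure, clone RDP-Tcp into a second listener on a unique port.
# Assumptions: the WinStations key is the one KB 187623 describes, and the
# per-listener value fDisableCdm (1 = client drive mapping off) is the
# registry form of "Do not allow drive redirection".
$WinStations = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'

function Get-RdpListenerReport {
    # One row per listener that has a PortNumber (this skips the Console entry).
    Get-ChildItem -Path $WinStations | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($props.PortNumber) {
            New-Object PSObject -Property @{
                Listener      = $_.PSChildName
                Port          = $props.PortNumber
                DriveRedirect = $(if ($props.fDisableCdm -eq 1) { 'disabled' } else { 'ENABLED' })
            }
        }
    }
}

function New-RdpListenerClone {
    param(
        [string]$Source = 'RDP-Tcp',
        [Parameter(Mandatory=$true)][string]$Name,   # e.g. RDP-Admin, as in TP's post
        [Parameter(Mandatory=$true)][int]$Port,      # must differ from every other listener
        [bool]$AllowDriveRedirection = $true
    )
    $src = Join-Path $WinStations $Source
    $dst = Join-Path $WinStations $Name
    if (Test-Path $dst) { throw "Listener '$Name' already exists." }
    # Each listener needs a unique port, so refuse a clash before touching anything.
    $inUse = Get-RdpListenerReport | Where-Object { $_.Port -eq $Port }
    if ($inUse) { throw "Port $Port is already used by listener '$($inUse.Listener)'." }
    # Same effect as exporting the key, renaming it and importing the .reg file.
    Copy-Item -Path $src -Destination $dst -Recurse
    Set-ItemProperty -Path $dst -Name PortNumber -Value $Port -Type DWord
    $flag = $(if ($AllowDriveRedirection) { 0 } else { 1 })
    Set-ItemProperty -Path $dst -Name fDisableCdm -Value $flag -Type DWord
    # Remaining manual step from the FAQ: in Terminal Services Configuration,
    # restrict the new listener's permissions to the redirection-enabled group
    # and Administrators, and keep the default listener's redirection disabled.
    Get-RdpListenerReport | Format-Table -AutoSize
}

# Example run from an elevated prompt on the terminal server:
# New-RdpListenerClone -Name 'RDP-Admin' -Port 3390 -AllowDriveRedirection $true
```

Run Get-RdpListenerReport on its own first; any listener reported as ENABLED without a restricted permission set is reachable by every user who can log on.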

Vera Noest [MVP]

Thanks for this info, TP! I had no idea that this was possible,
since the GUI doesn't allow you to create a second listener.
I'll give it a try and modify the info on my FAQ.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"TP" <tperson.knowspamn@mailandnews.com> wrote on 30 jul 2007 in
microsoft.public.windows.terminal_services:

> Hi Vera,
>
> You can have multiple listeners on the same card as long as they
> use different ports. Terminal Services Configuration supports
> editing the multiple listeners once they exist, however, it does
> not support their initial creation.
>
> Creating a new listener is simply a matter of exporting the
> registry key, modifying the key name (i.e. change "RDP-Tcp" to
> "RDP-Admin") and PortNumber, save, and then double-click the
> file to import. The new listener is ready to receive
> connections immediately.
>
> With 2008 TS Gateway you can use multiple TS CAPs to accomplish
> selective restriction based on groups.
>
> -TP
>
> Vera Noest [MVP] wrote:
>> ...snipped
>> From
>> http://ts.veranoest.net/ts_faq_client_resources.htm#multiple_listeners
>>
>> Q: How can I allow only a subset of my users to redirect their
>> local printers and drives?
>>
>> A: The settings in Terminal Services Configuration or GPO to
>> restrict printer and drive redirection are server-wide
>> settings. They don't allow you to configure redirection based
>> on user group membership. You can, however, achieve this by
>> creating multiple RDP listeners and enable/disable printer and
>> drive redirection on a per listener basis. Since you can only
>> have a single rdp-tcp listener per physical network card, you
>> must have at least two NICs in the server for this solution.
>>
>> Modify the permissions on the rdp-tcp connection so that *only*
>> the redirection enabled User Group and Administrators have
>> permission to connect via the redirection enabled listener.
>>
>> The only disadvantage of this method is that each listener must
>> use a unique port. For example, you could have the redirection
>> disabled listener on port 3389 and the redirection enabled
>> listener on port 3390.
>>
>> 187623 - How to Change Terminal Server's Listening Port
>> http://support.microsoft.com/?kbid=187623

TP

You are welcome.

I spend hundreds of hours trying to come up with tips that
will be good enough to make it on your FAQ so it is nice
when it happens. Now I have to get back to work if I want
to find another one before the year is over...no time for
eating and sleeping. :)

-TP

Vera Noest [MVP] wrote:
> Thanks for this info, TP! I had no idea that this was possible,
> since the GUI doesn't allow you to create a second listener.
> I'll give it a try and modify the info on my FAQ.
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___

Vera Noest [MVP]

This one has definitively made it!
Take care,
Vera
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"TP" <tperson.knowspamn@mailandnews.com> wrote on 31 jul 2007 in
microsoft.public.windows.terminal_services:

> You are welcome.
>
> I spend hundreds of hours trying to come up with tips that
> will be good enough to make it on your FAQ so it is nice
> when it happens. Now I have to get back to work if I want
> to find another one before the year is over...no time for
> eating and sleeping. :)
>
> -TP
>
> Vera Noest [MVP] wrote:
>> Thanks for this info, TP! I had no idea that this was possible,
>> since the GUI doesn't allow you to create a second listener.
>> I'll give it a try and modify the info on my FAQ.
>>
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___