
Drive Redirection + Group Policies...



Guest dt_moore@hotmail.com
Posted

Hi Guys,

 

This is probably the dumbest question anyone has ever asked...but

would appreciate it if someone could point me in the right direction.

 

Right now we have a Win2003 Server (domain controller) which users

connect to using Remote Desktop. I want to be able to enable drive

redirection (show local drives) for admin users and disable the drive

redirection for normal users.

 

I have setup two group policies, one for Admins and another linked to

a security group I defined, which all the normal users are members of.

The "Do not allow drive redirection" policy is DISABLED in the admin

policy and ENABLED in the normal users policy (so the two policies have

conflicting settings). But the result I am getting depends on the

precedence order I apply in Linked Group Policy Objects tab in the

Group Policy Management Console. The result is either everyone gets to

see the local drives or nobody does. I cannot figure out why this is

the case.

 

I guess I am missing something or have this completely wrong...

 

Thanks in advance

 

David

Guest Vera Noest [MVP]
Posted

Re: Drive Redirection + Group Policies...

 

Since your question has little to do with TS in itself, you should

probably have posted it to a group policies newsgroup like

microsoft.public.windows.group_policy

 

That said, there's one major problem with the description of your

setup:

> I have setup two group policies, one for Admins and another

> linked to a security group I defined, which all the normal users

> are members of.

 

GPOs cannot be linked to security groups.

GPOs can be linked to sites, domains and OU's.

Their application can be filtered by security groups.

 

But in your case, filtering the GPOs by security groups wouldn't

solve your problem either, since the "Do not allow drive

redirection" setting is part of the Computer Configuration node of

the policy.

 

From

http://ts.veranoest.net/ts_faq_client_resources.htm#multiple_listeners

 

Q: How can I allow only a subset of my users to redirect their

local printers and drives?

 

A: The settings in Terminal Services Configuration or GPO to

restrict printer and drive redirection are server-wide settings.

They don't allow you to configure redirection based on user group

membership. You can, however, achieve this by creating multiple RDP

listeners and enable/disable printer and drive redirection on a per

listener basis. Since you can only have a single rdp-tcp listener

per physical network card, you must have at least two NICs in the

server for this solution.

 

Modify the permissions on the rdp-tcp connection so that *only* the

redirection enabled User Group and Administrators have permission

to connect via the redirection enabled listener.

 

The only disadvantage of this method is that each listener must use

a unique port. For example, you could have the redirection disabled

listener on port 3389 and the redirection enabled listener on port

3390.

 

187623 - How to Change Terminal Server's Listening Port

http://support.microsoft.com/?kbid=187623

 

 

And I assume that you know that it is *not* recommended to run

Terminal Services on a DC?

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

dt_moore@hotmail.com wrote on 20 jul 2007 in

microsoft.public.windows.terminal_services:

> Hi Guys,

>

> This is probably the dumbest question anyone has ever

> asked...but would appreciate it if someone could point me in the

> right direction.

>

> Right now we have a Win2003 Server (domain controller) which

> users connect to using Remote Desktop. I want to be able to

> enable drive redirection (show local drives) for admin users and

> disable the drive redirection for normal users.

>

> I have setup two group policies, one for Admins and another

> linked to a security group I defined, which all the normal users

> are members of. The "Do not allow drive redirection" policy is

> DISABLED in the admin policy and ENABLED in the normal users

> policy (so the two policies have conflicting settings). But the

> result I am getting depends on the precedence order I apply in

> Linked Group Policy Objects tab in the Group Policy Management

> Console. The result is either everyone gets to see the local

> drives or nobody does. I cannot figure out why this is the case.

>

> I guess I am missing something or have this completely wrong...

>

> Thanks in advance

>

> David
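As an added check that is not part of Vera's reply or her FAQ, the PowerShell script below shows why security filtering cannot split the outcome by user: it reads the machine-wide value that the "Do not allow drive redirection" GPO writes, and the per-listener flag that Terminal Services Configuration sets, and reports which one is in force. It assumes Windows PowerShell 2.0 or later on the terminal server (installed separately on Windows Server 2003) and an elevated prompt; the registry paths and value names (fDisableCdm for drive mapping, fDisableCpm for printer mapping) are the ones Terminal Services uses.

```powershell
# Added example, not from the thread: report where drive redirection is really
# decided on a terminal server. Assumes Windows PowerShell 2.0+ on the server
# and an elevated prompt (read access to HKLM is enough).

$WinStations = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpListenerRedirection {
    # One row per network listener (keys under WinStations that carry a
    # PortNumber; the Console key has none). fDisableCdm = 1 disables client
    # drive mapping and fDisableCpm = 1 disables client printer mapping, for
    # that listener only.
    Get-ChildItem $WinStations | Where-Object { $_.GetValue('PortNumber') -ne $null } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Listener           = $_.PSChildName
                Port               = $_.GetValue('PortNumber')
                DriveRedirection   = if ($_.GetValue('fDisableCdm') -eq 1) { 'disabled' } else { 'enabled' }
                PrinterRedirection = if ($_.GetValue('fDisableCpm') -eq 1) { 'disabled' } else { 'enabled' }
            }
        } | Select-Object Listener, Port, DriveRedirection, PrinterRedirection
}

function Get-RdpDriveRedirectionPolicy {
    # The GPO setting "Do not allow drive redirection" is written to the
    # machine-wide Policies key. It is a Computer Configuration setting, so it
    # applies to every session on this server no matter who logs on, and it
    # takes precedence over the per-listener value above. Filtering the GPO by
    # user group therefore cannot give two groups different results.
    $pol = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($pol -eq $null -or $pol.fDisableCdm -eq $null) {
        return 'Not configured: the per-listener setting decides'
    }
    if ($pol.fDisableCdm -eq 1) {
        return 'Enabled: drive redirection is blocked for everyone on this server'
    }
    return 'Disabled: drive redirection is allowed for everyone (overrides a per-listener disable)'
}

Get-RdpDriveRedirectionPolicy
Get-RdpListenerRedirection | Format-Table -AutoSize
```

Run it on the server after each GPO change (gpupdate /force first): whichever of the two conflicting GPOs wins the link order, the policy line will report one answer for the whole machine, which is exactly the "everyone or nobody" result described in the question.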

Guest Lanwench [MVP - Exchange]
Posted

Re: Drive Redirection + Group Policies...

 

dt_moore@hotmail.com wrote:

> Hi Guys,

>

> This is probably the dumbest question anyone has ever asked...

 

Oh, I doubt that, seriously :)

> but

> would appreciate it if someone could point me in the right direction.

>

> Right now we have a Win2003 Server (domain controller) which users

> connect to using Remote Desktop. I want to be able to enable drive

> redirection (show local drives) for admin users and disable the drive

> redirection for normal users.

 

Normal users shouldn't be logging into a DC at all, whether at the console

or via RD.

If you have a terminal services box, it should be for TS use only - no other

roles on the network.

>

> I have setup two group policies, one for Admins and another linked to

> a security group I defined, which all the normal users are members of.

> The "Do not allow drive redirection" policy is DISABLED in the admin

> policy and ENABLED in the normal users policy (so the two policies have

> conflicting settings). But the result I am getting depends on the

> precedence order I apply in Linked Group Policy Objects tab in the

> Group Policy Management Console. The result is either everyone gets to

> see the local drives or nobody does. I cannot figure out why this is

> the case.

>

> I guess I am missing something or have this completely wrong...

>

> Thanks in advance

>

> David

 

As someone else suggested, try posting in m.p.windows.group_policy ....but I

suggest you heed my advice above.

Guest dt_moore@hotmail.com
Posted

Re: Drive Redirection + Group Policies...

 

Hi Vera! Sorry, I think I might have sent you a mail instead of

posting here, apologies...

 

Thanks for your response, I will check out what I can do about the

setup and try to put it right.

 

So I guess I have another question which is definitely more on

topic...

 

I was wondering if I could control the drive mapping using the Active

Directory Users and Computers \ UserXXX Properties - Environment Tab,

provided I enable the drive mapping and check the "Use connection

settings from user settings" check box...

 

I am going to give it try...

 

Thanks

 

David

Guest Vera Noest [MVP]
Posted

Re: Drive Redirection + Group Policies...

 

Depends on what you want to achieve.

If you want to disable drive redirection: yes, that's possible, but

there's no need to set it in each user account property.

If you want to enforce drive redirection: no, you can't do that.

The user can modify this in the rdp client. They will have to

confirm drive redirection as well, since they will get a warning

that it poses a security risk.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

*----------- Please reply in newsgroup -------------*

 

dt_moore@hotmail.com wrote on 23 jul 2007:

> Hi Vera! Sorry, I think I might have sent you a mail instead of

> posting here, apologies...

>

> Thanks for your response, I will check out what I can do about

> the setup and try to put it right.

>

> So I guess I have another question which is definitely more on

> topic...

>

> I was wondering if I could control the drive mapping using the

> Active Directory Users and Computers \ UserXXX Properties -

> Environment Tab, provided I enable the drive mapping and check

> the "Use connection settings from user settings" check box...

>

> I am going to give it try...

>

> Thanks

>

> David

Posted

Re: Drive Redirection + Group Policies...

 

Hi Vera,

 

You can have multiple listeners on the same card as long as they

use different ports. Terminal Services Configuration supports

editing the multiple listeners once they exist, however, it does

not support their initial creation.

 

Creating a new listener is simply a matter of exporting the registry

key, modifying the key name (i.e. change "RDP-Tcp" to "RDP-Admin")

and PortNumber, save, and then double-click the file to import. The

new listener is ready to receive connections immediately.

 

With 2008 TS Gateway you can use multiple TS CAPs to accomplish

selective restriction based on groups.

 

-TP

 

Vera Noest [MVP] wrote:

> ...snipped

> From

> http://ts.veranoest.net/ts_faq_client_resources.htm#multiple_listeners

>

> Q: How can I allow only a subset of my users to redirect their

> local printers and drives?

>

> A: The settings in Terminal Services Configuration or GPO to

> restrict printer and drive redirection are server-wide settings.

> They don't allow you to configure redirection based on user group

> membership. You can, however, achieve this by creating multiple RDP

> listeners and enable/disable printer and drive redirection on a per

> listener basis. Since you can only have a single rdp-tcp listener

> per physical network card, you must have at least two NICs in the

> server for this solution.

>

> Modify the permissions on the rdp-tcp connection so that *only* the

> redirection enabled User Group and Administrators have permission

> to connect via the redirection enabled listener.

>

> The only disadvantage of this method is that each listener must use

> a unique port. For example, you could have the redirection disabled

> listener on port 3389 and the redirection enabled listener on port

> 3390.

>

> 187623 - How to Change Terminal Server's Listening Port

> http://support.microsoft.com/?kbid=187623

>

>

> And I assume that you know that it is *not* recommended to run

> Terminal Services on a DC?

>

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___
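TP's export/rename/import is in effect a registry key copy, and Vera's FAQ then has you change the connection permissions so that only the redirection-enabled group and Administrators can use the new listener. The script below is an added PowerShell version of both steps; it is my example, not a script from TP, Vera or Microsoft. It assumes Windows PowerShell 2.0 or later on the terminal server, an elevated prompt, and the Terminal Services WMI provider (Win32_TSPermissionsSetting and Win32_TSAccount in root\cimv2) that ships with Windows Server 2003 and 2008. The listener name RDP-Admin and port 3390 come from the thread; the group DOMAIN\TS-DriveRedirect is an assumed name.

```powershell
# Added example, not TP's or Vera's own script: create a second RDP listener
# with its own port and drive-redirection flag, then restrict who may use it.
# Assumes Windows PowerShell 2.0+ on the terminal server, an elevated prompt,
# and the Terminal Services WMI provider (Win32_TSPermissionsSetting and
# Win32_TSAccount, root\cimv2). "RDP-Admin" and port 3390 come from the
# thread; DOMAIN\TS-DriveRedirect is an assumed group name.

$WinStations = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'

function New-RdpListener {
    param(
        [string]$Name,
        [int]$Port,
        [bool]$AllowDriveRedirection
    )
    $src = Join-Path $WinStations 'RDP-Tcp'
    $dst = Join-Path $WinStations $Name
    if (Test-Path $dst) { throw "Listener '$Name' already exists" }

    # Each listener needs a unique port; refuse a clash rather than create a
    # listener that can never bind.
    $inUse = Get-ChildItem $WinStations | ForEach-Object { $_.GetValue('PortNumber') }
    if ($inUse -contains $Port) { throw "Port $Port is already used by another listener" }

    # Same effect as "export RDP-Tcp, rename the key, import": copy the whole
    # key, including the Security value that holds the connection ACL.
    Copy-Item -Path $src -Destination $dst -Recurse
    Set-ItemProperty -Path $dst -Name PortNumber -Value $Port -Type DWord
    # fDisableCdm: 1 = client drive mapping off, 0 = on, for this listener only.
    $flag = if ($AllowDriveRedirection) { 0 } else { 1 }
    Set-ItemProperty -Path $dst -Name fDisableCdm -Value $flag -Type DWord
    Get-ItemProperty -Path $dst | Select-Object PortNumber, fDisableCdm
}

function Set-RdpListenerAccess {
    # Keep Administrators (inherited from the copied ACL) plus one group.
    # PermissionPreSet 1 = User Access, which is what the group needs to log on.
    param([string]$Name, [string]$AllowedGroup)
    $accounts = Get-WmiObject -Namespace root\cimv2 -Class Win32_TSAccount `
                    -Filter "TerminalName='$Name'"
    # Drop the built-in entries that would otherwise admit every ordinary user.
    $accounts | Where-Object { $_.AccountName -match '\\(Remote Desktop Users|Users)$' } |
        ForEach-Object { [void]$_.Delete() }
    $perm = Get-WmiObject -Namespace root\cimv2 -Class Win32_TSPermissionsSetting `
                -Filter "TerminalName='$Name'"
    [void]$perm.AddAccount($AllowedGroup, 1)
    # Show the resulting ACL so it can be compared with tscc.msc.
    Get-WmiObject -Namespace root\cimv2 -Class Win32_TSAccount -Filter "TerminalName='$Name'" |
        Select-Object AccountName, AllowedPermissions
}

# Redirection-enabled listener on 3390, reachable only by admins and the group.
New-RdpListener -Name 'RDP-Admin' -Port 3390 -AllowDriveRedirection $true
Set-RdpListenerAccess -Name 'RDP-Admin' -AllowedGroup 'DOMAIN\TS-DriveRedirect'

# Everyone else keeps using RDP-Tcp on 3389 with drive redirection off.
Set-ItemProperty -Path (Join-Path $WinStations 'RDP-Tcp') -Name fDisableCdm -Value 1 -Type DWord
```

Test the new listener (mstsc /v:server:3390, with the port opened on any host or network firewall) before touching RDP-Tcp: a mistake in the new ACL locks people out of port 3390 only, while 3389 keeps working. Verify the result in Terminal Services Configuration, which, as TP notes, can edit the second listener once it exists. And leave the domain-level "Do not allow drive redirection" GPO Not Configured, because the machine-wide policy value overrides the per-listener flag on both listeners, which is the problem the original question ran into.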

Guest Vera Noest [MVP]
Posted

Re: Drive Redirection + Group Policies...

 

Thanks for this info, TP! I had no idea that this was possible,

since the GUI doesn't allow you to create a second listener.

I'll give it a try and modify the info on my FAQ.

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

"TP" <tperson.knowspamn@mailandnews.com> wrote on 30 jul 2007 in

microsoft.public.windows.terminal_services:

> Hi Vera,

>

> You can have multiple listeners on the same card as long as they

> use different ports. Terminal Services Configuration supports

> editing the multiple listeners once they exist, however, it does

> not support their initial creation.

>

> Creating a new listener is simply a matter of exporting the

> registry key, modifying the key name (i.e. change "RDP-Tcp" to

> "RDP-Admin") and PortNumber, save, and then double-click the

> file to import. The new listener is ready to receive

> connections immediately.

>

> With 2008 TS Gateway you can use multiple TS CAPs to accomplish

> selective restriction based on groups.

>

> -TP

>

> Vera Noest [MVP] wrote:

>> ...snipped

>> From

>> http://ts.veranoest.net/ts_faq_client_resources.htm#multiple_listeners

>>

>> Q: How can I allow only a subset of my users to redirect their

>> local printers and drives?

>>

>> A: The settings in Terminal Services Configuration or GPO to

>> restrict printer and drive redirection are server-wide

>> settings. They don't allow you to configure redirection based

>> on user group membership. You can, however, achieve this by

>> creating multiple RDP listeners and enable/disable printer and

>> drive redirection on a per listener basis. Since you can only

>> have a single rdp-tcp listener per physical network card, you

>> must have at least two NICs in the server for this solution.

>>

>> Modify the permissions on the rdp-tcp connection so that *only*

>> the redirection enabled User Group and Administrators have

>> permission to connect via the redirection enabled listener.

>>

>> The only disadvantage of this method is that each listener must

>> use a unique port. For example, you could have the redirection

>> disabled listener on port 3389 and the redirection enabled

>> listener on port 3390.

>>

>> 187623 - How to Change Terminal Server's Listening Port

>> http://support.microsoft.com/?kbid=187623

Posted

Re: Drive Redirection + Group Policies...

 

You are welcome.

 

I spend hundreds of hours trying to come up with tips that

will be good enough to make it on your FAQ so it is nice

when it happens. Now I have to get back to work if I want

to find another one before the year is over...no time for

eating and sleeping. :)

 

-TP

 

Vera Noest [MVP] wrote:

> Thanks for this info, TP! I had no idea that this was possible,

> since the GUI doesn't allow you to create a second listener.

> I'll give it a try and modify the info on my FAQ.

>

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

Guest Vera Noest [MVP]
Posted

Re: Drive Redirection + Group Policies...

 

This one has definitively made it!

Take care,

Vera

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

"TP" <tperson.knowspamn@mailandnews.com> wrote on 31 jul 2007 in

microsoft.public.windows.terminal_services:

> You are welcome.

>

> I spend hundreds of hours trying to come up with tips that

> will be good enough to make it on your FAQ so it is nice

> when it happens. Now I have to get back to work if I want

> to find another one before the year is over...no time for

> eating and sleeping. :)

>

> -TP

>

> Vera Noest [MVP] wrote:

>> Thanks for this info, TP! I had no idea that this was possible,

>> since the GUI doesn't allow you to create a second listener.

>> I'll give it a try and modify the info on my FAQ.

>>

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___
