I am new to setting up group policies and have been searching through the internet, and TechNet, in trying to resolve a mystery that I observe on my test setup. I hope that someone has actually encountered the same problem that I am encountering and can help me solve this mystery.
To put it simply, I am trying to set up a Remote Desktop Server for remote users and I want to limit their ability to see the resources on the RD server. Sounds simple, right?
Here is my test setup:
1. One domain controller (DC) running Windows Server 2008 R2 as a virtual machine under Hyper-V manager. The host OS is also Windows Server 2008 R2.
2. One Windows Server 2008 R2 Standard (RDSvr), as a virtual machine, with the following features installed: Remote Desktop Services Tools, Remote Desktop Session Host Tools, and Remote Desktop Licensing Tools. OK, I don't have any CALs for this but this is only a test setup and I am good for 90 days before the RD server refuses my connections.
3. On the DC, I created an OU (RD Servers) and put RDSvr into that OU.
4. Inside the RD Servers OU, I created a group (RDUsers) and created users (RDUser1 and RDUser2) in that group.
5. I fired up GPMC on the DC and created a GPO under the RD Servers OU. I only have one GPO for this OU.
6. To shorten my verbiage, I will just say that I was successful in enabling remote desktop access for the RDUsers group. So the GPO was functioning.
7. The first thing I tried was to hide ALL the drives for this RDUsers group by using the "Hide these specified drives in My Computer" and selected the "Restrict all drives" setting.
8. Just to be safe, I rebooted the RDSvr to ensure that the global policies would propagate. I logged on as RDUser1 (also tried RDUser2) but the drives were visible. I used regedit to check the registry setting of NoDrives ([HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\]) and the value was set to 67108863 (0x3FFFFFF).
9. I tried and tried and tried to fix this problem by searching through the internet but could not do it. I also turned on loopback processing and that did not solve the problem.
10. So I gave up on this and went ahead to implement other global policies just to make certain the GPs were processed. All my other GPs were fine, such as "Prevent access to drives from My Computer", "Prohibit access to the Control Panel", "Turn off Windows+X hotkeys", etc. I even got rid of Administrative Tools on Start Menu by setting the registry values of Start_AdminToolsRoot and StartMenuAdminTools to 0 (zero) via Preferences in my GPO.
11. For your information, my test remote computer was not part of this test domain and was running Vista X64.
12. I also tried connecting to RDSvr via Hyper-V manager (so not via remote desktop) and the result was the same.
So the mystery is why was that particular policy, "Hide these specified drives in My Computer", not working even though the registry value of NoDrives was changed to the correct value? The GPO was obviously processed since all the other policies worked (I also checked their corresponding registry values to be correct) and NoDrives was set to the correct value.
If someone can shed some light on this, I will greatly appreciate it.
Thanks,
Henry Kwan
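
As an added example (not part of the original post), this PowerShell sketch decodes the drive bitmask the post reads with regedit, where bit 0 is A: and bit 25 is Z:, and reports the two Explorer policy values for the logged-on user. The function names are hypothetical, and NoViewOnDrive as the value behind "Prevent access to drives from My Computer" is stated from general knowledge rather than from the post.

```powershell
# Added example, written to run on PowerShell 2.0 (the version shipped with Server 2008 R2).
function ConvertFrom-DriveMask {
    param([Parameter(Mandatory=$true)][int]$Mask)
    # Emit the drive letter for every bit that is set (bit 0 = A: ... bit 25 = Z:).
    foreach ($i in 0..25) {
        if ($Mask -band [int]([math]::Pow(2, $i))) { [char](65 + $i) }
    }
}

function ConvertTo-DriveMask {
    param([Parameter(Mandatory=$true)][char[]]$Letter)
    # Build the DWORD that covers exactly the given drive letters.
    $mask = 0
    foreach ($l in $Letter) {
        $i = [int]([char]::ToUpper($l)) - 65
        if ($i -lt 0 -or $i -gt 25) { throw "Not a drive letter: $l" }
        $mask = $mask -bor [int]([math]::Pow(2, $i))
    }
    $mask
}

function Get-ExplorerDrivePolicy {
    # Reads the logged-on user's hive, so run it inside that user's session.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # NoDrives = "Hide these specified drives in My Computer";
    # NoViewOnDrive = "Prevent access to drives from My Computer".
    foreach ($name in 'NoDrives', 'NoViewOnDrive') {
        $value = $null
        if ($props) { $value = $props.$name }
        $row = New-Object PSObject -Property @{ Name = $name; Hex = '(not set)'; Drives = '' }
        if ($null -ne $value) {
            $row.Hex = '0x{0:X}' -f $value
            $row.Drives = (ConvertFrom-DriveMask -Mask $value) -join ' '
        }
        $row | Select-Object Name, Hex, Drives
    }
}

# Value reported in the post.
$fromPost = 67108863
'{0} = 0x{0:X} -> {1}' -f $fromPost, ((ConvertFrom-DriveMask -Mask $fromPost) -join '')
# Constructed sample: the mask that would cover only C: and D:.
'C,D -> {0}' -f (ConvertTo-DriveMask -Letter 'C','D')
Get-ExplorerDrivePolicy
```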