restricting webapps and rd on R2

Hi,

I'm just getting started with R2 and reading through the documentation I'm
trying to learn if the following is possible.

I have three groups:

fullremotedesktop - members of this group can use remote desktop in the
traditional way to get complete access to the server using mstsc, just like
if I used remote desktop do access an XP computer

fullwebapps - members of this group can only run programs through the webapp
interface. The can't remote into the server in the old, traditional way.
The webapps get full access to local resources, like printer, clipboard,
drives, etc.

restrictedwebapps - members of this group can only run webapps and the only
local resource they can have access to is the local printer or printers
installed on the remote desktop services server.

The reason for this division is that only admins should be able to get into
the server, permanent staff get the web apps and local resources, temporary
staff get webapps, but can't store a file locally or copy to the clipboard.

Is this possible? If not, can I at least have two groups: full
remotedesktop users and webapp only users? If I use the log on locally
permission, will that stop people from using webapps as well since
techincally they are logging on locally? I'd test it, but if I lock myself
out I don't want to have to drive back into work on a Saturday.

Thanks!

 

Short answer for the full desktop versus webapp issue: not possible
More details:

How can I prevent my users from connecting to the full desktop of
the server while deploying my applications through RemoteApp?

p

Short answer for the selective local resource redirection:
possible, with multiple TS CAPs on your TS Gateway

More details:

How can I allow only a subset of my users to redirect their local
printers and drives?

ers

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Services
RDS troubleshooting:

=?Utf-8?B?Qm9i?= <Bob@discussions.microsoft.com> wrote on 26 sep
2009 in microsoft.public.windows.terminal_services:
<!--coloro:blue--><span style="color:blue <!--/coloro-->
> Hi,
>
> I'm just getting started with R2 and reading through the
> documentation I'm trying to learn if the following is possible.
>
> I have three groups:
>
> fullremotedesktop - members of this group can use remote desktop
> in the traditional way to get complete access to the server
> using mstsc, just like if I used remote desktop do access an XP
> computer
>
> fullwebapps - members of this group can only run programs
> through the webapp interface. The can't remote into the server
> in the old, traditional way. The webapps get full access to
> local resources, like printer, clipboard, drives, etc.
>
> restrictedwebapps - members of this group can only run webapps
> and the only local resource they can have access to is the local
> printer or printers installed on the remote desktop services
> server.
>
> The reason for this division is that only admins should be able
> to get into the server, permanent staff get the web apps and
> local resources, temporary staff get webapps, but can't store a
> file locally or copy to the clipboard.
>
> Is this possible? If not, can I at least have two groups: full
> remotedesktop users and webapp only users? If I use the log on
> locally permission, will that stop people from using webapps as
> well since techincally they are logging on locally? I'd test
> it, but if I lock myself out I don't want to have to drive back
> into work on a Saturday.
>
> Thanks!<!--colorc--><!--/colorc-->

 

Darn. That's what I was afraid of. And firewalling the port won't work
either, because it is still used in webapps.

Thanks!

"Vera Noest [MVP]" wrote:
<!--coloro:blue--><span style="color:blue <!--/coloro-->
> Short answer for the full desktop versus webapp issue: not possible
> More details:
>
> How can I prevent my users from connecting to the full desktop of
> the server while deploying my applications through RemoteApp?
>
> p
> <!--colorc--><!--/colorc-->