Hi Patrick,
Unfortunately no, this doesn't answer my question. The Terminal Server
shouldn't be responsible for reading the client's group policy settings, that
should be handled by the remote desktop software running on the client.
Since the client software is hosting the endpoint for the drive redirection I
would have expected that it would control which drives get mapped.
Purchasing an additional software package (and per user licenses) isn't an
option given the existing costs of Terminal Services. I will have to continue
searching for (or creating) a fix.
Thanks for your suggestions anyways, I'm a little disappointed that this
was overlooked by MS, but maybe the next version fixes it.
Dave
"Patrick Rouse" wrote:
> This is because the Terminal Server doesn't read the local computer's
> security policy, or any applied to it by domain membership. If you want more
> granular control over things like this you can look at products like Citrix
> MetaFrame which will let you control this by policy.
>
> Does this answer your question?
>
> "Wingman_X" wrote:
>
> > Hi Patrick,
> >
> > Thanks for the suggestion. I know I can prevent the user from using drive
> > redirection, but it's an all-or-none solution. What I really want to know is
> > why the remote desktop client on the client side is bypassing his domain's
> > Group Policy settings, and/or whether or not I can specify which drives get
> > mapped by default through drive redirection.
> >
> > Dave
> >
> > "Patrick Rouse" wrote:
> >
> > > You should enforce this setting on the OU the terminal server is in, because
> > > you have no control of any remote policy settings. The Group Policy applied
> > > to the Terminal Server and users logging onto it does not interact with the
> > > remote computer or Group Policy in any way.
> > >
> > > You can restrict this at the user, server or Group Policy Level, but it must
> > > be done in the organization where the TS is.
> > >
> > > Patrick Rouse
> > > Microsoft MVP - Terminal Server
> > > http://www.workthin.com
> > >
> > > "Wingman_X" wrote:
> > >
> > > > I have a rather interesting issue regarding the Drive Redirection feature and
> > > > Group Policy...
> > > >
> > > > Here's the setup:
> > > >
> > > > Client on PC at Company A connects to 2003 Terminal Server at Company B
> > > >
> > > > Company A has drive Group Policy enforcing "hide these drives..." as well as
> > > > "prevent access to these drives.." set for C (blocks the user from accessing
> > > > the C drive on his local PC).
> > > >
> > > > If the client turns on Drive Redirection, he has full access to "C on
> > > > (clientPC)" when he logs into the 2003 Terminal Server at Company B.
> > > >
> > > > I've tried manually removing the C mapping through a script, but the drive
> > > > redirection feature keeps remapping this drive whenever the user tries to
> > > > access it. It appears that the Remote Desktop client is ignoring the client
> > > > PC's Group Policy settings and is mapping the drive anyways. The client has
> > > > full access to his C drive through Terminal Services drive redirection.
> > > >
> > > > Has anyone else had to deal with this sort of issue? It's a pretty big
> > > > security hole if it's ignoring Group Policy.
> > > >
> > > > The only theory I have is that MS has enforced this restricted access
> > > > through Explorer.exe (much like their 'prevent program execution' setting)
> > > > instead of deeper in the OS. If this is the case then Remote Desktop may be
> > > > bypassing it which makes me wonder what else it could get past...
> > > >
> > > > Any suggestions are welcome.