Drive Redirection and Group Policy on the Client PC

[Guest]

I have a rather interesting issue regarding the Drive Redirection feature and
Group Policy...

Here's the setup:

Client on PC at Company A connects to 2003 Terminal Server at company B

Company A has drive Group Policy enforcing "hide these drives..." as well as
"prevent access to these drives.." set for C (blocks the user from accessing
the C drive on his local PC).

If the client turns on Drive Redirection, he has full access to "C on
(clientPC)" when he logs into the 2003 Terminal Server at Company B.

I've tried manually removing the C mapping through a script, but the drive
redirection feature keeps remapping this drive whenever the user tries to
access it. It appears that the Remote Desktop client is ignoring the client
PC's Group Policy settings and is mapping the drive anyways. The client has
full access to his C drive through Terminal Services drive redirection.

Has anyone else had to deal with this sort of issue? It's a pretty big
security hole since if it's ignoring Group Policy.

The only theory I have is that MS has enforce this restricted access
through Explorer.exe (much like their 'prevent program execution' setting)
instead of deeper in the OS. If this is the case then Remote Desktop may be
bypassing it which makes me wonder what else it could get past...

Any suggestions are welcome.

 

[Guest]

You should enforce this setting on the OU the terminal server is in, because
you have no control of any remote policy settings. The Group Policy applied
to the Terminal Server and users logging onto it does not interact with the
remote computer or Group Policy in any way.

You can restrict this at the user, server or Group Policy Level, but it must
be done in the organization where the TS is.

Patrick Rouse
Microsoft MVP - Terminal Server
http://www.workthin.com

 

[Guest]

Hi Patrick,

Thanks for the suggestion. I know I can prevent the user from using drive
redirection, but it's a all-or-none solution. What I really want to know is
why the remote desktop client on the client side is bypassing his domain's
Group Policy settings, and/or whether or not I can specify which drives get
mapped by default through drive redirection.

Dave

 

[Guest]

This is because the Terminal Server doesn't read the local computer's
security policy, or any applied to it by domain membership. If you want more
granular control over things like this you can look at products like Citrix
MetaFrame which will let you control this by policy.

Does this answer your question?

 

[Guest]

Hi Patrick,

Unfortunately no, this doesn't answer my question. The Terminal Server
shouldn't be responsible for reading the client's group policy settings, that
should be handled by the remote desktop software running on the client .
Since the client software is hosting the endpoint for the drive redirection I
would have expected that it would control which drives get mapped.

Purchasing an additional software package (and per user licenses) isn't an
option given the existing costs of Terminal Services. I will have to continue
searching for (or creating) a fix.

Thanks for your suggestions anyways, I'm a little disappointed that this
was overlooked by MS, but maybe the next version fixes it.

Dave

 

[Guest]

You may request this feature here:

https://www.windowsserverfeedback.com/