[gptalk] Re: Terminal Service drive redirection

  • From: "Omar Droubi" <omar@xxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 27 Sep 2007 11:57:05 -0700

Mika,

I am not sure if this can be done either, but I do have a viable option
for you:

If you can allocate another network card on the terminal server with a
separate IP address, you can create an additional RDP
listener/connection and just configure the settings manually on each RDP
connection to restrict or allow the drive mapping function. Configure
each connection to listen only on 1 particular NIC. Also, on the new RDP
connection, edit the permission to drop the Remote Desktop Users group
from that connection's permissions. And drop the terminal server
configuration from the GPO and just do manual configuration.

Furthermore, drive mapping will only work if the end user has Local
Administrator on the workstation they are using to connect to the
terminal server from, so if you restrict that you would be in business,
but in many workstation deployments end users do have this right.

If that does not make sense, ping me offline in email and I can add some
screenshots, since this is out of the GPO realm.

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Thursday, September 27, 2007 10:53 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Terminal Service drive redirection

Mika-

I don't have any good ideas here since I haven't worked with this
setting specifically. One thing to try: I've noticed while playing
around with my Group Policy Spy tool that there are some policy
settings that Microsoft has not captured in ADM (or ADMX). In other
words, some Windows components implement policy settings that are not
all represented in templates. That also goes for cases where sometimes a
per-computer policy is also per-user but not represented in the ADM.
That being said, it may be worth trying to set that policy per-user
(e.g. through the registry directly) to see if the user respects it. If
not, then perhaps others have a good idea.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Mika Seitsonen
Sent: Thursday, September 27, 2007 8:51 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Terminal Service drive redirection

Hi,

A company has a need for a solution that meets the following
requirements:

1. User cannot use terminal service drive redirection to copy
files into his/her computer from the computer into which the user opens
a Remote Desktop Connection

2. A member of a certain group (e.g. administrators) can use
terminal service drive redirection to copy files into his/her computer
from the computer into which the user opens a Remote Desktop Connection

This setting is available in the Group Policy on Computer
Configuration\Administrative Templates\Windows Components\Terminal
Services\Terminal Server\Device and Resource Redirection\Do not allow
drive redirection. Since it is on the computer side, it is not possible
to target a user or a user group. Does anybody have an idea how to
implement this in order to meet the requirements? Kind of "user loopback
processing reversed" i.e. computer setting based on the user location.

Thanks and regards,

Mika
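
For the two-listener setup suggested in the first reply, an administrator can check from the registry which listener is bound to which NIC and whether drive redirection is actually off on each one. The script below is an added example, not something posted in the thread. It assumes the per-listener values `fDisableCdm`, `LanAdapter` and `PortNumber` under the `WinStations` key and the policy value `fDisableCdm` under the Terminal Services policy key, none of which are named in the posts.

```powershell
# Added example (not from the thread): list each RDP listener with its NIC
# binding and whether client drive redirection is effectively disabled.
# Run in an elevated PowerShell session on the terminal server.
$wsRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
$polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# "Do not allow drive redirection" set through Group Policy lands here and
# overrides the per-listener value, so read it first.
$policy = $null
if (Test-Path $polPath) {
    $policy = (Get-ItemProperty -Path $polPath).fDisableCdm
}

$report = foreach ($key in Get-ChildItem -Path $wsRoot) {
    $p = Get-ItemProperty -Path $key.PSPath

    # Policy wins when present; otherwise the listener's own setting applies.
    $effective = if ($null -ne $policy) { $policy } else { $p.fDisableCdm }

    [pscustomobject]@{
        Listener         = $key.PSChildName
        Port             = $p.PortNumber
        # LanAdapter 0 = listens on all adapters; non-zero = pinned to one NIC.
        AllAdapters      = ($p.LanAdapter -eq 0)
        DriveRedirection = if ($effective -eq 1) { 'Disabled' } else { 'Allowed' }
        Source           = if ($null -ne $policy) { 'Group Policy' } else { 'Listener' }
    }
}

$report | Format-Table -AutoSize

# Flag the combination the design is meant to avoid: a listener that allows
# drive redirection and is reachable on every adapter.
$report |
    Where-Object { $_.DriveRedirection -eq 'Allowed' -and $_.AllAdapters } |
    ForEach-Object {
        Write-Warning "$($_.Listener): drive redirection allowed on every NIC"
    }
```

If `Source` shows `Group Policy` for every row, the computer-side policy is still applied and the manual per-listener settings have no effect.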
