If you are working with Remote Desktop Services, and especially with Remote Desktop Web Access, you might know by now that every domain user can log in to that interface, even if that user has no applications published. Most administrators don’t even care about this, because if the user can’t see an application on that web page, they will close it eventually. But if that user is persistent, you will be sitting in the witness chair. Why can’t I see anything on that page? Why don’t I have applications like my colleague? And the list can go on. If you want to restrict access for users that don’t have applications published on RD Web Access, there is a trick.
As you can see below, my user account is logged in to RD Web Access even if no applications are published.
To restrict this, first we need to create a security group in AD. You know that I don’t like to put users in ACLs directly; I like to work with groups. Go ahead and create a security group, then put the user accounts that you don’t want to be able to log in to the web page in that group.
Now log into your RD Web Access server and browse to C:\Windows\Web. Right-click the RDWeb folder and choose Properties.
Go to the Security tab and click Edit then Add.
Type the security group name that you just created in AD and hit OK.
Back in the Permissions window, make sure the group is selected, then in the Permissions section (below) click the Read & Execute box under the Deny column. Click OK to close all the windows. Choose Yes on the warning messages.
Now, if a user that is part of that security group tries to log in, they will get a deny message. In the future, when you want to block someone from logging in to RD Web Access, just add the account to that security group.
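The same steps can be scripted. The following is an added example, not part of the original post: it assumes the ActiveDirectory module (RSAT) is available on the RD Web Access server, and the group name `RDWeb-Deny-Logon` and the account `jdoe` are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted version of the GUI steps above.
# Assumptions: $GroupName and $Members are placeholders you replace with your own values.
$GroupName = 'RDWeb-Deny-Logon'        # hypothetical group name
$Members   = @('jdoe')                 # hypothetical accounts to block
$RdWebPath = 'C:\Windows\Web\RDWeb'    # folder named in the article

Import-Module ActiveDirectory

# 1. Create the security group only if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}

# 2. Add accounts, skipping those that are already members.
$current = Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty SamAccountName
$Members | Where-Object { $_ -notin $current } | ForEach-Object {
    Add-ADGroupMember -Identity $GroupName -Members $_
}

# 3. Build a Deny "Read & Execute" entry that applies to the folder,
#    its subfolders and its files (what the GUI check box produces).
$identity = '{0}\{1}' -f (Get-ADDomain).NetBIOSName, $GroupName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $identity,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

# 4. Add the entry only if the group has no Deny entry on the folder yet.
$acl = Get-Acl -Path $RdWebPath
$existing = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $identity -and $_.AccessControlType -eq 'Deny'
}
if (-not $existing) {
    $acl.AddAccessRule($rule)
    Set-Acl -Path $RdWebPath -AclObject $acl
}

# 5. Verify: list every Deny entry now present on the RDWeb folder.
(Get-Acl -Path $RdWebPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
```

Deny entries take precedence over Allow entries, which is what the warning in the GUI is about, so keep administrative accounts out of this group.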
Simple and effective. Hope this helps some of you.