Hey all,
I have an environment that contains Windows Server 2008 terminal servers and on top Res Powerfuse2008 SR2. Now I managed with the combination of GPOs and Res Powerfuse settings to hide / disable most of the goodies users really don't need nor want. Except for one item. If a user opens Windows Explorer then you get that need option to browse your network. If you open this icon, search Active Directory and add printer buttons immediately appear. In other words a very unwanted situation. I have a ticket open at Res Powerfuse; they can create the same situation but are also unable to remove the network feature. All network policies are in place like no computers near me etc. Can someone point me in the right direction here?
Hans Straat, The Netherlands CEO www.datacrash.net
Hi Hans,
I am assuming you are publishing desktops. If it were me, I would not provide access to Windows Explorer, My Network Places, the "Run" line, or the "Run As" feature at all. Hide the Local Drives, and turn off the Right-Click feature as well.
Group Policy will handle most of these. I took a look at RES Powerfuse and I can see that it's another Profile Management tool with AD integration to include GP assignment. If it can't be done in regular GP, then most likely your tool won't be able to do it either.
Bottom line? Give the user just what they need. Map only department shares and printers they need (by Group Membership, Clientname, or IP), redirect their My Documents folder and train users to save their docs there. By providing Windows Explorer, My Network Places, and Right-Click, you provide access to a lot of "back-doors" the user community will find, and create headaches for you to resolve.
I don't know RES Powerfuse but here's a good article on locking-down your environment. http://support.microsoft.com/kb/278295/en-us
Best regards,
Samuel A. Rodriguez Sr. Systems Administrator
True. If I had it for saying I would lock down the environment totally like I have done with the 2003 terminal servers for this company. But they need Explorer for some strange reason and I can't get rid of the network icon no matter what policies I set with or without Powerfuse. Powerfuse also has the ability to simply import the policy and set it with powershell.exe which replaces the Windows shell totally. But Res Powerfuse isn't ready for Windows Server 2008 yet. Bottom line: we are rolling back to Windows Server 2003, which is proven technology, and will build a test environment with 2008 again. We are also struggling with Sun Ray thin clients on the 2008 environment.
Hans Straat, The Netherlands CEO www.datacrash.net
You might want to give Thin Desktop from ThinLaunch software a look
www.thinlaunch.com
It's a lot easier than GP or reg hack
If your TCs are XP embedded, it can lock those down as well and should have no issues with 08
Hans,
Do you have the following policy items enabled? [User Configuration\Administrative Templates\Windows Components\Windows Explorer]
Remove Map Network Drive and Disconnect Network Drive
Remove Search button from Windows Explorer
Disable Windows Explorer's default context menu
Hides the Manage item on the Windows Explorer context menu
Hide these specified drives in My Computer (Enable this setting for A through D.)
Prevent access to drives from My Computer (Enable this setting for A through D.)
In addition to the above policy (one of several) TS users got mandatory profiles that were pretty much gutted. Start Menu and Desktop items/shortcuts were copied over when they logged-on. I didn't provide Windows Explorer, but created a [lengthy] script to map network drives based on group membership (or by username, or clientname if I warranted). I used kixtart2001, but any batch, VBS, or Powershell will do. In my environment, users could roam all over the facility and logon to whatever thin client. Luckily, we used a naming convention that would indicate what building, area, and floor they were on (a good practice). So in the case of printer mappings, I could grab the clientname, parse the info I needed with Rtrim and map just three printers nearest them during the logon process. You might think that 130-160 lines of code would create some overhead, but processors these days will rip right through that. The overhead is in the mapping/connecting to network resources - which you want to keep minimal.
This may not be the answer you're looking for, but sometimes a user requirement that doesn't pass muster, can be provided in the spirit of the business objective - by thinking outside the box, getting IT management behind you, and of course, a little bit of work.
Samuel A. Rodriguez Sr. Systems Administrator
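A check for whether the Windows Explorer policy items listed in the post above actually reached a user's session, as an added example that is not part of the original thread. The registry value names are an assumption in the sense that they do not appear on the page: they are the values these Group Policy settings write under the per-user Policies\Explorer key, and the drive mask covers A through D as the post specifies.

```powershell
# Added example: audit the logged-on user's Explorer lockdown values.
# Value names are not from the thread; they are the registry values that the
# listed Group Policy settings write under the per-user Policies\Explorer key.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-DriveMask {
    param([char[]]$Letters)
    # NoDrives / NoViewOnDrive are bitmasks: A = bit 0, B = bit 1, ... Z = bit 25
    $mask = 0
    foreach ($letter in $Letters) {
        $bit  = [int]([char]::ToUpper($letter)) - [int][char]'A'
        $mask = $mask -bor [int]([math]::Pow(2, $bit))
    }
    return $mask
}

$aToD = Get-DriveMask 'A','B','C','D'   # drives A through D, as in the post

$checks = @(
    @{ Value = 'NoNetConnectDisconnect';  Want = 1;     Policy = 'Remove Map Network Drive and Disconnect Network Drive' },
    @{ Value = 'NoShellSearchButton';     Want = 1;     Policy = 'Remove Search button from Windows Explorer' },
    @{ Value = 'NoViewContextMenu';       Want = 1;     Policy = 'Disable Windows Explorer''s default context menu' },
    @{ Value = 'NoManageMyComputerVerb';  Want = 1;     Policy = 'Hides the Manage item on the context menu' },
    @{ Value = 'NoDrives';                Want = $aToD; Policy = 'Hide these specified drives in My Computer' },
    @{ Value = 'NoViewOnDrive';           Want = $aToD; Policy = 'Prevent access to drives from My Computer' }
)

# The key is absent when no Explorer policy has been applied to this user
$props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

$missing = 0
foreach ($c in $checks) {
    $actual = if ($props) { $props.($c.Value) } else { $null }
    $actual = [int]$actual                      # a missing value counts as 0
    # Every wanted bit must be set (covers both 0/1 flags and drive masks)
    $ok = ($actual -band $c.Want) -eq $c.Want
    if (-not $ok) { $missing++ }
    $status = if ($ok) { 'OK' } else { 'FAIL' }
    '{0,-5} {1} ({2} = {3}, want {4})' -f $status, $c.Policy, $c.Value, $actual, $c.Want
}
"$missing of $($checks.Count) settings not applied for $env:USERNAME"
```

Because these are per-user values, run it inside a test user's terminal server session rather than as an administrator on the console.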
Because of several issues with the terminal server 2008 environment with Powerfuse 2008 over it, we decided to roll it all back to Windows Server 2003. The other problem was that we could not do remote control on Sun Ray thin clients; they simply would disconnect. Sun Ray TCs do not yet support Windows Server 2008 environments. So now with the Windows 2003 environment I have a totally locked up environment again :) Res Powerfuse also admitted they are not ready yet for Windows Server 2008. They are currently working hard to get it improved, but some stuff you could configure with a few mouse clicks in Server 2003 simply won't work in 2008.
Thanks for the help folks, really appreciate it.
Hans Straat, The Netherlands CEO www.datacrash.net
In terms of the GPO's available to "lock-down" Windows Explorer, I don't recall them being different in 2K8 than in 2K3. You would still have the same issue - unless you're saying that in 2K8 they aren't applying correctly (because you're using Powerfuse)?
Each succession of Windows Server gets a higher security posture set by default (IE as well), which tends to break a lot of things. (I performed a W2K to W2K3 farm migration, so I know your pain) I would build-out a 2K8 server, add to production farm as test (publish desktops or apps to a test group), and start your proof-of-concept by installing apps and putting a couple/half dozen pilot users on it. Keep track of every setting, rollback, and reghack used to fix issues. When you get it right, add twice the user test group count & try and stress it. When satisfied, remove from farm, clean it up (profiles etc.) run sysprep on it (uninstall Citrix if installed), and create a base image of it. Or, if you prefer, perform a bare metal build incorporating all the apps, hotfixes, reghacks etc. And build your image from that. It's cleaner, but adds a bit of work.
Good luck,
Now is the time to start the testing as Server 2K3 will be EOS July '10 methinks (~20 months) and between now and then, there'll be more apps to vet on 2K8 - guaranteed.
Samuel A. Rodriguez Sr. Systems Administrator