We have a Windows 2008 R2 RDS in a Windows 2012 R2 domain. We want to lock down the 2008 RDS for domain users that we have added to a new security group named "Data Collection Users". These users are "Domain Users" and log in to the 2008 RDS using Windows XP SP3 machines to run a specific application; they do not use their local desktops for anything. We added this group to the local RDU group on the RDS. We do not have any other users that log in to the RDS through terminal, including any Domain Admins.
So far we have done these steps:
1. On the DC, created a new OU (called Terminal Servers) and moved the RDS into it.
2. Opened Group Policy on the DC, and under GP Objects, created a new policy called "TS Users Lockdown".
3. Linked the policy to the OU.
4. Under Security Filtering, we removed Authenticated Users, added the RDS computer account (called QS2), added the "Data Collection Users" group, and chose Allow for "Read" and "Apply Policy".
5. Under Security Filtering, for Domain Admins, we chose Deny for "Apply Group Policy".
6. We edited the policy (under Computer Configuration>AT>SYS>GP) to enable Loopback processing in Replace mode.
7. We first tested the policy by trying to remove the "Run" from startup menu and "prohibit access to Control Panel".
8. We ran the Group Policy force update from within GP Management; it ran successfully.
9. We did not reboot the RDS.
10. Neither of the settings we tried in Step 7 worked. Why not?
Here are images from the Security Filtering: