Limit Windows Remote Desktop users' server rights

How can you manage access to Windows Explorer and the DOS command prompt to control Windows Remote Desktop users network rights?

We are using Remote Desktop in Windows Server 2003 for server management. The current configuration of the application server allows all Remote Desktop users full control of the server, its files and its data. We want to limit the users' rights by removing their access to Windows Explorer and the DOS command prompt, but when they try to save a report setup within the application, they cannot browse the folders. How can we fix this?

The solution to this problem depends on the nature of the application that your Remote Desktop end users are running. If you create shares on the folders that contain the data and then map drive letters to them, the application may allow you to configure it to automatically open/save from that drive letter, bypassing the use of Windows Explorer.

Alternatively, you can configure a startup application in the Terminal Services Configuration administrative console.

  1. Start the console and select the Connections node in the left pane.
  2. In the right pane, double-click RDP-TCP to open its Properties sheet.
  3. Select the Environment tab, and then click the third radio button, "Start the Following Program When The User Logs On."
  4. Enter the full path to the program in the Program Path and File Name field, such as C:Program FilesMicrosoft OfficeOFFICE11winword.exe, and enter just the part in the Start In field, such as C:Program FilesMicrosoft OfficeOFFICE11.
  5. Click OK to save your changes.

The next time a user logs on to that Terminal (application) Server, he will see only the application that you've specified and will not be able to navigate around the server outside of that application.

Dig Deeper on Windows legacy operating systems