A couple of weeks ago we had a request for six new workstations to be created for outside contractors to remote into. They already had 3 Windows 7 VMs for this purpose, and this was just too much. I had been advocating against Terminal Servers because I was in charge of them at my last job and hated (HATED) them, but I'm not running 9 Windows 7 VMs just to meet this goal; management simplicity, space, and all that, you know. After I built the new RDS Server I discovered that my loathing was really just targeted at roaming profiles, and not terminal servers, so I feel better about that. Thankfully, this RDS Server will be used by outside contractors, and I don't have to worry about redirecting folders or roaming folders.
I did run into a few frustrating problems, but I found the solutions scattered about the internet. First, I found a pretty good guide to locking down an RDS Server on Technet. One good thing about the article is that it talks about removing libraries, whereas other RDS lockdown articles I found were written for Windows Server 2003.
Issue number two was that I was having a hard time figuring out how to remove the Administrative Tools from my users' start menu. There wasn't a group policy that affected this, but I DID find a group policy preference!
- In your group policy, go to User Configuration > Preferences > Control Panel Settings > Start Menu.
- Right-click > New > Start menu (Windows Vista) and then browse till the Administrative tools and choose "Do not show this item".
Another issue (and most infuriating here) was that none of my icons were showing up on my users' desktops. Icons that you create in C:\Users\Public\Desktop (Windows Server 2008/R2/Vista/7) or C:\Documents and Settings\All Users\Desktop (Windows Server 2003/XP) should show up for everyone, and mine weren't because of a group policy that I had set called “Remove common program groups from Start Menu”. This can be found in "User Configuration > Policies > Administrative Templates > Start Menu and Taskbar", and has the unintended consequence of hiding icons on all users/public desktops. So, I set the policy to "Not Configured" and then removed the "Everyone" and "Domain Users" groups from the C:\ProgramData\Microsoft\Windows\Start Menu (Windows Server 2008) or C:\Documents and Settings\All Users\Start Menu (Windows Server 2003) folder permissions. You will need to remove inheritance to make this happen.