VMware Horizon Community
jhyiesla
Contributor

Tweaking Server 2012R2 as a View Desktop

We're seriously considering switching away from Windows 7 to Server 2012R2 as our View desktop. Mostly I have everything working OK.  Here's my one issue. Over the years we have just let users be administrators on their own desktops. While I realize that this can be an issue with Windows, the number of times that we would have had to get involved to solve some issue if the user hadn't been a local admin are too numerous to count... so we're not going to abandon that strategy. However, since we are potentially handing them a server with hooks into AD and utilities like Server Manager that were never meant to be used by regular users, I am in a quandary as to how to give them a functional desktop, let them be local admins and restrict them from things that could potentially cause issues.  

I've already seen the GPOs that can be created to hide things like the Server Manager and PowerShell icons and keep the SM from starting at boot. I've also played with just renaming executables like SM and PS so that even if the icons are there they don't do anything. However, I'm afraid that I will miss something that could become a problem if a user stumbled upon it, and I was wondering if VMware or any user here might have a list of tweaks to do to neuter the server part of the server.

Thanx... Jon

6 Replies
vTimD
Enthusiast

Out of curiosity, what would be your use case justification for going Server 2012 over Windows 7 (or even 10?)? It seems like you're going to have to go way out of the way to turn 2012 into Windows 7, when you could just give them Windows 7.

-vTimD http://www.vtimd.com If you found this or any other answer useful please consider the use of the Helpful or Correct buttons to award points.
grossag
VMware Employee

Would you allow multiple users on the same Server 2012R2 instance? If so, that would be very dangerous, because a user with admin access can start spying on other users in tricky ways or kick them off of sessions.

jhyiesla
Contributor

Bottom line really is $$$.  We can license 2012 Datacenter version across our hosts for less money than paying the constant subscription fee for VDA licenses on Windows 7.

jhyiesla
Contributor

These will be linked clones, so only one user per desktop, and every time they log off, the desktop is refreshed.

grossag
VMware Employee

Hehe I figured that was the case.  Thanks for confirming though; it's always interesting to hear why decisions like these are made.

grossag
VMware Employee

I am not the definitive word on this but I've been mulling this question over for the past few days and wanted to summarize my thinking:

  • As mentioned before, you would need to make sure that multiple users do not access the same desktop.
  • If they are an admin, there is nothing preventing a user from intentionally breaking the View Agent or the machine.  Most ways in which they do this would be undone after a desktop refresh, but they could potentially unregister the View Agent from the View Connection Server.
  • If they are an admin, they can override any GPO controls that you set to prevent data leakage. For example, let's say you want to disable client drive redirection (fDisableCdm Microsoft GPO); if they are an admin they can modify the HKLM portion of the registry to change the value of a setting like this. Not sure if this is a concern for you, but I wanted to mention it anyway.

Out of curiosity, can you list some of the issues why users run into problems as a non-admin?  This is mostly just my own personal curiosity.  It seems like all benefits that I can think of in being an admin (e.g. allowing user-installed applications) are removed by refreshing the desktop after logoff, but I must be missing some.

Another personal curiosity question: what are you planning on using for profile management to allow personal documents to outlive the desktop refresh?

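Editor's note: the two registry-backed settings discussed in this thread (the OP's GPO to stop Server Manager opening at logon, and grossag's fDisableCdm example of a policy a local admin can flip) both live under HKLM, so a quick audit of whether the effective values still match what the GPO is meant to enforce is the practical check. The script below is an added example, not code from the thread or from VMware. The registry paths and value names are the standard Microsoft policy locations for these two settings; the expected values (1 = enabled) are an assumption matching the intent stated in the posts.

```powershell
# Added example (not from the thread): audit HKLM policy values on a View desktop
# and report any that a local admin has changed away from the GPO-intended value.
# Run from an elevated or non-elevated session; reading HKLM needs no admin rights.

# Expected state (assumed from the thread: both policies enabled = 1).
$Expected = @(
    [pscustomobject]@{
        Name  = 'Server Manager does not open at logon'
        Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Server\ServerManager'
        Value = 'DoNotOpenAtLogon'
        Want  = 1
    },
    [pscustomobject]@{
        Name  = 'Client drive redirection disabled (fDisableCdm)'
        Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
        Value = 'fDisableCdm'
        Want  = 1
    }
)

function Test-PolicyDrift {
    param([Parameter(Mandatory)] $Checks)

    foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path -Path $c.Path) {
            # A missing value returns $null instead of raising an error.
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        }

        if ($null -eq $actual)          { $status = 'MISSING' }   # GPO never applied, or key deleted
        elseif ($actual -eq $c.Want)    { $status = 'OK' }
        else                            { $status = 'DRIFT' }     # value changed, e.g. by a local admin

        [pscustomobject]@{
            Check  = $c.Name
            Path   = $c.Path
            Value  = $c.Value
            Want   = $c.Want
            Actual = $actual
            Status = $status
        }
    }
}

$results = Test-PolicyDrift -Checks $Expected
$results | Format-Table Check, Want, Actual, Status -AutoSize

# This is the one-liner grossag's post warns about: any local admin can undo the
# policy between desktop refreshes. Shown here commented out; uncomment in a test
# VM to see Test-PolicyDrift report DRIFT for fDisableCdm afterwards.
# Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name fDisableCdm -Value 0

# Non-zero exit code makes the script usable from a logon script or monitoring job.
if ($results.Status -contains 'DRIFT' -or $results.Status -contains 'MISSING') { exit 1 } else { exit 0 }
```

Two caveats worth knowing when reading the output. First, a linked-clone refresh at logoff (as the OP describes) does reset these values, so drift only matters for the duration of one session; that is still long enough for drive redirection to be re-enabled and used. Second, a background Group Policy refresh does not by default rewrite registry policy that the client thinks it has already applied, so `gpupdate` alone will not necessarily put the value back unless the "process even if the Group Policy objects have not changed" option is turned on for registry policy processing.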