We're seriously considering switching away from Windows 7 to Server 2012R2 as our View desktop. Mostly I have everything working OK. Here's my one issue. Over the years we have just let users be administrators on their own desktops. While I realize that this can be an issue with Windows, the number of times that we would have had to get involved to solve some issue if the user hadn't been a local admin are too numerous to count... so we're not going to abandon that strategy. However, since we are potentially handing them a server with hooks into AD and utilities like Server Manager that were never meant to be used by regular users, I am in a quandary as to how to give them a functional desktop, let them be local admins and restrict them from things that could potentially cause issues.
I've already seen the GPO's that can be created to hide things like the Server Manager and Powershell icons and keep the SM from starting at boot. I've also played with just renaming executables like SM and PS so that even if the icons are there they don't do anything. However, I'm afraid that I will miss something that could become a problem if a user stumbled upon it and I was wondering if VMware or any user here might have a list of tweaks to do to neuter the server part of the server.
Thanx... Jon
Out of curiosity, what would be your use case justification for going Server 2012 over Windows 7 (or even 10?)? It seems like you're going to have to go way out of the way to turn 2012 into Windows 7, when you could just give them Windows 7.
Would you allow multiple users on the same Server 2012R2 instance? If so, that would be very dangerous, because a user with admin access can start spying on other users in tricky ways or kick them off of sessions.
Bottom line really is $$$. We can license 2012 Datacenter version across our hosts for less money than paying the constant subscription fee for VDA licenses on Windows 7.
These will blinked clones so only one user per desktop and every time the log off, the desktop is refreshed.
Hehe I figured that was the case. Thanks for confirming though; it's always interesting to hear why decisions like these are made.
I am not the definitive word on this but I've been mulling this question over for the past few days and wanted to summarize my thinking:
Out of curiosity, can you list some of the issues why users run into problems as a non-admin? This is mostly just my own personal curiosity. It seems like all benefits that I can think of in being an admin (e.g. allowing user-installed applications) are removed by refreshing the desktop after logoff, but I must be missing some.
Another personal curiosity question: what are you planning on using for profile management to allow personal documents to outlive the desktop refresh?