Locking Down TS/RDS Host
Server Manager Console
Disable the Server Manager pop-up for users logging in. This can be done from the Group Policy Microsoft Management Console (MMC):
User Configuration \ Policies \ Administrative Templates \ Start Menu and Taskbar
Some administrative group policies might not be available in the Group Policy Management Console (GPMC). These can be imported from https://www.microsoft.com/en-au/download/details.aspx?id=41193.
Removing Favorites and Libraries
You must perform these modifications on the RD Session Host servers. You can make these changes directly in the Registry or by using Group Policy Preferences (GPP).
Note: Back up the key first and take ownership of the ShellFolder before changing the value of Attributes.
For Favorites, the key is:
[HKEY_CLASSES_ROOT\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder]
"Attributes"=dword:a0900100
Changing a0900100 to a9400100 will hide Favorites from the navigation pane.
For Libraries, the key is:
[HKEY_CLASSES_ROOT\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder]
"Attributes"=dword:b080010d
Changing b080010d to b090010d will hide Libraries from the navigation pane.
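The following PowerShell script is an added example, not part of the original article or of any Parallels tooling. It reports whether Favorites and Libraries are currently hidden on an RD Session Host and, when run with -Apply, backs up each key and writes the hidden value. The -Apply switch and the $BackupDir location are assumptions of this example, and the script assumes ownership of each ShellFolder key has already been taken as described in the note above.

```powershell
# Added example: audit, and optionally apply, the Attributes values given in this article.
# Run elevated on the RD Session Host. This script does not change key ownership.
param(
    [switch]$Apply,                                      # hypothetical switch: report only unless set
    [string]$BackupDir = "$env:TEMP\ShellFolderBackup"   # assumed backup location
)

# CLSIDs and DWORD values exactly as listed in the article, kept as hex strings so that
# values with the high bit set compare reliably.
$targets = @(
    @{ Name = 'Favorites'; Clsid = '{323CA680-C24D-4099-B94D-446DD2D7249E}'; Shown = 'a0900100'; Hidden = 'a9400100' },
    @{ Name = 'Libraries'; Clsid = '{031E4825-7B94-4dc3-B131-E946B44C8DD5}'; Shown = 'b080010d'; Hidden = 'b090010d' }
)

foreach ($t in $targets) {
    $regPath = "HKEY_CLASSES_ROOT\CLSID\$($t.Clsid)\ShellFolder"
    $current = (Get-ItemProperty -LiteralPath "Registry::$regPath" -Name Attributes -ErrorAction Stop).Attributes
    $hex     = '{0:x8}' -f $current

    $state = if     ($hex -eq $t.Hidden) { 'hidden' }
             elseif ($hex -eq $t.Shown)  { 'shown' }
             else                        { 'unexpected value, left untouched' }

    # Only change a key that still holds the value the article documents as the starting point.
    if ($Apply -and $hex -eq $t.Shown) {
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $backup = Join-Path $BackupDir "$($t.Name)-ShellFolder.reg"

        # Back up the key first; abort before writing if the export fails.
        & reg.exe export $regPath $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of $regPath failed; value not changed." }

        & reg.exe add $regPath /v Attributes /t REG_DWORD /d "0x$($t.Hidden)" /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Write to $regPath failed; check elevation and key ownership." }

        $hex   = $t.Hidden
        $state = "hidden (changed, backup at $backup)"
    }

    [pscustomobject]@{ Item = $t.Name; Attributes = $hex; State = $state }
}
```

Run without -Apply across the farm first to see which hosts still show the items; an "unexpected value" result means the key differs from both values in this article and should be reviewed by hand.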
Hiding/Preventing Access to Drives and other features
You can use Group Policy settings to hide and restrict access to drives on the RD Session Host server. By enabling these settings you can ensure that users do not inadvertently access data stored on other drives, or delete or damage programs or other critical system files on drive C.
This can be carried out from the Group Policy Microsoft Management Console (MMC) as follows:
For Windows Server 2008 and Windows Server 2008 R2: User Configuration\Policies\Administrative Templates\Windows Components\Windows Explorer.
For Windows Server 2012 and Windows Server 2012 R2: User Configuration\Administrative Templates\Windows Components\File Explorer.
Additional policies can be set to:
Hide the Manage item on the Windows Explorer context menu
Remove Hardware tab
Remove "Map Network Drive" and "Disconnect Network Drive"
Remove Search button from Windows Explorer
Disable Windows Explorer’s default context menu
Remove Run menu from Start Menu
Session Limits
You can use these policy settings to specify the maximum amount of time that an active, disconnected, or idle session remains in its current state.
Set the time limit for disconnected sessions. When a session is disconnected, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server.
Set the time limit for logoff of published resources sessions. You can specify how long a user session will remain in a disconnected state after closing all programs but before the session is logged off from the RD Session Host server. By default, if a user closes a published resource, the session is disconnected from the RD Session Host server but it is not logged off.
This option can also be changed in the Parallels RAS Console by navigating to Farm \ Terminal Servers \ Properties \ Publishing Session.
Set time limit for logoff of published resources sessions. When a user closes the last running published resource associated with a session, Remote Application Server will keep the session in a disconnected state until the specified time limit is reached. When it is, the session will be logged off from the RD Session Host server. If the user starts another published resource before the time limit is reached, the user will reconnect to the disconnected session on the RD Session Host server.
Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. These configurations can be carried out from the Group Policy Microsoft Management Console (MMC): Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits.