Parallels RAS Best Practices Guide
ProductsSupportPartnersDocumentation
  • Introduction
  • Active Directory and Infrastructure Services Considerations
    • Active Directory
    • DNS
    • DHCP
    • File Services
  • Installation Procedures
    • Windows Server Requirements
    • Windows Server Roles & Features
  • Remote Access Configuration
    • Remote Desktop and Terminal Server Performance Settings
    • General Performance Related Settings
    • CPU Optimization
    • Optimizations
    • Configure RemoteFX
      • General Purpose RemoteFX Settings
        • Remote FX Settings for Windows Server 2008 R2
        • RemoteFX settings for Windows Server 2012 and 2012 R2
        • RemoteFX Settings for Windows Workstations Running Remote PC Agents and Guest Agents
        • Configure RemoteFX Adaptive Graphics
        • Configure RemoteFX Lossless Graphics
        • Use the Hardware Default Graphics Adapter for all Remote Desktop Services Sessions
        • Remote FX USB Redirection
        • Enable Audio / Recording Redirection
        • Audio and Video Playback
        • Time Zone Redirection
        • Device and Resource Redirection
        • Remote Session Environment (H.264, RemoteFX, Adaptive Acceleration)
        • Windows Server 2008 R2 RemoteFX Compatibility
    • RDP Optimizations
      • For Windows Server 2008 and Windows Server 2008 R2
      • For Windows Server versions 2012/2012 R2/2016/2019
    • RDP Security
    • Locking Down TS/RDS Host
    • Disable Administrative Components
    • Antivirus Exclusions
  • Printer and Drive Mapping
    • Printer and Drive Mapping
    • Printing/Scanning Compression
  • Miscellaneous
    • Load Balancing
    • Groups
    • Filtering
    • Disable Application Monitoring
    • Server Reboots
    • Backups
    • Large File Upload / Download via Drive Redirection
    • Remove Gateway Browsing from Your LAN
    • Remove Self-Signed Certificate Error
    • Remote PCs
    • VDI
  • Parallels RAS User Portal
Powered by GitBook

Social media

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube

Other Resources

  • Feedback

© 2025 Parallels International GmbH. All rights reserved.

On this page
  • Server Manager Console
  • Removing Favorites and Libraries
  • Hiding/Preventing Access to Drives and other features
  • Session Limits
Export as PDF
  1. Remote Access Configuration

Locking Down TS/RDS Host

Server Manager Console

Disable Server Manager Pop up for users logging in. This can be done from the Group Policy Microsoft Management Console (MMC):

User Configuration \ Polices \ Administrative Templates \ Start Menu and Taskbar

Some administrative group polices might not be available in the Group Policy Manager Console (GPMC). These can be imported from https://www.microsoft.com/en-au/download/details.aspx?id=41193.

Removing Favorites and Libraries

You must perform these modifications on the RD Session Host servers. You can use the Registry to make these changes directly or using group policy preferences (GPP).

Note: Back up the key first and take ownership of the ShellFolder before changing the value of Attributes.

  • For Favorites, the key is:

    [HKEY_CLASSES_ROOTCLSID{323CA680-C24D-4099-B94D-446DD2D7249E}ShellFolder] "Attributes"=dword:a0900100 Changing a0900100 to a9400100 will hide Favorites from the navigation pane.

  • For Libraries, the key is:

    [HKEY_CLASSES_ROOTCLSID{031E4825-7B94-4dc3-B131-E946B44C8DD5}ShellFolder] "Attributes"=dword:b080010d Changing b080010d to b090010d will hide Libraries from the navigation pane.

Hiding/Preventing Access to Drives and other features

You can use Group Policy settings to hide and restrict access to drives on the RD Session Host server. By enabling these settings you can ensure that users do not inadvertently access data stored on other drives, or delete or damage programs or other critical system files on drive C.

This can be carried out from the Group Policy Microsoft Management Console (MMC) as follows:

  • For Windows Server 2008 and Windows Server 2008 R2: User Configuration\Policies\Administrative Templates\Windows Components\Windows Explorer.

  • For Windows Server 2012 and Windows Server 2012 R2: User Configuration/ Administrative Templates/ Windows Components/ File Explorer.

Additional policies can be set to:

  • Hide the Manage item on the Windows Explorer context menu

  • Remove Hardware tab

  • Remove "Map Network Drive" and "Disconnect Network Drive"

  • Remove Search button from Windows Explorer

  • Disable Windows Explorer’s default context menu

  • Remove Run menu from Start Menu

Session Limits

You can use this policy setting to specify the maximum amount of time that an active, disconnected, or idle session remains in its current state.

Set the time limit for disconnected sessions. When a session is disconnected, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server.

Set the time limit for logoff of published resources sessions. You can specify how long a user session will remain in a disconnected state after closing all programs but before the session is logged off from the RD Session Host server. By default, if a user closes a published resource, the session is disconnected from the RD Session Host server but it is not logged off.

This option can also be changed in the Parallels RAS Console by navigating to Farm \ Terminal Servers \ Properties \ Publishing Session.

Set time limit for logoff of published resources sessions. When a user closes the last running published resource associated with a session, Remote Application Server will keep the session in a disconnected state until the specified time limit is reached. When it is, the session will be logged off from the RD Session Host server. If the user starts another published resource before the time limit is reached, the user will reconnect to the disconnected session on the RD Session Host server.

Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. These configurations can be carried out from the Group Policy Microsoft Management Console (MMC): Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits.

PreviousRDP SecurityNextDisable Administrative Components

Last updated 9 months ago

.

https://blogs.msdn.microsoft.com/rds/2011/05/26/how-to-restrict-users-from-accessing-local-drives-of-an-rd-session-host-server-while-using-remoteapp-programs/