When setting up a Windows 2016 RDS (Remote Desktop Server), there are a few GPO (Group Policy Object) settings I commonly define for all deployments. This group of settings helps make it difficult for users to get into administrative applications, improve performance, and generally keep users out of trouble. This is by no means a comprehensive list if of group policy items if you need your RDS server to be in full lockdown mode. Some of these settings apply to only Windows 2016. Here are my common GPO settings, in no particular order.
- Show only specified Control Panel items. Located in User Configuration / Policies / Administrative Templates / Control Panel. This policy setting requires that you define which control panel items are visible. To define the control panel items, you need to use their canonical names. I commonly make available “Microsoft.DevicesAndPrinters” so that users can make changes to their printers, such as setting a default printer, or changing the default printer preferences. I also make the “Mail” item available so users can modify their Outlook profiles which comes in handy when troubleshooting Outlook issues.
- Always open All Control Panel Items when opening Control Panel. Located in User Configuration / Policies / Administrative Templates / Control Panel. This policy setting goes together with the previous policy item and opens the control panel to the Small icons view which makes it easier for users to find what they are looking for.
- Settings Page Visibility. Located in User Configuration / Policies / Administrative Templates / Control Panel. This policy setting allows you to define which setting items are visible when a user clicks on the settings option (gear icon) from the Start button. I typically enable this setting and set the Page Visibility to “showonly:”. This in effect prevents the user from being able to access anything in the settings options.
- Use Cached Exchange Mode for new and existing Outlook profiles. Located in User Configuration / Policies / Microsoft Outlook 2016 / Account Settings / Exchange / Cached Exchange Mode. For this policy setting to be available, you will need to download and install the Office 2106 ADMX templates. I typically configure this setting to “Disabled” to prevent users from running Outlook in cached mode. Cached mode improves Outlook performance, but, caching every users Outlook data will consume a lot of disk space and can cause high disk utilization. This is especially true if you are using roaming profiles or have multiple RDS Servers.
- Start Layout. Located in User Configuration / Policies / Start Menu and Taskbar. This setting allows you to customize users Start menu tiles. I don’t want my users to see tiles for Server Manager, Administrative Tools, Powershell, etc. To use this policy item, you need to first login to an RDS server and customize the Start Menu tiles to your liking. You will then need to use the Export-StartLayout PowerShell cmdlet to create an XML file. Next save the XML file to a location where all users will have access and define this path in the group policy item.
- Hide these specified drives in My Computer. Located in User Configuration / Policies / Windows Components / File Explorer. I set this to Enabled and restrict access to all local drives. This prevents users from trying to save anything to the local C: drive on the RDS server.
Have any questions about setting up a Windows Remote Desktop Server? Contact us at any time.
This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.