I encountered an odd behavior from a recent Gateway RDWeb. I have Remote App and Full Desktop published to RDWeb, but when I went to download the FullDesktop.rdp – it got the same settings as the remote app.
I’ve checked the registry entries and they are correct. I even copied the contents of the RDPFileContents entry to Notepad and saved it as a .rdp file, and it worked great – so it’s valid…
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms\MyCollection\Applications\MyAppName
and
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms\MyCollection\RemoteDesktops\MyCollection
The contents have been changed to modify some settings and add the domain name in username section – but again, valid and works. Also changed the Name of each and it shows up in RDWeb properly.
I don’t know HOW RDWeb is pulling the wrong entry for the Desktop, since it SHOULD be pulling it from the Registry.
The ONLY thing I can think of is that my Collection Name and the Remote App name are the same… (above MyCollection and MyAppName are the same) but why would that be a problem?
Apparently, it is. My Collection is “MyAppName” and the published Remote App is “MyAppName” – and Windows Remote Desktop can’t decide which is which in RDWeb – despite the right settings in the registry.
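A quick way to catch this on a broker before it bites: the registry keys named above carry both the key name and a display Name value for every published desktop and RemoteApp, so a script can compare the two lists. The function below is an added example (not from the original post); its name is assumed, and it only reads the CentralPublishedResources keys on the machine it runs on.

```powershell
# Added example: flag RemoteApps whose key name or display Name collides with a
# published desktop / collection name in the same farm (the condition described above).
# Run on the RD Connection Broker. Function name is assumed, not from the post.
function Test-RdsPublishedNameCollision {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms'
    foreach ($farm in Get-ChildItem -Path $base -ErrorAction Stop) {
        # Collect key name and display Name for every published desktop in this farm
        $desktops = foreach ($k in Get-ChildItem -Path "$($farm.PSPath)\RemoteDesktops" -ErrorAction SilentlyContinue) {
            [pscustomobject]@{ Key = $k.PSChildName; Name = (Get-ItemProperty -Path $k.PSPath).Name }
        }
        # ...and for every RemoteApp
        $apps = foreach ($k in Get-ChildItem -Path "$($farm.PSPath)\Applications" -ErrorAction SilentlyContinue) {
            [pscustomobject]@{ Key = $k.PSChildName; Name = (Get-ItemProperty -Path $k.PSPath).Name }
        }
        # Every string a desktop can be known by (drop empty values)
        $desktopNames = @($desktops | ForEach-Object { $_.Key; $_.Name }) | Where-Object { $_ }
        foreach ($app in $apps) {
            foreach ($candidate in @($app.Key, $app.Name) | Where-Object { $_ }) {
                # -contains is case-insensitive, matching how the registry treats names
                if ($desktopNames -contains $candidate) {
                    [pscustomobject]@{
                        Farm         = $farm.PSChildName
                        RemoteApp    = $app.Key
                        CollidesWith = $candidate
                    }
                }
            }
        }
    }
}

# Usage (on the broker): any output row is a RemoteApp/desktop name clash worth renaming
Test-RdsPublishedNameCollision | Format-Table -AutoSize
```

No output means no RemoteApp shares a key name or display Name with a collection in that farm; a row means RDWeb has two resources it cannot tell apart by name, which is the situation the post describes.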
Trusted Domain users to RDP session
Can users from a Trusted Domain authenticate on a Remote Desktop connection in a different, trusting domain? Can it be done? Yes.
So, after some painful back and forth, it can be done, but it’s not totally secure, and it can be quite the hassle.
- Requires a Two-Way domain trust, which is not as secure as a one-way, limited trust.
- The RDP broker must be able to talk to the Trusted DC and the Trusted DC must be able to talk to the Trusting RDP broker as well as the Trusting DC
- Domain Local group on the Trusting domain that has a group from the Trusted domain as a member.
- NPS on the Gateway must be set to allow the Trusted domain user group. (May not be required on environments without a gateway)
Assuming you can set up a Two-Way domain trust – maybe even set up as Selective – that part is not covered here. On the Trusting domain (the one with the RDP server), you will need to set up a Domain Local security group that has the Trusted domain’s group as a member:
On the broker/gateway, in NPS, right click on NPS (Local) and, if Register server in Active Directory is bold, click it to register the server in Active Directory.
In the Network Policies, RDG_CAP_AllUsers, Conditions, User Groups, you need to add the Trusted domain’s user group and the domain local group (just in case).
In the collection(s), you can add the Domain Local group, or groups, to the User Groups assigned to that collection:
Now, users in the group from the Trusted domain, who are in the Domain Local group, can authenticate to an RDP session in the Trusting domain, as long as the firewall, VPN, etc. allows the RDP connection broker to reach the Trusted DC and vice versa.
To sum up:
- Two-Way Domain Trust: Establish a two-way domain trust between the trusting and trusted domains. This facilitates communication between the RDP broker/gateway and the trusted domain’s domain controller.
- Communication Channels: Ensure that communication channels are open bidirectionally between the RDP broker/gateway and the Trusted DC, as well as between the Trusted DC and the Trusting RDP broker and DC. Verify there are no network restrictions impeding this communication.
- Domain Local Group Creation: Create a Domain Local group on the Trusting domain, adding a group from the Trusted domain as a member. This allows users from the Trusted domain to be granted access permissions within the Trusting domain.
- NPS Configuration: In the Network Policy Server (NPS) on the RDP broker/gateway:
  - Register the server in Active Directory.
  - Configure the RDG_CAP_AllUsers network policy:
    - In Conditions, under User Groups, add the Trusted domain’s user group and the Domain Local group.
- Collection Configuration: In collections, assign the Domain Local group(s) to the User Groups associated with the collection.
- Active Directory Registration: Ensure the RDP broker/gateway is properly registered in Active Directory, which is vital for its integration with NPS.
- Firewall/VPN Configuration: Confirm that firewall or VPN settings allow the RDP connection broker to communicate with the Trusted DC and vice versa. This ensures seamless authentication for Trusted domain users accessing RDP sessions in the Trusting domain.
By meticulously following these steps, users from the Trusted domain who are members of the Domain Local group can successfully authenticate to RDP sessions in the Trusting domain. However, it’s crucial to monitor and maintain the setup’s security to mitigate potential risks.
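The trust check, the Domain Local group and the collection assignment from the steps above can be scripted from the Trusting domain. The script below is an added example, not the post’s own commands; every name in it (partner.example as the Trusted domain, RDP-Users, RDS-Partner-Users, MyCollection, rdcb01.corp.example) is an assumed placeholder. The NPS RDG_CAP_AllUsers change stays a manual step as described above.

```powershell
# Added example (not from the original post). Assumed names:
#   Trusting domain = the domain this runs in;  Trusted domain = partner.example
#   Trusted group   = PARTNER\RDP-Users;        new Domain Local group = RDS-Partner-Users
#   Collection      = MyCollection on broker rdcb01.corp.example
param(
    [string]$TrustedDomain    = 'partner.example',
    [string]$TrustedGroup     = 'RDP-Users',
    [string]$LocalGroup       = 'RDS-Partner-Users',
    [string]$CollectionName   = 'MyCollection',
    [string]$ConnectionBroker = 'rdcb01.corp.example'
)
Import-Module ActiveDirectory, RemoteDesktop -ErrorAction Stop

# 1. The trust must exist and be two-way, as the post found (Direction: Inbound/Outbound/BiDirectional)
$trust = Get-ADTrust -Filter "Name -eq '$TrustedDomain'" -ErrorAction Stop
if (-not $trust) { throw "No trust with $TrustedDomain found in this domain" }
if ($trust.Direction -ne 'BiDirectional') {
    throw "Trust with $TrustedDomain is $($trust.Direction); a two-way trust is required"
}

# 2. Reachability: the broker must be able to talk to a DC of the Trusted domain (LDAP 389 here)
$trustedDc = (Get-ADDomainController -DomainName $TrustedDomain -Discover -ErrorAction Stop).HostName |
    Select-Object -First 1
if (-not (Test-NetConnection -ComputerName $trustedDc -Port 389 -InformationLevel Quiet)) {
    throw "Cannot reach $trustedDc on 389; check firewall/VPN before continuing"
}

# 3. Domain Local group in the Trusting domain. Scope matters: Domain Local is the scope
#    that can hold principals from a trusted external domain (Global cannot).
$group = Get-ADGroup -Filter "Name -eq '$LocalGroup'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $LocalGroup -GroupScope DomainLocal -GroupCategory Security `
        -Description "RDS access for $TrustedDomain\$TrustedGroup" -PassThru
}

# 4. Add the Trusted domain's group as a member; -Server resolves the group in the other domain
$foreign = Get-ADGroup -Identity $TrustedGroup -Server $TrustedDomain -ErrorAction Stop
Add-ADGroupMember -Identity $group -Members $foreign

# 5. Grant the Domain Local group on the collection. -UserGroup REPLACES the list,
#    so merge with what is already assigned instead of overwriting it.
$current = (Get-RDSessionCollectionConfiguration -CollectionName $CollectionName `
    -UserGroup -ConnectionBroker $ConnectionBroker).UserGroup
$netbios = (Get-ADDomain).NetBIOSName
$wanted  = @($current) + "$netbios\$LocalGroup" | Where-Object { $_ } | Select-Object -Unique
Set-RDSessionCollectionConfiguration -CollectionName $CollectionName -UserGroup $wanted `
    -ConnectionBroker $ConnectionBroker

Write-Host "Trust OK, $netbios\$LocalGroup contains $TrustedDomain\$TrustedGroup and is assigned to $CollectionName."
Write-Host "Remaining manual step: add both groups to RDG_CAP_AllUsers > Conditions > User Groups in NPS."
```

The merge in step 5 is the part people get wrong: Set-RDSessionCollectionConfiguration -UserGroup overwrites the collection’s whole user-group list, so passing only the new group silently removes everyone else. Granting the Domain Local group rather than the foreign group directly keeps the access decision inside the Trusting domain, which is also where you audit it.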
Helpful Group Policy Query
So, have you ever been tasked with moving file shares or printer shares to a new server? How enjoyable is it combing through Group Policy to find where the old server name is used? Yeah, it’s not.
PowerShell to the rescue! The script below looks for any text within all the group policies and tells you which ones the text is found in. A server name is the most obvious thing to look for, but it could be a user name or a share name, etc.
```powershell
# Get the string to search for
$searchString = Read-Host -Prompt "Enter the string to search for in GPOs"
# Escape it so a UNC path or FQDN (backslashes, dots) is matched literally, not as a regex
$pattern = [regex]::Escape($searchString)

# Set the domain to search for GPOs
$DomainName = $env:USERDNSDOMAIN

# Check if the Group Policy module is loaded, import it if not
if (-not (Get-Module -Name GroupPolicy)) {
    Import-Module GroupPolicy -ErrorAction Stop
}

# Find all GPOs in the current domain
Write-Host "Finding all the GPOs in $DomainName"
try {
    $allGposInDomain = Get-GPO -All -Domain $DomainName -ErrorAction Stop
} catch {
    Write-Host "Error: Failed to retrieve GPOs. $_" -ForegroundColor Red
    exit
}

$matchedGPOs = @()

# Search through each GPO's XML report for the specified string (-match is case-insensitive)
Write-Host "Starting search..."
foreach ($gpo in $allGposInDomain) {
    try {
        $report = Get-GPOReport -Guid $gpo.Id -ReportType Xml -ErrorAction Stop
    } catch {
        Write-Host "Error: Failed to retrieve report for $($gpo.DisplayName). $_" -ForegroundColor Yellow
        continue
    }
    if ($report -match $pattern) {
        Write-Host "Match found in: $($gpo.DisplayName)" -ForegroundColor Green
        $matchedGPOs += $gpo.DisplayName
    } else {
        Write-Host "No match in: $($gpo.DisplayName)"
    }
}

# Display results
Write-Host "`nResults:`n**************" -ForegroundColor Yellow
foreach ($match in $matchedGPOs) {
    Write-Host "Match found in: $($match)" -ForegroundColor Green
}
```
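Knowing which GPO matches is half the job; for a server migration you also want to know which setting inside it still points at the old name (a drive map, a printer, a logon script path, a registry preference). The function below is an added example, not the script from the post: it parses the same XML report and reports the element path of every hit. The function name is assumed; it needs the GroupPolicy module (RSAT) and read access to the GPOs.

```powershell
# Added example (not the post's script): search every GPO's XML report for a string and
# report the path of each matching element or attribute, not just the GPO name.
function Find-GpoReference {
    param(
        [Parameter(Mandatory)][string]$SearchString,
        [string]$Domain = $env:USERDNSDOMAIN
    )
    Import-Module GroupPolicy -ErrorAction Stop
    # Match the input literally (UNC paths and FQDNs contain regex metacharacters)
    $pattern = [regex]::Escape($SearchString)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        try {
            [xml]$xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $Domain -ErrorAction Stop
        } catch {
            Write-Warning "Could not read report for '$($gpo.DisplayName)': $_"
            continue
        }
        # Values live in element text (most policies) and in attributes (Group Policy Preferences)
        foreach ($node in $xml.SelectNodes('//text()|//@*')) {
            if ($node.Value -notmatch $pattern) { continue }
            # Walk up to the document root to build a readable path, e.g.
            # GPO/Computer/ExtensionData/Extension/DriveMapSettings/Drive/Properties/@path
            $owner = if ($node.NodeType -eq 'Attribute') { $node.OwnerElement } else { $node.ParentNode }
            $parts = @()
            while ($owner -and $owner.NodeType -eq 'Element') {
                $parts = ,$owner.LocalName + $parts
                $owner = $owner.ParentNode
            }
            if ($node.NodeType -eq 'Attribute') { $parts += "@$($node.LocalName)" }
            [pscustomobject]@{
                Gpo   = $gpo.DisplayName
                Id    = $gpo.Id
                Path  = $parts -join '/'
                Value = $node.Value.Trim()
            }
        }
    }
}

# Usage: every row is one setting that still references the old server
Find-GpoReference -SearchString '\\oldfileserver' | Format-Table -AutoSize
```

Because the output is objects rather than text, it can be exported (Export-Csv) as the migration checklist, and re-run after the move to confirm no reference to the old server remains.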