Skip to main content

How to give access to Windows Apps on ChromeOS (or other devices) fairly cheaply

There has been some interest in giving access to a Windows desktop on ChromeOS in recent months. Some high end solutions involving VDI and server graphics acceleration are coming to the market. However, if you just want a standard rdp connection, you can do that now with using a terminal server and an appropriately deployed rdp app.

What do you need?

  • Server(s) with enough power to handle the number of users you have.
  • An appropriate Microsoft Licence - e.g. a schools agreement with a spare server licence.
  • A free external IP address - optional - only needed for offsite access.
  • A mandatory windows profile you can use.

Server
Our latest remote desktop server is made out of bit from Ebay - I have a separate blog post about it here. For decent performance, you need as many cores and memory as you can afford. In addition, a fast hard disk array - we now use 4 SSD's in RAID 10.

How you configure it is up to you, but we have ESXi 5.5 running on our servers and on this box the rdp VM runs on 8 cores and 24Gb RAM. This suits our purposes and allow other VMs to run on this machine.

Software
You will need to install either Server 2008R2 (gives Windows 7 style desktop) or Server 2012R2 (gives Windows 8.1 style desktop).
There are many good guide to setting up the remote desktop role on both Server 2008R2 and Server 2012R2 - but the rough sequence is:
  • Install the OS
  • Domain join the server (activate windows if you are not running KMS - which you probably are).
  • Install the remote desktop server role. Here you have an option for a session based service (which we use) or virtual desktop service (this has some advantages but will require more setup and far more server resources).
  • Licence the server - so you need to issue CALs by machine or user. You will need your school agreement number to activate the service - otherwise it will run as a trial.
  • Setup you session parameters - so who has access and what their user experience is like.
  • Install software on the server that you want users to access - e.g. Office.
  • Remove access to admin tools and powershell. You need to manually delete the links to these. These are in C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\
  • Apply appropriate group policies to the server. So this normally means applying a loopback policy that enables you to apply policies that only apply when a user logs onto the server. The key one is to apply a mandatory policy and delete the local user policy on logoff. This assumes you use group policies to prevent users from fiddling with any system setting - which we do (I use the 'merge' option which take the normal policies applied to a user and merges them with the machine specific with the machine specific one taking preference).

You will need an appropriate mandatory profile - here is a good server 2008R2 guide. This sets things like the default pins to the taskbar and so on.

Once all this is setup, you should be able to use the remote desktop app on a PC to logon to your server as one of your regular users. Check they cannot do anything you don't want them to be able to do.

Within local DNS, its nice to give the server a friendly name thats easy to remember and if you are going for offsite access - make this the same as the offsite name.

Off Site
To allow off site access you will need to create a firewall rule that maps your public IP address to you server's local IP address. We use ClearOS and this is quite easy to do with a 1:1 NAT rule. You will allow need to allow port 3389 for this rule. In your web hosting, you could add an A record to map that public IP address to something like thename.mydomain.com - so users don't need to put in an IP address to connect externally.

ChromeOS
The ChromeOS bit is easy. Simply deploy the AccessToGo (there are a few apps you could use - but I find this the most user friendly) app via the management console to users - we pin it to the shelf. Users put in the computer name (whatever you have called it in DNS) and click connect - they then get a Windows login screen.

Brief demo of the result:

If you have the server resources and a bit of patience - it does not take too long to set up.We also have the Windows Server Backup feature installed which runs a daily backup just incase something gets broken.
Labels:

Comments

Post a Comment

Popular posts from this blog

Delete a specific email using GAM

If a user send an inappropriate email to a loads of people or get stung by some sort of email exploit you can quickly delete the email from all of the recipients using a GAM command. Step 1 - get the email header Go into Google Vault and search for the offending user or someone known to have got the message. Click show details and grab the email ID. This will be a long string of characters followed by @mail.gmail.com Step 2 - find out who has the email Go into Google Vault and find the original message sent by the offending user. Look at the details to see who got it. Copy the list and dump it into a spreadsheet. Clean up to just a list of emails with a column header 'mail'. Save as a csv file. Step 3 - delete messages with GAM Put your CSV file in your GAM folder - this e.g. assumes its called mail.csv Run: gam csv mail.csv gam user ~mail delete messages query rfc822msgid: MESSAGEIDHERE doit The alternative nuke option is: gam all users delete messages query rf
Post a Comment
Read more

Adding subdomains to G Suite

This is how I add subdomains (so basically new schools) to out G suite setup. I've got these steps documented on a scruffy set of notes that I've now got in Keep - so time to document them - for myself as much as anyone else! Steps in order (roughly) Add the new domain Verify the new domain Add MX records to hosting Add SPF record for Google to hosting Turn on email authentication Add DMARC record to hosting Setup custom Directory and restrict students OU to this. Create an admin quarantine for the domain. Configure SPAM setting for the domain. Turn on and off services as appropriate. Map a blank Google Site to the naked domain - if required. Setup some basic groups - allstaff, allusers (for directory) and students with appropriate permissions. Deploy custom wallpapers. So the steps in a bit of detail: Add the new domain & Verify ownership Click on Domains in the admin console: Add/remove domains followed by "add a domain" At this
Post a Comment
Read more

My favorite GAM commands - well a few of them at least!

Where would be without GAM? Paying for expensive syncing tools or doing tedious manual tasks in the admin console. GAM can automate most things you might want to do in G Suite. So these are a few of my favourite commands - one I use either as part of a batch file - or just standalone. There are loads more - but these are ones that are used daily. Classroom Create a spreadsheet of all your domains classes -  gam print courses todrive Create a spreadsheet of a teacher's classes:  gam print courses teacher fred@mydomain.com todrive Bulk create classes: gam csv classes.csv gam create course alias ~alias name ~alias section ~subject teacher ~teacher status ACTIVE where classes.csv is a list of classes you want to make. Add teachers: gam csv teachers.csv gam course ~alias add teacher ~teacher Add students: gam csv students.csv gam course ~alias add teacher ~student Sync Students (in this example to a group - but could be an ou/csv file) gam csv groups.csv gam course ~g
Post a Comment
Read more