By default the security rights on the C: disk of an RDSH server are set to:


These rights allow your users to create folders and documents on the C: disk, which are readable by every user on the system. Some old applications also like to have their save preferences set to C:\something, so I'm seeing all kinds of data on the C: disk of RDSH servers with these default settings. On a Windows 7 system these defaults make sense, but on an RDSH server they do not.

You can remove these settings manually (ignore all the warnings you get), but as sysops we want to automate this. We did it with icacls.exe:

icacls C:\ /remove:g BUILTIN\users
icacls C:\ /grant:r BUILTIN\users:(OI)(CI)RX
icacls C:\ /grant:r BUILTIN\users:(OI)(CI)(IO)(WD,AD)

You can put this in a startup script and deploy it through a GPO.


DON’T remove the Read settings;

These read rights are set through:
icacls C:\ /grant:r BUILTIN\users:(OI)(CI)RX
which is the second line in the script.

DON’T remove these read/execute settings, as this would remove the execute permission on the RDSH server and deny execution of any application on the system. That would defeat the purpose of an RDSH, wouldn’t it? 😉
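To confirm the result after the startup script has run, the following PowerShell check (an added example, not part of the original post) reads the ACL on C:\ and reports whether BUILTIN\Users can still create items in the root and whether the inheritable read/execute grant from the second icacls line is still present. The function name Test-RdshRootAcl and its parameters are assumptions made for this example.

```powershell
# Added example, not from the original post. Test-RdshRootAcl is a hypothetical name.
function Test-RdshRootAcl {
    param(
        [string]$Path = 'C:\',
        [string]$Sid  = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users (locale-independent)
    )
    $fsr      = [System.Security.AccessControl.FileSystemRights]
    $create   = [int]$fsr::WriteData -bor [int]$fsr::AppendData   # WD = create files, AD = create folders
    $rx       = [int]$fsr::ReadAndExecute
    $oiCi     = [int][System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
                [int][System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $inhOnly  = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    # Allow ACEs for this SID only; rights that arrive through other groups are not evaluated.
    $aces = @((Get-Acl -LiteralPath $Path).GetAccessRules($true, $true,
                [System.Security.Principal.SecurityIdentifier]) |
              Where-Object { $_.IdentityReference.Value -eq $Sid -and
                             $_.AccessControlType -eq 'Allow' })

    # ACEs without the inherit-only (IO) flag apply to the root folder itself.
    $onRoot = @($aces | Where-Object { ([int]$_.PropagationFlags -band $inhOnly) -eq 0 })

    # Create rights that apply directly to the root.
    $rootCreate = @($onRoot | Where-Object { ([int]$_.FileSystemRights -band $create) -ne 0 })

    # The (OI)(CI)RX grant: full read/execute, inherited by subfolders and files.
    $rxInherited = @($aces | Where-Object {
        ([int]$_.FileSystemRights -band $rx) -eq $rx -and
        ([int]$_.InheritanceFlags -band $oiCi) -eq $oiCi })

    [pscustomobject]@{
        Path                 = $Path
        CanCreateInRoot      = $rootCreate.Count -gt 0    # should be False after hardening
        ReadExecuteInherited = $rxInherited.Count -gt 0   # must stay True
    }
}

$result = Test-RdshRootAcl
$result | Format-List
if ($result.CanCreateInRoot -or -not $result.ReadExecuteInherited) {
    Write-Warning "ACL on $($result.Path) does not match the intended state."
}
```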


