Hiding “Connect to a remote PC” tab from Remote Desktop Web Access based on Group Membership

The other day one of this blog’s visitors, Ryan Davis, posted a comment regarding possibilities for using Active Directory security group membership for hiding or showing the different tabs in Windows Server 2012 R2 RDS Web Access.

This post describes a method to do just that.

If a user successfully logs in to the Web Access environment the user will see all tabs by default.
In previous posts I describe how to hide the “Connect to a remote PC” tab, or create extra tabs.
Ryan’s question was about hiding the “Connect to a remote PC” tab for regular users, but showing it if the user is a member of a specific Active Directory security group.

So in this post I will focus on the default “Connect to a remote PC” tab.
RDS Tabs Based on Group Membership 01

The preparations
Again, the files that make up RD Web Access are in C:\Windows\Web\RDWeb\Pages and we’re going to be modifying some of them, so make a copy of that folder structure just to make sure we have a backup should we break something.

The Web Access pages will need to be able to use code that is needed to communicate with Active Directory. To be able to execute that code we need to tell the RD Web Access application that it can use an assembly to execute that code.
This assembly is present on the Windows Server 2012 R2 operating system by default.
So let’s tell Web Access that it is allowed to use these binaries.

Open web.config from C:\Windows\Web\RDWeb\Pages in an editor.
Find line 52:
RDS Tabs Based on Group Membership 02

And add the following code right after that:

<compilation defaultLanguage="c#" debug="true">
  <add assembly="System.DirectoryServices.AccountManagement, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>

The result must look like this:
RDS Tabs Based on Group Membership 03

This tells the RD Web Access application that we need extra code. The extra code is in the .NET Assembly, and specifically in System.DirectoryServices.AccountManagement.dll.
Save and close web.config, we don’t need it anymore.

Adding code and logic to the Default.aspx web page
Open Default.aspx from C:\Windows\Web\RDWeb\Pages\en-US\Default.aspx in an editor.
Find line 8:
RDS Tabs Based on Group Membership 04

And add the following line of code right before that:

<% @Import Namespace="System.DirectoryServices.AccountManagement" %>

The result must look like this:
RDS Tabs Based on Group Membership 05

Now find line 41:
RDS Tabs Based on Group Membership 06

Add the following code below that:

public string strShowDesktopsGroup = "Domain Admins";
public string strDomainName = "ITW";
public string[] arrGroupNames;

private static string[] GetGroupNames(string domainName, string userName)
 List<string> result = new List<string>();
 using (PrincipalContext principalContext = new PrincipalContext(ContextType.Domain, domainName))
  using (PrincipalSearchResult<Principal> src = UserPrincipal.FindByIdentity(principalContext, userName).GetGroups(principalContext))
   src.ToList().ForEach(sr => result.Add(sr.SamAccountName));
 return result.ToArray();

The result will look like this:
RDS Tabs Based on Group Membership 07

Notice that the first line of code here determines which Active Directory group the user needs to be a member of, in order to be able to see the “Connect to a remote PC” tab. In this case it will be “Domain Admins”, which is a built-in group in Active Directory, but this could also be a custom group you or an admin created in Active Directory.
Also notice that I’ve hardcoded the Active Directory Domain Name in the second line of code here:

public string strDomainName = "ITW";

Make sure you replace “ITW” with your own Domain Name ofcourse.

Find line 290:

RDS Tabs Based on Group Membership 08

Change that line into:

if (ConfigurationManager.AppSettings["ShowDesktops"].ToString() == "true" && arrGroupNames.Contains(strShowDesktopsGroup))

And add the following code before that line after you changed it:

arrGroupNames = GetGroupNames(strDomainName, strDomainUserName);

If done correctly, the result looks like this:
RDS Tabs Based on Group Membership 09

Testing the modifications
I will use my test user “Jan Klaassen” to test a regular Active Directory user.
The user is not a member of the Domain Admins group:
RDS Tabs Based on Group Membership 10

After logging in to the RD Web Access pages:
RDS Customize Web Access - Default 11
The tab is hidden.

Next test is to log in with a user who is a member of the Domain Admins group. I will use the Domain Admin account for that:
RDS Tabs Based on Group Membership 11

After logging in to the RD Web Access pages:
RDS Customize Web Access - Default 02
Voila, Active Directory group based access to the “Connect to a remote PC” tab.

What if a user manually points the browser to /RDWeb/Pages/en-US/Desktops.aspx? The user will be able to open that page if opened this way.
This flaw can be very easily solved by renaming Desktops.aspx to for example AdminDesktops.aspx and also changing that on line 294:
RDS Tabs Based on Group Membership 12

A more elegant solution would be to do a Group Membership check in that page as well and redirect the user to Default.aspx if necessary, but I’ll leave that solution to your own imagination.

Until next time,


ps: thanks to Ryan Davis for the idea :)


20+ years experience in Microsoft powered environments. Enjoy automating stuff using scripts, powershell, and even batch files. In my free time (hah! as if there is any) I hunt achievements and gamerscore on anything Xbox Live enabled (Windows Mobile, Windows 8, Windows 10, Xbox 360 and Xbox One). When I'm not doing that I enjoy traveling or riding my Yamaha R1 on the edge ;)

Tagged with: , , , ,
Posted in Customize, Remote Desktop, Windows 2012 R2
34 comments on “Hiding “Connect to a remote PC” tab from Remote Desktop Web Access based on Group Membership
  1. Steve Wylie says:

    Thanks for your several posts about customizing the rdweb page. I’ve been able to use something from almost all of them. I’m especially interested in your upcoming post on branding. Meanwhile, I’m having a problem with the selective hiding of the Connect to a Remote Desktop tab on the Default.aspx page. Here’s the error I get.

    Server Error in ‘/RDWeb/Pages’ Application.

    Compilation Error
    Description: An error occurred during the compilation of a resource required to service this request. Please review the following specific error details and modify your source code appropriately.

    Compiler Error Message: CS0305: Using the generic type ‘System.Collections.Generic.List’ requires 1 type arguments

    Source Error:

    Line 46: private static string[] GetGroupNames(string domainName, string userName)
    Line 47: {
    Line 48: List result = new List();
    Line 49:
    Line 50: using (PrincipalContext principalContext = new PrincipalContext(ContextType.Domain, domainName))

    Source File: c:\Windows\Web\RDWeb\Pages\en-US\Default.aspx Line: 48

    Show Detailed Compiler Output:

    Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.34009

    Can you help resolve this?
    Thanks again.

  2. Percy says:

    Are the steps the same for 2008 R2?

  3. Percy says:

    Having issues with this customization. After making the modifications I’m getting a 500.19 error for the web.config file. Prior to this error I was getting another error I believe it had to do with the ”

    Detailed Error Information:

    IIS Web Core


    Not yet determined

    Error Code

    Config Error
    Config section ‘system.web/compilation’ already defined. Sections must only appear once per config file. See the help topic for exceptions

    Config File

    Requested URL

    Physical Path

    Logon Method
    Not yet determined

    Logon User
    Not yet determined

    • Arjan Mensch says:

      Hi Percy,
      Reading the error I suspect you copy and pasted the system.web/compilation section into your web config file, which results in two sections in your web config. You need to move the contents of one of the section to the original section.
      Is this on the 2008R2 machine you mentioned?

  4. Percy says:

    Yes its a 2008R2.Many of the current production RDS Host Servers which will ultimately publish their rdc on the web site are 2008R2 servers. I really like this modification though for my flexibility in accessing servers quickly so i’ll have to deploy a 2012R2 server i guess. Thanks for the quick reply Arjan!

  5. Fred says:

    Hello Arjan, I have followed the steps here, but for some reason the rdweb connect to a remote pc tab is still there. If i turn off the connect to remote pc tab in IIS when i load a user it just sits and thinks, looking for applications to load and never loads. This is server 2012 (not R2) Any recommendations?

    • Fred says:

      I have figured out the issue from the previous post but now i am getting this.

      Server Error in ‘/RDWeb/Pages’ Application.

      Runtime Error
      Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.

      Details: To enable the details of this specific error message to be viewable on remote machines, please create a tag within a “web.config” configuration file located in the root directory of the current web application. This tag should then have its “mode” attribute set to “Off”.

      Notes: The current error page you are seeing can be replaced by a custom error page by modifying the “defaultRedirect” attribute of the application’s configuration tag to point to a custom error page URL.

  6. Hi Arjan

    I’m running 2012r2 and have added in .NET 3.5 – but still I get the exact same error as the first poster. I’ve tried installing all .NET features for 3.5 & 4.0 (initially only installed base options, then added all just to try), rebooted and fully patched, but still no joy. Do you have any ideas on what could be causing the issue? I’m really stumped.

    Nothing else is running on the server just RDWeb role.

    Any help would be most appreciated, your blogs are really well written and very useful! I very much look forwards to the branding one.



  7. X2Dojo says:

    I just tried following your the custom settings and gave me the same error. My RDS server is running on Windows 2012 R2 and have .NET 3.5 installed as well and can’t figure out why it’s bombing out. I made sure that all the spellings are correct and everything followed through as you directed. Please help. Thank you.

  8. X2Dojo says:

    I think the issue here is that I already used your customization on your other blog


    and beneath the already has an entry but the actual line is different. How an I get both of this customization to work? Thanks.

  9. Danny O'Connor says:

    I’ve got a bit further than the error in the first post. The text in the box to copy/paste doesn’t make the text in the example of how it should look.

    I can now login, but then get:

    Server Error in ‘/RDWeb/Pages’ Application.

    Value cannot be null.
    Parameter name: source
    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.ArgumentNullException: Value cannot be null.
    Parameter name: source

    • Arjan Mensch says:

      I modified the List result = new List(); line in the box you mention. Besides that one there was one more line with a mistake. Can you try if that fixes your error when you copy the full code again?

  10. Danny O'Connor says:

    Line 52 needs added after (PrincipalSearchResult too. Adding that I then get the error in my first post

  11. X2Dojo says:


    this is the code to remove the domain on login.

    and this is the code above..

    the tokens are different so i’m wondering if this will still work or will probably break either of the customization. the solution for me to remove the “Connect to a remote PC” is go to IIS and put “False” in ShowDesktop and then publish a Remote Desktop app and only apply to specific group. But I would rather do it your way if we can make it work. Thanks a bunch!!

  12. X2Dojo says:

    well I pasted the code and on my above post and didn’t post…argh!!

    • Arjan Mensch says:

      Hi X2Dojo,
      Yes the tokens are different. But since it are 2 different dlls (System.DirectoryServices.AccountManagement and System.DirectoryServices) this should not create a problem. If I find enough time, I’ll check if it works, but don’t hold your breath for it ;)

  13. Dennis Niedling says:

    the solution works perfect along your description. I added an AD Group to give access to the connect to a pc tab. Then I tried to add a nested group containing all IT employees. This is not working and the tab stays hided. It seems only users which are directly added to the Group can see the tab.
    Is there a solution to get nested Groups running for this customization?

    • Arjan Mensch says:

      Hi Dennis,

      Yes there is, but you need to program / find it yourself. The code I provide is more of a Proof on Concept and needs to be replaced with code that recursively checks group membership, instead of just single-level checks, like the code I provide.

  14. Chris Gundry says:

    Hi Arjan, Thanks for your work on this and your other posts, they are great! I was wondering if you had come up with anything to restrict the actual web portal itself. It seems this is something obvious that is missing from the standard MS product…? I have seen several posts about it but no one has a good solution.

  15. Jurgen says:

    I have a fresh install of Windows Server 2012r2 RD WEB Access server, and my default.aspx is different to the one you are showing.
    is at line 9, and line 41 is totally different. even the line “Public WorkSpaceInfo objworkspaceInfo = null” cannot be found in a search on the file.

    • Arjan Mensch says:

      Hi Jurgen,
      I just tested a fresh fully updated installation and it’s still the same.
      Make sure you open c:\windows\web\rdweb\pages\en-us\default.aspx and not c:\windows\web\rdweb\pages\default.aspx.

  16. Greg says:

    Hello Arjan, what is the difference between the logon.aspx (external URL) and default.aspx (internal). I what the users externally to see the default.aspx because it has the Connect to Remote Desktop and logon.aspx does not.

    • Arjan Mensch says:

      Hi Greg,
      Sorry for the late reply.
      All users go to default.aspx initially. This page detects if the user is authenticated or not and if not, the user gets redirected to logon.aspx. The users will see the default.aspx after they are authenticated.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Blog Authors

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 400 other followers

Blog Stats
  • 2,725,117 hits
  • An error has occurred; the feed is probably down. Try again later.
%d bloggers like this: