Answered: Prevent user from bypassing RemoteApp

  • Monday, December 17, 2012 3:55 PM

    Windows 2008 terminal server.

    I configured and distributed a RemoteApp RDP file to our workstations, but on the first day, one Windows XP user, not realizing that the logon format needed to be domain\username, instead of calling me for clarification, just went manually to Remote Desktop Connection, entered the server name, and gracefully bypassed all my hard work in configuring RemoteApp, ending up with a full desktop on the server.

    I know I can also set the Environment tab in Active Directory Users and Computers to limit users to one application should they again bypass the RemoteApp. However, it seems to me that there should be some setting that limits users to using RemoteApp RDP connections on a particular server and not a generic RDP logon, but I can find nothing. Is there any such setting?

    This is particularly important because we may use multiple RemoteApp connections and the occasional user may need regular RDP access (with desktop) to one of our other servers.

All Replies

  • Monday, December 17, 2012 4:31 PM
    Moderator
     Answered

    Hi,

    One technique for this is to set the Custom User Interface group policy setting to logoff.exe.  You would have the GPO apply to normal users, but not applied to Domain Admins (or other users that you need full desktop).

    User Configuration\Administrative Templates\System

    Custom User Interface     Enabled

    Interface file name: %systemroot%\system32\logoff.exe

    NOTE: It is critical to have your server configured to only allow certain programs to start on initial connection and explorer.exe must not be in this list.  Otherwise someone could specify to start explorer.exe automatically and it would bypass the Custom User Interface setting above and launch the desktop.

    This is configured in RemoteApp Manager by selecting Do not allow users to start unlisted programs on initial connection.  The list applies to RemoteApps as well as initial programs started via user account properties, RDP-Tcp properties, etc.

    You may already be aware of this but I will mention that denying the ability for a regular user to get a full desktop is a nice feature, but it is not much of a security measure by itself.  If part of the reason you would like this ability is to limit what users have access to then I recommend you look at NTFS permissions, AppLocker, Software Restriction Policies, group policies, etc.

    Thanks.

    -TP
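The following PowerShell audit script is an added example, not code from TP's reply or from Microsoft, that checks after deployment whether the three conditions the reply describes actually hold on a terminal server: the Custom User Interface policy resolves to logoff.exe, unlisted programs are blocked on initial connection, and explorer.exe is absent from the allow list. The registry locations it reads (the `Shell` value under `HKCU\...\Policies\System` for the GPO, and `fDisabledAllowList` plus the `Applications` subkeys under `HKLM\...\Terminal Server\TSAppAllowList` for the RemoteApp allow list) and the meaning of `fDisabledAllowList` (0 = only listed programs may start) are assumptions to verify on your own server before relying on the result.

```powershell
# Added audit example (not from the thread). Checks the controls TP describes:
#  1. "Custom User Interface" policy pointing the user shell at logoff.exe,
#  2. RemoteApp Manager's "Do not allow users to start unlisted programs on
#     initial connection", and
#  3. explorer.exe not being on the allow list.
# Registry paths and the meaning of fDisabledAllowList are assumptions; confirm
# them on your server. Requires PowerShell 2.0 or later.

$ShellPolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$AllowListKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList'
$ExpectedShell  = Join-Path $env:SystemRoot 'system32\logoff.exe'

function Test-CustomShell {
    # $true when the effective shell for the current user is logoff.exe, so a
    # plain RDP logon is logged off instead of receiving a desktop.
    $shell = (Get-ItemProperty -Path $ShellPolicyKey -Name Shell -ErrorAction SilentlyContinue).Shell
    if (-not $shell) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($shell)
    return ($expanded -ieq $ExpectedShell)
}

function Test-UnlistedProgramsBlocked {
    # Assumed: fDisabledAllowList = 0 means only allow-listed programs may be
    # started on initial connection; 1 would let any initial program run.
    $v = (Get-ItemProperty -Path $AllowListKey -Name fDisabledAllowList -ErrorAction SilentlyContinue).fDisabledAllowList
    return ($v -eq 0)
}

function Get-AllowedPrograms {
    # Assumed layout: one subkey per RemoteApp under ...\TSAppAllowList\Applications
    # carrying a Path value. Returns alias and path for each entry.
    $appsKey = Join-Path $AllowListKey 'Applications'
    if (-not (Test-Path $appsKey)) { return @() }
    Get-ChildItem -Path $appsKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        New-Object PSObject -Property @{ Alias = $_.PSChildName; Path = $p.Path }
    }
}

# --- report ---
$findings = @()
if (-not (Test-CustomShell)) {
    $findings += "Custom User Interface is not set to $ExpectedShell for this user; a plain RDP logon gets a full desktop."
}
if (-not (Test-UnlistedProgramsBlocked)) {
    $findings += "Unlisted programs are allowed on initial connection; the shell policy can be bypassed by requesting explorer.exe as the initial program."
}
$explorer = Get-AllowedPrograms | Where-Object { $_.Path -match '(?i)\\explorer\.exe$' }
if ($explorer) {
    $findings += "explorer.exe is on the RemoteApp allow list ($($explorer.Alias -join ', ')); remove it."
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: shell policy, allow list restriction and explorer.exe exclusion are all in place.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it inside a session of an ordinary (non-exempt) user on the terminal server, since the Custom User Interface policy is a per-user setting and the HKCU check reflects whichever account is logged on; an administrator exempted from the GPO will always see the first finding, which is the expected result for that account.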