locked
RDS 2012: allow RemoteApp ONLY RRS feed

  • Question

  • Hi,

    How can I allow remoteapp only for a usergroup on RDS 2012 (with broker).
    If I add users to remote desktop users they also can logon to the server which I don't want them to.

    J.


    Jan Hoedt

    Friday, April 15, 2016 9:31 AM

Answers

  • Perfectly possible. You can configure an RDS-server as a remote app or remote desktop. When you configure as remote app, you list the users which you don't need to add to remote desktop users.

    Working fine.


    Jan Hoedt

    • Marked as answer by janhoedt Wednesday, April 20, 2016 1:31 PM
    Wednesday, April 20, 2016 1:31 PM

All replies

  • Hi,

    you can't do that, here you'll find the explanation


    This post is provided AS IS with no warranties or guarantees, and confers no rights.
    ~~~
    Questo post non fornisce garanzie e non conferisce diritti

    Friday, April 15, 2016 9:42 AM
  • Hi,

    One technique for this is to set the Custom User Interface group policy setting to logoff.exe.  You would have the GPO apply to normal users, but not applied to Domain Admins.

    User Configuration\ Policies\ Administrative Templates\ System

    Custom User Interface     Enabled

    Interface file name: %systemroot%\system32\logoff.exe

    As you may already know, denying the ability for a regular user to get a full desktop is a nice feature, but it is not much of a security measure by itself.  If part of the reason you would like this ability is to limit what users have access to then I recommend you look at NTFS permissions, AppLocker, group policies, etc.

    Thanks.

    -TP

    Friday, April 15, 2016 11:41 AM
  • Perfectly possible. You can configure an RDS-server as a remote app or remote desktop. When you configure as remote app, you list the users which you don't need to add to remote desktop users.

    Working fine.


    Jan Hoedt

    • Marked as answer by janhoedt Wednesday, April 20, 2016 1:31 PM
    Wednesday, April 20, 2016 1:31 PM
  • TP, this is true for Windows 2008 R2, RDS 2012 works differently.

    Jan Hoedt

    Wednesday, April 20, 2016 1:32 PM
  • Thanks for sharing, it's not like that in 2008 R2:

    "Add the users and groups that need to access the RemoteApp programs to the Remote Desktop Users group."

    REF: https://technet.microsoft.com/en-us/library/ee216766.aspx


    This post is provided AS IS with no warranties or guarantees, and confers no rights.
    ~~~
    Questo post non fornisce garanzie e non conferisce diritti

    Wednesday, April 20, 2016 1:43 PM
  • TP, this is true for Windows 2008 R2, RDS 2012 works differently.

    Jan Hoedt

    Hi,

    Server 2012/2012 R2 works the same as 2008 R2 in this regard.  If you create a collection, publish RemoteApps, give a group access, and then a user uses mstsc.exe to manually connect directly to one of the RDSH servers, they will get a full desktop session.

    Perhaps I am confused as to what you are asking, exactly.  I thought you wanted to prevent users from being able to log on to the desktop of one of your servers, and only allow them to launch RemoteApps.  From reading your recent responses it seems part of your question is simply a generic how to give users access to a collection in 2012--which I think you realize now you are not supposed to directly make them members of the RDU group as was the case in 2008 R2.

    -TP

    Wednesday, April 20, 2016 2:03 PM
  • Works fine,
    Thanks buddy!
    Thursday, July 19, 2018 3:29 PM