Overriding local machine group policy for remote desktop session user

    Question

  • Background:

     In a client-server system, we use the Remote Desktop mechanism (MS RemoteApp) to visualize the apps launched on the server on the client. Internally, the application uses the RDP client “AxMsRdpClient8NotSafeForScripting” to establish a remote session.

    During installation the application creates a 'Remote session User' and sets a password. While establishing a connection, the user and password are set as given below.

    msRdpClient8.UserName = User;
    msRdpClient8.AdvancedSettings2.ClearTextPassword = Decrypt(password);
    //other parameters are set here
    msRdpClient8.Connect();

    Issue

    Due to hardening of the system, the security rules applied to remote desktop sessions have broken the system. The security policies are applied at the local machine level. A few are: 1) Prompt for password 2) Time Limit for active but Idle RD Service Session.

    The actual user of the system is not aware of the remote session password. Until now the user has been unaware of the mechanism used internally, as no password was prompted. Asking for a password will hinder the seamless integration of the application. We don't want the user to see the pop-up asking for a password.

    I am trying to find a solution for the blockers. I want to check if one of the following is possible:

    1) The Remote Desktop policies are applied at the local machine level. Is it possible to set the policy in such a way that it is not applicable to the ‘remote session user’ created by the application, while it is applied to a user who connects to the server system using remote desktop from outside (ex: using mstsc)?

    2) Is it possible to configure the AxMsRdpClient8NotSafeForScripting object in such a way that it will override the local machine level policy?

    Thanks for the support

    somaraj

    Friday, August 26, 2016 3:44 AM

All replies

  • Hi Somarajk,

    Thanks for your post.

    The Remote Desktop policies are applied at the local machine level. Is it possible to set the policy in such a way that it is not applicable to the ‘remote session user’ created by the application, while it is applied to a user who connects to the server system using remote desktop from outside (ex: using mstsc)?

    >>>Based on my experience, there is no built-in way to achieve this.

    If you want to prevent some users from running some applications, you could configure AppLocker.

    2) Is it possible to configure the AxMsRdpClient8NotSafeForScripting object in such a way that it will override the local machine level policy?

    >>>I am a little confused by this sentence, would you explain more?

    For AxMsRdpClient8NotSafeForScripting, you can do this from the command line or directly in mstsc.exe or from a custom .RDP file.
    Programmatically, you access a remote desktop server via the Remote Desktop Active X control. The control can be hosted on a Web Site or in an application.

    For more information, you could refer to the article below.

    Using multiple monitors programmatically from an RDP Active X control

    https://blogs.msdn.microsoft.com/winsdk/2014/12/31/using-multiple-monitors-programmatically-from-an-rdp-active-x-control/

    Best Regards,

    Jay



    Monday, August 29, 2016 7:45 AM
    Moderator
  • Hi Jay ,

    Thanks for the reply,

    What I meant by

    "Is it possible to configure the AxMsRdpClient8NotSafeForScripting object in such a way that it will override the local machine level policy."

    Is the following.

    The system is hardened as given below .
    "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" fPromptForPassword to 1

    My question was, is it possible to override this policy by setting some attribute in the AxMsRdpClient8NotSafeForScripting object?

    Because we don't want this policy to apply to the remote desktop connection made from our application to the server.

    Thanks

    somaraj

    Tuesday, August 30, 2016 9:17 AM
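
A read-only check of the hardening settings named in this thread, added here as an example and not code from the original posts: it reports whether the password prompt and idle limit on the server come from the machine policy key or from the RDP-Tcp listener's own configuration. The `MaxIdleTime` value name and the listener key path are assumptions that do not appear in the thread.

```powershell
# Added example: read-only audit of the RDS hardening settings discussed in the thread.
# Run on the RD Session Host. Nothing is written to the registry.
# Assumption: the idle-session limit is stored as MaxIdleTime (milliseconds);
# the thread names the policy but not the value.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
# Assumption: listener key path (not given in the thread).
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-RdsSettingReport {
    param([string[]]$Names = @('fPromptForPassword', 'MaxIdleTime'))
    foreach ($name in $Names) {
        $policy   = Get-RegValueOrNull -Path $policyKey   -Name $name
        $listener = Get-RegValueOrNull -Path $listenerKey -Name $name

        # A value in the Policies hive takes precedence over the listener setting.
        if ($null -ne $policy) {
            $effective = $policy;   $source = 'Machine policy'
        } elseif ($null -ne $listener) {
            $effective = $listener; $source = 'RDP-Tcp listener'
        } else {
            $effective = $null;     $source = 'Not configured'
        }

        [pscustomobject]@{
            Setting   = $name
            Policy    = $policy
            Listener  = $listener
            Effective = $effective
            Source    = $source
        }
    }
}

Get-RdsSettingReport | Format-Table -AutoSize
```

Both locations are under HKLM on the server, so the reported values describe the machine and its listener rather than any one account or connecting client.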