Limiting apps to specific users in RD environment

  • Question

  • We just moved servers offsite to a hosted service after a near disaster with onsite equipment. We have a VPN connection to the hosting service that allows printing directly to our IP printers across our sites and direct access from desktops to shared files and our DB2 server.

    This has resulted in unacceptable latency with some applications, so we have migrated almost everyone to a 2016 RD server also at the hosting service. This has greatly improved performance as well as removed the task of deploying several applications to 50+ computers. These are full desktops, not remote apps, since we have too many apps to deploy them all as remote apps.

    However, we have a site license for a particular accounting package that we do not want everyone to be able to use. Sometimes users just get too curious. We used to limit access to it by installing it only on accountants' workstations. But in the RD environment, I need to install it on the server in a way that only specific users can run it.

    My inclination is to create an AD group, then limit security for the program's EXE in its Program Files folder to include only the usual system admin accounts and the one AD group that needs the app.

    Is this a good approach? The only approach? What about setting rights at the Program Files\ThisProgramFolder level instead of just the EXE?

    Other/better ideas are welcome as are any pitfalls to avoid. After 20+ years of managing systems and 17 for this particular client, this is a first for me/us.

    Friday, June 12, 2020 5:52 AM
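
Added example, not part of the original post: one way to apply the NTFS approach the question describes, at the folder level so that the program's DLLs and helper executables are covered along with the EXE. The folder path `C:\Program Files\AcctApp` and the group `CONTOSO\App1-Allowed` are assumed placeholders; run it from an elevated PowerShell session on the RD Session Host.

```powershell
# Assumed values (not from the thread): install folder and AD group.
$AppFolder    = 'C:\Program Files\AcctApp'
$AllowedGroup = 'CONTOSO\App1-Allowed'

# Broad principals that usually hold Read & Execute under Program Files,
# given as well-known SIDs so the script does not depend on the OS language.
$BroadSids = @(
    '*S-1-5-32-545'   # BUILTIN\Users
    '*S-1-5-11'       # Authenticated Users
    '*S-1-1-0'        # Everyone
    '*S-1-15-2-1'     # ALL APPLICATION PACKAGES
    '*S-1-15-2-2'     # ALL RESTRICTED APPLICATION PACKAGES
)

function Invoke-Icacls {
    param([string[]]$Arguments)
    & icacls.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed: $($Arguments -join ' ')" }
}

# Save the current ACLs first so the change can be rolled back
# with "icacls <parent folder> /restore <file>".
Invoke-Icacls @($AppFolder, '/save', "$env:TEMP\AcctApp-acl.bak", '/T')

# 1. Stop inheriting from Program Files. The inherited entries are copied
#    as explicit ones, so SYSTEM, Administrators and TrustedInstaller stay.
Invoke-Icacls @($AppFolder, '/inheritance:d')

# 2. Remove the broad principals from the folder, and from any child
#    object that carries its own explicit entries (/T).
Invoke-Icacls (@($AppFolder, '/remove:g') + $BroadSids + '/T')

# 3. Grant the allowed group Read & Execute, inherited by subfolders (CI)
#    and files (OI).
Invoke-Icacls @($AppFolder, '/grant', "${AllowedGroup}:(OI)(CI)RX")

# 4. Show the resulting ACL for review: only the admin/system principals
#    and the allowed group should remain.
(Get-Acl -LiteralPath $AppFolder).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Users outside the group then get "Access is denied" when they try to start the program; a Start menu shortcut placed in the all-users profile will still be visible to them unless it is restricted the same way.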

All replies

  • Hi
    1. "But in the RD environment, I need to install it on the server in a way that only specific users can run it."
    Can you explain your RDS environment?
    2. "Is this a good approach? The only approach? What about setting rights at the Program Files\ThisProgramFolder level instead of just the EXE?"
    Do you want specified domain users in one group to be unable to run an application that is installed on RD Session Host server1, while other domain users can run that application on RD Session Host server1?
    We can try to use the policy below for your specified user group:
    User Configuration\Administrative Templates\System\Don't run specified Windows applications
    Don't run specified Windows applications
    Prevent users from running certain programs
    https://www.technipages.com/prevent-users-from-running-certain-programs

    3. "The only approach?"
    No.
    "What about setting rights at the Program Files\ThisProgramFolder level instead of just the EXE?"
    We can try to use AppLocker to limit a specified app to a specified user group.

    How to Configure Applocker in Windows Server 2012 R2
    https://www.youtube.com/watch?v=Z2-Sjw9UYdU

    Best Regards
    Andy YOU
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Friday, June 12, 2020 3:14 PM
  • RD server 2016. About 75 users, each having a full Remote Desktop.

    Regarding use of a GPO: I need an allow, not deny, policy. With 75 users, very few of whom need to run these applications, it will never work to have to put 73 of our 75 users in a "Do Not Run app #1" group, leaving out only those two that need access and 69 of them in a "Do Not Run app #2" group, leaving only the six that need access. Some users need to run one app, some need to run both, so I would have to have a separate GPO for each application--and maintain group membership.

    Adding almost all new users will always require adding them to several "do not run" groups.

    Instead, we need a way to have apps that can be run only by group members: "Allowed to run App #1" group with two members and "Allowed to run App #2" group with six members.

    Friday, June 12, 2020 3:31 PM
  • Hi
    4. "Regarding use of a GPO: I need an allow, not deny, policy."
    In general, when we install an app on the same RD Session Host server, all remote desktop group users can run this app on this RD Session Host server. When there are both a deny policy and an allow policy for the same domain user, the deny policy will win.

    I have another idea, as below.
    "it will never work to have to put 73 of our 75 users in a "Do Not Run app #1""
    Have you considered building more than one RDS collection, where in each collection we can add a specified user group?
    For example:
    There are 3 apps (app1 is only allowed for user group1; app2 is allowed for both user group2 and user group1; app3 is allowed for all user groups (user group1, user group2, group3)).
    RDSH (means RD Session Host)
    We install app1 on RDSH1 of collection1 and only allow user group1 to remotely access RDSH1.
    We install app2 on RDSH2 of collection2 and only allow both user group1 and user group2 to remotely access RDSH2.
    We install app3 on RDSH3 of collection3 and allow all user groups to remotely access RDSH3.

    If that idea is not what you expect, please give an Excel table of the allowed and denied apps and the corresponding user groups.

    5. We can use the method in the link below to verify your TechNet forum account so that you can post pictures and website links. Please make sure that the pictures you post do not contain your company's or your private information (including but not limited to domain name, public IP, email account, domain account, etc.). This private information must be altered.

    https://social.technet.microsoft.com/Forums/en-US/5c00b9a9-3afe-4ee9-bbf0-34157716b92a/verify-my-account?forum=reportabug


    Best Regards
    Andy YOU

    Sunday, June 21, 2020 7:54 AM
  • In the end, we have decided to go a little different direction by using two RD servers: one to host all users' desktops and local installations of the applications common to all users, the other to deploy limited-use applications as RemoteApps with access allowed by group membership to each RemoteApp.

    Sunday, June 21, 2020 9:16 AM
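
Added example, not part of the thread: publishing limited-use applications as RemoteApps restricted by group membership, as the post above describes. The collection name, application names, file paths and group names are assumed placeholders; the cmdlets are from the RemoteDesktop module and are run against the RD Connection Broker of the second deployment.

```powershell
Import-Module RemoteDesktop

# Assumed values (not from the thread).
$Collection = 'LimitedApps'
$Apps = @(
    @{ Alias = 'App1'; Path = 'C:\Program Files\App1\app1.exe'; Group = 'CONTOSO\Allowed-App1' }
    @{ Alias = 'App2'; Path = 'C:\Program Files\App2\app2.exe'; Group = 'CONTOSO\Allowed-App2' }
)

# The collection's user groups decide who may connect to this session host
# at all. Limit them to the union of the per-app groups so nobody outside
# those groups can open a session on the limited-use server.
$allGroups = $Apps | ForEach-Object { $_.Group } | Select-Object -Unique
Set-RDSessionCollectionConfiguration -CollectionName $Collection -UserGroup $allGroups

foreach ($app in $Apps) {
    $existing = Get-RDRemoteApp -CollectionName $Collection -Alias $app.Alias `
                    -ErrorAction SilentlyContinue
    if ($existing) {
        # Already published: make sure its assignment matches the intended group.
        Set-RDRemoteApp -CollectionName $Collection -Alias $app.Alias `
            -UserGroups $app.Group
    }
    else {
        # Publish the program and assign it to its "allowed" group only.
        New-RDRemoteApp -CollectionName $Collection -Alias $app.Alias `
            -DisplayName $app.Alias -FilePath $app.Path -UserGroups $app.Group
    }
}

# Review the result: each RemoteApp should list exactly one allowed group.
Get-RDRemoteApp -CollectionName $Collection |
    Format-Table DisplayName, FilePath, UserGroups -AutoSize
```

A user who needs both applications is simply a member of both groups, and a new user who needs neither requires no extra group membership.
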
  • Hi
    Thanks for your reply. It's a good idea. I hope everything goes well.

    Best Regards
    Andy YOU

    Monday, June 22, 2020 10:40 AM
  • Thank you, Andy. I appreciate all the help I get here!
    Monday, June 22, 2020 12:39 PM
  • You are welcome!

    Best Regards
    Andy YOU

    Wednesday, June 24, 2020 2:14 PM