Admin Switch and Start Program

  • Question

  • Hi, all.

    We're finding that if we set a W2K8R2 TS to force a program on an RDP connection, we cannot connect as admins and get a desktop. The /admin switch does not seem to matter.

    We have always been able to hit our W2K3 Terminal Servers with the switch (/console?), and they work fine. Users just get the application without a desktop but admins can get to everything.

    The only clue we've seen so far relates to a convoluted Loopback configuration in Group Policy.

    Does anyone know if we're missing something simple?


    Thanks.
    Friday, October 23, 2009 1:40 PM

Answers

  • Create an OU for each TS Server and move the server object inside of it.  Then create a GPO for each with the User Config setting to autostart the program you want, use security so that it does not apply to Domain Admins, and enable loopback.  That way the autostart application will be different depending on what server a user logs onto, however, Domain Admins will not have any application launched.

    The above takes only seconds per TS, assuming all you are doing is setting the autostart.  If you have many similar you could use Starter GPOs to help speed the process.

    You could also create a starter program or script that launches a particular program depending on the TS.  In this case the autostart would be the same for all of the Terminal Servers, however, each would have a config file or similar for the autostart program so that it knows which program to launch.

    For example, you could have a program named autostart.exe and set that as the startup for all of the servers.  In the folder on each server you would have a config file named autostart.exe.config that would contain the program it is supposed to launch.  Using VB/C# Express you could create this program in 15 minutes or less.

    Thanks.

    -TP

    • Proposed as answer by TP [MVP] Friday, October 23, 2009 9:06 PM
    • Marked as answer by Wayne Kessler Friday, October 23, 2009 10:15 PM
    Friday, October 23, 2009 9:06 PM
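The per-server launcher TP sketches above (one autostart.exe set as the startup program everywhere, with an autostart.exe.config beside it naming the real application) as an added example; this is not code from the thread. The appSettings key names, the `AllowedRoot` directory check and the use of System.Configuration are assumptions; the config file and its parent folder must be writable only by administrators, since whoever can edit it chooses what every user's session runs.

```csharp
// Added example launcher (not from the thread). Build as autostart.exe and reference
// System.Configuration.dll. Reads the program to run from autostart.exe.config, starts it,
// waits for it, then exits so the TS session ends when the application closes.
using System;
using System.Configuration;
using System.Diagnostics;
using System.IO;

static class AutoStart
{
    static int Main()
    {
        // autostart.exe.config (constructed example; key names are an assumption):
        // <configuration><appSettings>
        //   <add key="ProgramPath" value="C:\Apps\Payroll\Payroll.exe"/>
        //   <add key="Arguments"   value=""/>
        //   <add key="AllowedRoot" value="C:\Apps"/>
        // </appSettings></configuration>
        string program     = ConfigurationManager.AppSettings["ProgramPath"];
        string arguments   = ConfigurationManager.AppSettings["Arguments"] ?? "";
        string allowedRoot = ConfigurationManager.AppSettings["AllowedRoot"] ?? @"C:\Apps";

        if (string.IsNullOrEmpty(program))
        {
            Console.Error.WriteLine("autostart: ProgramPath is not configured");
            return 1;
        }

        // Only launch executables under the admin-controlled root: a tampered or
        // misplaced config file then cannot point the session at an arbitrary binary.
        string fullPath = Path.GetFullPath(program);
        string root     = Path.GetFullPath(allowedRoot).TrimEnd('\\') + "\\";
        if (!fullPath.StartsWith(root, StringComparison.OrdinalIgnoreCase) || !File.Exists(fullPath))
        {
            Console.Error.WriteLine("autostart: refusing to launch " + fullPath);
            return 2;
        }

        var psi = new ProcessStartInfo(fullPath, arguments)
        {
            UseShellExecute  = false,                        // direct CreateProcess, no shell verb lookup
            WorkingDirectory = Path.GetDirectoryName(fullPath)
        };
        using (Process p = Process.Start(psi))
        {
            p.WaitForExit();   // application closed: return, so the initial-program session logs off
            return p.ExitCode;
        }
    }
}
```

Each Terminal Server keeps the same autostart.exe but its own autostart.exe.config, which is what lets a single GPO startup setting serve several single-application servers.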

All replies

  • Hi,

    2003 will not automatically start a program when connecting to the console session, which explains why your technique worked.  Under 2008 things are different because in essence there is no special console session, so if you have configured the RDP-Tcp listener to automatically start a program (or the equivalent setting under a GPO\Computer Config) it will affect all users.

    There are different ways to solve this.  One way is to create a GPO object for your standard users that automatically starts the program using the setting under User Configuration and link it to the OU for them.  Since your admins are in a different OU, the setting will not apply when they log on.  Another way is to create a GPO (that applies to all users), set the program under User Config, and then Deny Apply Group Policy to the Domain Admins group.

    If you have a small number of users you could always configure the automatic program start on each user account properties.

    Setting up a GPO with loopback is not so complicated, and can be very useful.  The common case to use loopback is when you want to have restrictive Group Policy settings apply when users log on to a TS, but not apply when they log on to their workstation PC.  This is separate from settings applying to your admins--you would use security filtering for that to avoid the settings being applied to them.

    If you do not have any other GP restrictions you could have your admins log on and then start the shell manually.  For example, they enter their password, press Ctrl-Alt-End, Start Task Manager, File--New Task, explorer.exe.  This illustrates how easy it may be for a standard user to see the desktop as well.

    Please let me know if you have any questions.

    Thanks.

    -TP
    • Proposed as answer by TP [MVP] Friday, October 23, 2009 4:42 PM
    • Marked as answer by Wayne Kessler Friday, October 23, 2009 4:46 PM
    • Unmarked as answer by Wayne Kessler Friday, October 23, 2009 7:52 PM
    Friday, October 23, 2009 4:42 PM
  • Excellent answers.

    Thanks!!
    Friday, October 23, 2009 4:46 PM
  • Actually, it's been so long since I started working on this that I forgot where I was.

    The problem with using a GPO is that we have a number of different Terminal Servers, and several are set to serve up only one application. With several different apps, I can't see a clean way (if any way) to do it with GPO.

    If the answer is the hack of running explorer.exe, then that's what it'll have to be. It just seems like there should be a better way...

    Friday, October 23, 2009 7:58 PM
  • Thanks, TP.

    I suppose I was concerned with the way we currently have things set up, or I should say, the way a former employee had our servers set up.

    It's just as well - forcing my hand to clean up another mess - great thoughts, TP.
    Friday, October 23, 2009 10:22 PM