locked
Does an exclusion list apply to a user logging on to a Terminal server? RRS feed

  • Question

  • I asked this in the app-v 4.5 forum then noticed it's retired. Hope this is the right place.

    Just new to App-V.  Users logon to their workstations and only see the apps they are supposed to see - no problem. However when a user logs on locally to a terminal server (for TS admin purposes) he sees all the apps - not just the ones he is supposed to see.
     
    Is this by design? is there any way to restrict apps on a TS local logon?

    Thanks,
    Gary Olsen

    Friday, August 28, 2009 7:38 PM

Answers

  • Hello,

    I don't think its possible to restrict local admins from seeing all applications, however you can restrict them from starting applications (using enforced group memberships..)

    /Znack
    Tuesday, September 1, 2009 7:06 PM

All replies

  • Hello,

    This is very dependt on how you choose to distribute applications, whats your deployment method?

    /Znack
    Saturday, August 29, 2009 9:57 AM
  • Hi,

    I suppose that with "he sees all the apps" you mean that he sees all the apps in the Client Management Console (or do you mean he sees the shortcuts for all the apps in the Start Menu, Desktop etc.)...

    If a user is member of the local admin group, s/he usually can see all the apps in the Client Management Console (there is an option "Show all known applications" in the Client's "View" menu).
    If users see all the apps in their startup menu when they log onto a terminal server, guessing would be a little bit more complicated...
    Falko
    Monday, August 31, 2009 12:05 PM
    Moderator
  • Thanks - I believe it's in teh client management console.

    I need more info but I believe these are admins of some sort. So let's assume they are local admins. 

    so the question is... can we restrict local admins so they don't see all known apps?  Sorry - I don't have appv set up yet so I'm not sure what options are available in the client mgt console.

    thanks
    Gary
    Tuesday, September 1, 2009 4:21 PM
  • Hello,

    I don't think its possible to restrict local admins from seeing all applications, however you can restrict them from starting applications (using enforced group memberships..)

    /Znack
    Tuesday, September 1, 2009 7:06 PM
  • Ok - I have some more details on this one..

    1. they are allowing normal users to logon to the Terminal server. In the client apps console they see the apps they are supposed to see, but in the Start menu they see all apps.

    2. None of these are local admins - just users

    3. They use the sequencer and AD. The AppV Management server and streaming server are used to deliver virtual apps to  xp, vista, win7 and w2k3 Term svrs. Using appv for Terminal servers 4.5 Publishing servers are w2k3 standard R2 all security updates applied.

    So the question remains... does an exclusion list apply to a user logging on to a terminal server locally. Specifically - should the exclusion list prevent this user from seeing all apps in the Start Menu? or is this expected behavior. It is an odd scenario I will admit - allowing users to logon to the TS.

    thanks,
    Gary Olsen

     

    Tuesday, September 8, 2009 7:50 PM
  • Hello,

    Well, it would be interested where those apps are placed and a lot more information about your profile-handling;
    Basically the shortcuts should be placed in the users-profile by the app-v server, however if MSIs would be used, they would then be placed in the all-users profile.

    Now, another scenario is if someone updates the default user profile / roaming profile and it then was updated to contain all the shortcuts of published apps, and thus they would from then on be available for all users....

    Could be a couple of scenarios here and these are just initial thoughts....

    /Znack
    Tuesday, September 8, 2009 8:18 PM


  • So the question remains... does an exclusion list apply to a user logging on to a terminal server locally. Specifically - should the exclusion list prevent this user from seeing all apps in the Start Menu? or is this expected behavior. It is an odd scenario I will admit - allowing users to logon to the TS.

    thanks,
    Gary Olsen


    Gary,

    Given that your environment uses Management Server, App-V Client in the Terminal Server environment behaves just the same way it does in the workstation setup. So yes, users (even local admins) should only see their assigned applications on the Start Menu. In the client management console local admins see all applications present, but that doesn't mean they can actually launch those.

    This means that something is now wrong with your TS setup as it should not exhibit the behaviour you describe. One thing that comes to my mind is redirected Start Menu or maybe some form of mandatory profiles, do you happen to use those on your TS?

    Btw, I couldn't fully understand what you meant by exclusion list, but I assume you refer to fact that App-V publish shortcuts based on group membership?

    br,
    Kalle
    Thursday, September 10, 2009 7:03 PM
    Moderator
  • Reading throught this something else comes to my mind: Sometimes in Ts environments, the StartMenu is not generated the "usual" way but another piece of software (or a startup script) copies a StartMenu from a third location into the userprofile during LogOn. Of course it might be the case that this causes some strange behaviour.
    Concerning the Excusion list: No, the App-V client does behave the same way on a workstation and on a terminal server regardless the logon method if the clients are configured the same way.

    Falko
    Friday, September 11, 2009 6:15 PM
    Moderator
  • I'll admit again I'm an App-V newbie so forgive my ignorance..

    I see in the replies here that:

    1. an app-v client should only see the same shortcuts when logged on locally to a TS as he/she does when logged on to a workstation. (This was my first question so thanks for the info)

    2. Something is wrong with the TS (or app-v?) Setup...

    So here are some details

    1. We use the sequencer and AD.
    2. We use the AppV Management Server and Streaming server to deliver virtual apps to the XP Vista, Win7 and Win2008 TS.
    3. Using AppV for Terminal Servers v4.5
    4. Publishing servers are all Win2003 Standard R2 with latest security updates applied
    5. We have 5 app streaming servers running DFS which splits the file store \\content$ across each one and use the standard streaming
        method to push out the apps to TS
    6. Users logon to TS with roaming profiles - workstations use local profiles

    QUESTION: What could be an issue with the TS environment? anything in particular I should look for or be aware of?

    best regards,
    Gary

    Tuesday, September 15, 2009 2:59 PM