Disabling explorer.exe for non domain admin users

    Question

  • Good evening,

    I am running a Citrix XenApp environment and I need to disable explorer.exe from running for non domain admin users. My team and I have discovered that explorer.exe can be accessed by any app that is being used by the end user and therefore can grant that user access to the XenApp server interface--this is a BIG NO NO!

    The users do not have admin rights when in explorer.exe but they can shut down the server. I can disable a few areas such as the taskmgr, regedit, windows+x, and I can prevent the user from shutting down the system by only allowing them to log off, and prevent them from making changes to desktop icons, but it would be much preferred to stick it to the user and not allow them to access the XenApp server interface at all.

    I have tested changing the shell for explorer.exe from explorer.exe to iexplorer.exe and this worked fine (it only displayed the desktop wallpaper for the logged on user), but the change was not reversible. Luckily, I took a snapshot of my virtual test system beforehand.

    Is there a way to prevent Windows Explorer from running for all non domain admins and also so that the local administrator account is not affected by the change as well? 

    Thanks in advance,

    Monday, February 16, 2015 1:23 AM

Answers

  • Hi,

    >>Is there a way to prevent Windows Explorer from running for all non domain admins and also so that the local administrator account is not affected by the change as well?

    Yes, but we don't recommend that we do this, for explorer.exe provides a graphical user interface for accessing the file systems. If we really want to do this, we can use software restriction policy to restrict the exe from running for domain users.

    >> but it would be much preferred to stick it to user and not allow them to access the XenApp server interface at all,

    Here, it's recommended that we contact Citrix support to check if they can provide some suggestions other than disabling explorer.exe to achieve this.

    Citrix Support

    http://www.citrix.com/support.html

    Best regards,
    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Wednesday, February 18, 2015 1:54 AM
    Moderator
  • > Yes, but we don't recommend that we do this, for explorer.exe provides a
    > graphical user interface for accessing the file systems. If we really
    > want to do this, we can use software restriction policy to restrict the
    > exe from running for domain users.
     
    Why don't "we" recommend to do so, if "we" indeed provide a GP setting
    to replace the shell? SCNR :)
     
     
    Since this is a user policy, it can easily be applied to a selected
    group of users, or even with different shells to different groups of users.
     

    Martin

    How about reading a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Monday, February 23, 2015 4:19 PM
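
    The reply above notes that the shell replacement is a user policy and can be scoped to selected groups. As an added example (not part of the original thread), this read-only PowerShell check reports where a replacement shell is configured for the logged-on user and for the machine; the registry locations and the "Custom User Interface" policy name are supplied here from general Windows behaviour, not from the posts.

```powershell
# Added example: report where a replacement shell is configured.
# Read-only; it changes nothing. Run it in the session of the user being checked.

function Get-ShellValue {
    param([string]$Path)
    # Return the 'Shell' value under $Path, or $null if the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name 'Shell' -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.Shell } else { $null }
}

$locations = [ordered]@{
    # Written by the per-user policy "Custom User Interface"
    # (User Configuration > Administrative Templates > System).
    'User policy'      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    # Per-user Winlogon value.
    'User Winlogon'    = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    # Machine-wide Winlogon value; the Windows default is explorer.exe.
    'Machine Winlogon' = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
}

$report = foreach ($name in $locations.Keys) {
    $path  = $locations[$name]
    $value = Get-ShellValue -Path $path
    [pscustomobject]@{
        Location = $name
        Shell    = if ($null -ne $value) { $value } else { '<not set>' }
        Scope    = if ($path -like 'HKLM:*') { 'every account on this server' }
                   else { 'current user only' }
    }
}
$report | Format-Table -AutoSize

# A non-default machine-wide value applies to administrators as well,
# which is the outcome the question wants to avoid.
$machineShell = Get-ShellValue -Path $locations['Machine Winlogon']
if ($machineShell -and $machineShell -ne 'explorer.exe') {
    Write-Warning "Machine-wide shell is '$machineShell'; administrator logons are affected too."
}

# Show which user-scope GPOs reached this session, to confirm group filtering.
gpresult /r /scope user
```

    A value under "User policy" with the machine-wide value still at explorer.exe indicates the per-user policy is in effect and administrator logons keep the normal desktop.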

All replies

  • Can anyone suggest anything for this?

    Thanks,

    Tuesday, February 17, 2015 4:56 PM
  • Hi Martin,

    I am glad to have your comments. The reason why I said it's not recommended is that in case we disable the interface but do not replace it, the users will not be able to see a graphical user interface.

    Best regards,

    Frank Shen




    Monday, March 2, 2015 8:21 AM
    Moderator