[2003] Locking down desktop?

[Guest nospam@nospam.com]

Hello

 

I'm no Windows Server expect, and need to lock down the TS

desktop users see when connecting. This is actually a server that

prospects use to evaluate our application, and all users will use the

same login/password.

 

Basically, I'd like to only have a single icon on the desktop to

launch our app, and a single item in the Start menu that says

"Disconnect", to make sure users really close the session so that the

next user doesn't see a running session.

 

In addition, I'd like to run a batch file after a user has logged out,

so as to put pristine data back, in case the previous user has left

some identifying information.

 

According to Google, it looks like all this is done through the Group

Policy Editor (English translation mine), but there are so many

options in the Computer and User sections, that I don't know what to

do.

 

Could someone tell me how to get a bare TS desktop?

 

Thank you.

[Guest Gilles Ganault]

Re: [2003] Locking down desktop?

 

On Sat, 28 Jun 2008 14:23:09 +0200, "nospam@nospam.com" <Gilles>

wrote:

>According to Google, it looks like all this is done through the Group

>Policy Editor (English translation mine), but there are so many

>options in the Computer and User sections, that I don't know what to

>do.

 

I could make changes using gpedit.msc, but how can set those for a

given user, and not affect other user?

 

Thank you.

[Guest moncho]

Re: [2003] Locking down desktop?

 

Gilles Ganault wrote:

> On Sat, 28 Jun 2008 14:23:09 +0200, "nospam@nospam.com" <Gilles>

> wrote:

>> According to Google, it looks like all this is done through the Group

>> Policy Editor (English translation mine), but there are so many

>> options in the Computer and User sections, that I don't know what to

>> do.

>

> I could make changes using gpedit.msc, but how can set those for a

> given user, and not affect other user?

>

> Thank you.

 

You can try looking at http://www.sessioncomputing.com/security.htm

and see what will apply to your situation. In this document

there is a third party app to help you lock down TS.

 

I understand that your systems in a workgroup but you have MUCH

more flexibility if it was in an A/D.

 

moncho

[Guest Gilles Ganault]

Re: [2003] Locking down desktop?

 

On Mon, 30 Jun 2008 08:07:12 -0400, moncho <moncho@NOspmanywhere.com>

wrote:

>I understand that your systems in a workgroup but you have MUCH

>more flexibility if it was in an A/D.

 

I know, but the Powers that be don't want this server to run AD. Don't

ask :)

 

What I really want, is that this user will just have a bare,

unmodifiable desktop where he can only click on a shortcut on the

desktop, and click on LogOff in the Start menu.

 

I could do this through the Group Policy Editor (gpedit.msc, through

its Computer/User sections), but those apply to all users, not just

this single TS user.

 

Thank you.

[Guest Vera Noest [MVP]]

Re: [2003] Locking down desktop?

 

Gilles Ganault <nospam@nospam.com> wrote on 01 jul 2008 in

microsoft.public.windows.terminal_services:

> On Mon, 30 Jun 2008 08:07:12 -0400, moncho

> <moncho@NOspmanywhere.com> wrote:

>>I understand that your systems in a workgroup but you have MUCH

>>more flexibility if it was in an A/D.

>

> I know, but the Powers that be don't want this server to run AD.

> Don't ask :)

>

> What I really want, is that this user will just have a bare,

> unmodifiable desktop where he can only click on a shortcut on

> the desktop, and click on LogOff in the Start menu.

>

> I could do this through the Group Policy Editor (gpedit.msc,

> through its Computer/User sections), but those apply to all

> users, not just this single TS user.

 

That's one of the major draw-backs of a local policy, there is no

easy way to use security filtering.

There's a workaround, but be careful when implementing it, you can

easily lock yourself out of the system. Make sure you have a full

backup before using this method:

 

How can I lock down my standalone TS with a local policy without

locking down the Administrator account?

http://ts.veranoest.net/ts_faq_configuration.htm#local_policy

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___