Guest Eli
Posted August 4, 2008

Windows 2008 SP1
How can I prohibit users from logging in to the server through a regular RDP session while allowing them to use RemoteApp and WebAccess?

Guest Jeff Pitsch
Posted August 4, 2008

Re: Restricting users to login on the server.

I don't think you can. Your best bet is to completely lock down the desktop so that only the start menu and logoff button are available. If the users can't do anything then they won't be tempted to go to the desktop. This is very easy to do, by the way, with Group Policy.

Jeff Pitsch
Microsoft MVP - Terminal Services

Guest Eli
Posted August 4, 2008

Then what's the point of RemoteApp if one can just log in to the terminal server itself and use applications on it?

Guest Jeff Pitsch
Posted August 4, 2008

The same as it is for Citrix or any other TS vendor. It's a very simple matter to lock down the desktop, and the advantages of remote apps are pretty clear, especially if you're planning on using them. Now I may be wrong and there may be a way of disabling getting to the desktop, but I don't think there is.

Jeff Pitsch
Microsoft MVP - Terminal Services

Guest Eli
Posted August 4, 2008

Let's wait, maybe someone from Microsoft will answer it.

Guest Morgan che
Posted August 5, 2008

Hi,

Thanks for using this newsgroup.

As Jeff said, we can't prohibit users from logging in to the server via an RDP session while allowing them to log in via RemoteApp and WebAccess.

You can understand these three methods as just different interfaces to access resources on the Terminal server. Indeed, the three methods use the same authorization mechanism and the same way of establishing a connection between the client and the Terminal server, and require the same permissions to log on to the Terminal server. Moreover, Windows doesn't provide a function that can restrict RDP access while allowing RemoteApp and WebAccess access.

Could you please inform me why you want to prohibit users from logging in to the server via an RDP session while allowing them to log in via RemoteApp and WebAccess? I will check if there is any feasible method to satisfy your needs.

Thanks.

Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - http://www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Guest Eli
Posted August 5, 2008

I don't want them to use anything else on the server or the server itself,
like any other software that is installed but not published to RemoteApp/WebAccess,
or browsing the internet, etc.,
or saving

Guest Jeff Pitsch
Posted August 5, 2008

As I said, very very easily done using Group Policy. They won't be able to do anything if they decide to hit a desktop because all they will have is a logoff button. I agree it would be nice to deny desktops but we have to live with the cards we're dealt.

Jeff Pitsch
Microsoft MVP - Terminal Services

Guest Morgan che
Posted August 6, 2008

Hi,

Thanks for posting back.

If so, you can use the "Start a program on connection" policy to configure Terminal Services to run a specified program automatically upon connection. It is located under User Configuration\Administrative Templates\Windows Components\Terminal Server\Start a program on connection.

By default, Terminal Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the server administrator, or by the user in configuring the client connection.

If the status is set to Enabled, Terminal Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory is not specified) as the working directory for the program.

If the status is set to Disabled or Not Configured, Terminal Services sessions start with the full desktop, unless the server administrator or user specifies otherwise. (See the "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.)

Note: This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides.

Please check it to see if it meets your demands.

Thanks.

Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center

Guest Morgan che
Posted August 14, 2008

Hi,

I am writing to see how everything is going.

Has this issue been solved, or do you need further assistance? Please feel free to let me know.

Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center
Guest Eli Posted August 18, 2008
Re: Restricting users to login on the server.

Thanks for the advice.
I created new GPO for the OU where all TS people reside.
Used "start a program on connection" policy, and included there "%SystemRoot%\system32\calc.exe"
Now whoever is in that OU, when they login into TS thru RDP, they'll see only Calculator, which blocks access for them to everything else. And they can still use RemoteApps.

"Morgan che(MSFT)" wrote:
> Hi,
>
> I am writing to see how everything is going?
>
> Has this issue been solved or do you need further assistance? Please feel free to let me know.
>
> Sincerely
> Morgan Che
> Microsoft Online Support
> Microsoft Global Technical Support Center
Guest Vera Noest [MVP] Posted August 18, 2008
Re: Restricting users to login on the server.

Eli, you still have to lock down the server!
It's a misunderstanding that configuring a starting application would keep the users out of the full desktop of the TS!

It is very easy to get to the full desktop from within nearly every application, including Calculator. It's just a matter of time before your users will stumble upon it, even if they are not actively looking for it.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Eli <eli@newsgroup.nospam> wrote on 18 aug 2008 in microsoft.public.windows.terminal_services:

> Thanks for the advice.
> I created new GPO for the OU where all TS people reside.
> Used "start a program on connection" policy, and included there "%SystemRoot%\system32\calc.exe"
> Now whoever is in that OU, when they login into TS thru RDP, they'll see only Calculator, which blocks access for them to everything else. And they can still use RemoteApps.
Guest jolteroli Posted August 18, 2008
Re: Restricting users to login on the server.

like a jail without grating. you could set ntfs-acl's so explorer.exe and cmd.exe execution is denied for regular users. this is simple to set up and hard to circumvent.

-jolt

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message news:Xns9AFED92973BEEveranoesthemutforsse@207.46.248.16...
> Eli, you still have to lock down the server!
> It's a misunderstanding that configuring a starting application would keep the users out of the full desktop of the TS!
>
> It is very easy to get to the full desktop from within nearly every application, including Calculator. It's just a matter of time before your users will stumble upon it, even if they are not actively looking for it.
Guest Vera Noest [MVP] Posted August 18, 2008
Re: Restricting users to login on the server.

Yes, denying explorer.exe would disable the desktop. But you can still start *any* program from within Calculator.
How is left as an exercise for the reader :-)
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"jolteroli" <jolt1976@gmx.net> wrote on 18 aug 2008 in microsoft.public.windows.terminal_services:

> like a jail without grating. you could set ntfs-acl's so explorer.exe and cmd.exe execution is denied for regular users. this is simple to set up and hard to circumvent.
>
> -jolt
Guest Vera Noest [MVP] Posted August 18, 2008
Re: Restricting users to login on the server.

As a follow-up: you can use software restriction policies to lock down your server and really make sure that only approved applications are used.

Using Software Restriction Policies to Protect Against Unauthorized Software
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote on 18 aug 2008 in microsoft.public.windows.terminal_services:

> Yes, denying explorer.exe would disable the desktop. But you can still start *any* program from within Calculator.
> How is left as an exercise for the reader :-)
Guest jolteroli Posted August 19, 2008 Posted August 19, 2008 Re: Restricting users to login on the server. it's: http://technet.microsoft.com/en-us/library/bb457006.aspx, dear Vera.
Guest Vera Noest [MVP] Posted August 19, 2008 Posted August 19, 2008 Re: Restricting users to login on the server. Ooops! I hate it when Microsoft (or any other company for that matter) keep changing their links. Thanks, jolteroli, I'll update the link on my website! _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net *----------- Please reply in newsgroup -------------* "jolteroli" <jolt1976@gmx.net> wrote on 19 aug 2008: > it's: http://technet.microsoft.com/en-us/library/bb457006.aspx, > dear Vera.