Restricting users to login on the server.


Posted

Windows 2008 SP1

How can I prohibit users to login on the server thru a regular RDP session

while allowing them to use RemoteApp and WebAccess?

Guest Jeff Pitsch
Posted

Re: Restricting users to login on the server.

 

I don't think you can. Your best bet is to completely lock down the desktop

so that only the start menu and logoff button are available. If the users

can't do anything then they won't be tempted to go to the desktop. This is

very easy to do by the way with Group Policy.

 

Jeff Pitsch

Microsoft MVP - Terminal Services

 

 

"Eli" <eli@newsgroup.nospam> wrote in message

news:4F3D8F86-E968-4F7F-ACDB-E7096A896698@microsoft.com...

> Windows 2008 SP1

> How can I prohibit users to login on the server thru a regular RDP session

> while allowing them to use RemoteApp and WebAccess?

>

Posted

Re: Restricting users to login on the server.

 

Then what's the point of RemoteApp if one can just login to terminal server

itself and use applications on it?

 

 

"Jeff Pitsch" wrote:

> I don't think you can. Your best bet is to completely lock down the desktop

> so that only the start menu and logoff button are available. If the users

> can't do anything then they won't be tempted to go to the desktop. This is

> very easy to do by the way with Group Policy.

>

> Jeff Pitsch

> Microsoft MVP - Terminal Services

>

>

> "Eli" <eli@newsgroup.nospam> wrote in message

> news:4F3D8F86-E968-4F7F-ACDB-E7096A896698@microsoft.com...

> > Windows 2008 SP1

> > How can I prohibit users to login on the server thru a regular RDP session

> > while allowing them to use RemoteApp and WebAccess?

> >

>

>

>

Guest Jeff Pitsch
Posted

Re: Restricting users to login on the server.

 

The same as it is for Citrix or any other TS vendor. It's a very simple matter

to lock down the desktop and the advantages of remote apps are pretty clear

especially if you're planning on using them. Now I may be wrong and there may

be a way of disabling getting to the desktop but I don't think there is.

 

Jeff Pitsch

Microsoft MVP - Terminal Services

 

 

"Eli" <eli@newsgroup.nospam> wrote in message

news:043D9B3A-4DF3-4639-BC5D-7F79B648D38C@microsoft.com...

> Then what's the point of RemoteApp if one can just login to terminal

> server

> itself and use applications on it?

>

>

> "Jeff Pitsch" wrote:

>

>> I don't think you can. Your best bet is to completely lock down the

>> desktop

>> so that only the start menu and logoff button are available. If the

>> users

>> can't do anything then they won't be tempted to go to the desktop. This

>> is

>> very easy to do by the way with Group Policy.

>>

>> Jeff Pitsch

>> Microsoft MVP - Terminal Services

>>

>>

>> "Eli" <eli@newsgroup.nospam> wrote in message

>> news:4F3D8F86-E968-4F7F-ACDB-E7096A896698@microsoft.com...

>> > Windows 2008 SP1

>> > How can I prohibit users to login on the server thru a regular RDP

>> > session

>> > while allowing them to use RemoteApp and WebAccess?

>> >

>>

>>

>>

Posted

Re: Restricting users to login on the server.

 

Let's wait, maybe someone from Microsoft will answer it.

 

"Jeff Pitsch" wrote:

> The same as it is for Citrix or any other TS vendor. It's a very simple matter

> to lock down the desktop and the advantages of remote apps are pretty clear

> especially if you're planning on using them. Now I may be wrong and there may

> be a way of disabling getting to the desktop but I don't think there is.

>

> Jeff Pitsch

> Microsoft MVP - Terminal Services

>

>

> "Eli" <eli@newsgroup.nospam> wrote in message

> news:043D9B3A-4DF3-4639-BC5D-7F79B648D38C@microsoft.com...

> > Then what's the point of RemoteApp if one can just login to terminal

> > server

> > itself and use applications on it?

> >

> >

> > "Jeff Pitsch" wrote:

> >

> >> I don't think you can. Your best bet is to completely lock down the

> >> desktop

> >> so that only the start menu and logoff button are available. If the

> >> users

> >> can't do anything then they won't be tempted to go to the desktop. This

> >> is

> >> very easy to do by the way with Group Policy.

> >>

> >> Jeff Pitsch

> >> Microsoft MVP - Terminal Services

> >>

> >>

> >> "Eli" <eli@newsgroup.nospam> wrote in message

> >> news:4F3D8F86-E968-4F7F-ACDB-E7096A896698@microsoft.com...

> >> > Windows 2008 SP1

> >> > How can I prohibit users to login on the server thru a regular RDP

> >> > session

> >> > while allowing them to use RemoteApp and WebAccess?

> >> >

> >>

> >>

> >>

>

>

>

Guest Morgan che
Posted

Re: Restricting users to login on the server.

 

Hi,

 

Thanks for using this newsgroup.

 

As Jeff said, we can't prohibit users to login to the server via a RDP

session while allowing them to login via RemoteApp and WebAccess.

 

You can understand these three methods are just different interfaces to

access resources on Terminal server. Indeed, the three methods use the same

authorization mechanism, the way of establishing connection between client

and Terminal server and require the same permissions to logon to Terminal

server. Moreover, Windows doesn't provide a function that can restrict RDP

access while allowing RemoteApp and WebAccess access.

 

Could you please inform me why you want to prohibit users to login to the

server via a RDP session while allowing them to login via RemoteApp and

WebAccess? I will check if there is any feasible method to satisfy your

needs.

 

Thanks.

 

 

Sincerely

Morgan Che

Microsoft Online Support

Microsoft Global Technical Support Center

 

Get Secure! - http://www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so

that others may learn and benefit from your issue.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

 

 

--------------------

--->Thread-Topic: Restricting users to login on the server.

--->thread-index: Acj2alGkDlhWZ+GbRDuFTZhDMExcaQ==

--->X-WBNR-Posting-Host: 207.46.19.168

--->From: =?Utf-8?B?RWxp?= <eli@newsgroup.nospam>

--->References: <4F3D8F86-E968-4F7F-ACDB-E7096A896698@microsoft.com>

<eQWlE4l9IHA.5684@TK2MSFTNGP05.phx.gbl>

<043D9B3A-4DF3-4639-BC5D-7F79B648D38C@microsoft.com>

<O184ihm9IHA.3544@TK2MSFTNGP06.phx.gbl>

--->Subject: Re: Restricting users to login on the server.

--->Date: Mon, 4 Aug 2008 12:43:07 -0700

--->Lines: 47

--->Message-ID: <FD9A15F1-B860-4D0F-A4A6-DCA871657696@microsoft.com>

--->MIME-Version: 1.0

--->Content-Type: text/plain;

---> charset="Utf-8"

--->Content-Transfer-Encoding: 7bit

--->X-Newsreader: Microsoft CDO for Windows 2000

--->Content-Class: urn:content-classes:message

--->Importance: normal

--->Priority: normal

--->X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3119

--->Newsgroups: microsoft.public.windows.terminal_services

--->Path: TK2MSFTNGHUB02.phx.gbl

--->Xref: TK2MSFTNGHUB02.phx.gbl

microsoft.public.windows.terminal_services:19658

--->NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149

--->X-Tomcat-NG: microsoft.public.windows.terminal_services

--->

--->let's wait, maybe someone from microsoft will answer it.


Posted

Re: Restricting users to login on the server.

 

I don't want them to use anything else on the server or the server itself.

like any other software that is installed, but not published to

remoteapp/webaccess.

or browsing internet, etc.

or saving

 

"Morgan che(MSFT)" wrote:

> Hi,

>

> Thanks for using this newsgroup.

>

> As Jeff said, we can't prohibit users to login to the server via a RDP

> session while allowing them to login via RemoteApp and WebAccess.

>

> You can understand these three methods are just different interfaces to

> access resources on Terminal server. Indeed, the three methods use the same

> authorization mechanism, the way of establishing connection between client

> and Terminal server and require the same permissions to logon to Terminal

> server. Moreover, Windows doesn't provide a function that can restrict RDP

> access while allowing RemoteApp and WebAccess access.

>

> Could you please inform me why you want to prohibit users to login to the

> server via a RDP session while allowing them to login via RemoteApp and

> WebAccess? I will check if there is any feasible method to satisfy your

> needs.

>

> Thanks.

>

>

> Sincerely

> Morgan Che

> Microsoft Online Support

> Microsoft Global Technical Support Center

>

> Get Secure! - http://www.microsoft.com/security

> =====================================================

> When responding to posts, please "Reply to Group" via your newsreader so

> that others may learn and benefit from your issue.

> =====================================================

> This posting is provided "AS IS" with no warranties, and confers no rights.

>

>


Guest Jeff Pitsch
Posted

Re: Restricting users to login on the server.

 

As I said, very very easily done using Group Policy. They won't be able to

do anything if they decide to hit a desktop because all they will have is a

logoff button.

 

I agree it would be nice to deny desktops but we have to live with the cards

we're dealt.

 

Jeff Pitsch

Microsoft MVP - Terminal Services

 

"Eli" <eli@newsgroup.nospam> wrote in message

news:C0BA6866-B740-4E2A-88DC-8EB6DDAEF8AD@microsoft.com...

> I don't want them to use anything else on the server or the server itself.

> like any other software that is installed, but not published to

> remoteapp/webaccess.

> or browsing internet, etc.

> or saving

>

> "Morgan che(MSFT)" wrote:

>

>> Hi,

>>

>> Thanks for using this newsgroup.

>>

>> As Jeff said, we can't prohibit users to login to the server via a RDP

>> session while allowing them to login via RemoteApp and WebAccess.

>>

>> You can understand these three methods are just different interfaces to

>> access resources on Terminal server. Indeed, the three methods use the

>> same

>> authorization mechanism, the way of establishing connection between

>> client

>> and Terminal server and require the same permissions to logon to Terminal

>> server. Moreover, Windows doesn't provide a function that can restrict

>> RDP

>> access while allowing RemoteApp and WebAccess access.

>>

>> Could you please inform me why you want to prohibit users to login to the

>> server via a RDP session while allowing them to login via RemoteApp and

>> WebAccess? I will check if there is any feasible method to satisfy your

>> needs.

>>

>> Thanks.

>>

>>

>> Sincerely

>> Morgan Che

>> Microsoft Online Support

>> Microsoft Global Technical Support Center

>>

>> Get Secure! - http://www.microsoft.com/security

>> =====================================================

>> When responding to posts, please "Reply to Group" via your newsreader so

>> that others may learn and benefit from your issue.

>> =====================================================

>> This posting is provided "AS IS" with no warranties, and confers no

>> rights.

>>

>>


Guest Morgan che
Posted

Re: Restricting users to login on the server.

 

Hi,

 

Thanks for posting back.

 

If so, you can use the "start a program on connection" policy to configure

Terminal Services to run a specified program automatically upon connection,

which is located under User configuration \Administrative Templates\ Windows

components\ Terminal server\ Start a program on connection.

 

By default, Terminal Services sessions provide access to the full Windows

desktop, unless otherwise specified with this setting, by the server

administrator, or by the user in configuring the client connection.

 

If the status is set to Enabled, Terminal Services sessions automatically

run the specified program and use the specified Working Directory (or the

program default directory, if Working Directory is not specified) as the

working directory for the program.

 

If the status is set to Disabled or Not Configured, Terminal Services

sessions start with the full desktop, unless the server administrator or

user specify otherwise. (See "Computer Configuration\Administrative

Templates\System\Logon\Run these programs at user logon" setting.)

 

Note: This setting appears in both Computer Configuration and User

Configuration. If both settings are configured, the Computer Configuration

setting overrides.

 

Please check it to see if it meets your demands. Thanks.

 

 

Sincerely

Morgan Che

Microsoft Online Support

Microsoft Global Technical Support Center

 

Get Secure! - http://www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so

that others may learn and benefit from your issue.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

 

 

--------------------

--->Thread-Topic: Restricting users to login on the server.

--->thread-index: Acj3AMLcaENo1VURQDOUteSukpdmJw==

--->X-WBNR-Posting-Host: 207.46.19.197

--->From: =?Utf-8?B?RWxp?= <eli@newsgroup.nospam>

--->References: <4F3D8F86-E968-4F7F-ACDB-E7096A896698@microsoft.com>

<eQWlE4l9IHA.5684@TK2MSFTNGP05.phx.gbl>

<043D9B3A-4DF3-4639-BC5D-7F79B648D38C@microsoft.com>

<O184ihm9IHA.3544@TK2MSFTNGP06.phx.gbl>

<FD9A15F1-B860-4D0F-A4A6-DCA871657696@microsoft.com>

<jVBu1Pt9IHA.3476@TK2MSFTNGHUB02.phx.gbl>

--->Subject: Re: Restricting users to login on the server.

--->Date: Tue, 5 Aug 2008 06:40:02 -0700

--->Lines: 131

--->Message-ID: <C0BA6866-B740-4E2A-88DC-8EB6DDAEF8AD@microsoft.com>

--->MIME-Version: 1.0

--->Content-Type: text/plain;

---> charset="Utf-8"

--->Content-Transfer-Encoding: 7bit

--->X-Newsreader: Microsoft CDO for Windows 2000

--->Content-Class: urn:content-classes:message

--->Importance: normal

--->Priority: normal

--->X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3119

--->Newsgroups: microsoft.public.windows.terminal_services

--->Path: TK2MSFTNGHUB02.phx.gbl

--->Xref: TK2MSFTNGHUB02.phx.gbl

microsoft.public.windows.terminal_services:19680

--->NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149

--->X-Tomcat-NG: microsoft.public.windows.terminal_services

--->

--->i don't want them to use anything else on the server or the server

itself.

--->like any other software that is installed, but not published to

--->remoteapp/webaccess.

--->or browsing internet, etc.

--->or saving

--->
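
The policy check described in the post above, as an added example that is not part of the original thread: it reports which "Start a program on connection" setting is in effect and applies the stated precedence (Computer Configuration overrides User Configuration). The registry key and value names, the list of shell-like programs, and all function names are assumptions made for this example.

```powershell
# Added example, not from the thread. Reports which "Start a program on
# connection" setting is in effect for the account running the script.
# Assumption: the policy is stored as the values InitialProgram and
# WorkDirectory under the key below, in HKLM for Computer Configuration and
# in HKCU for User Configuration. Verify the value names on your build.
$PolicyKey = 'Software\Policies\Microsoft\Windows NT\Terminal Services'

# Hypothetical list: programs that give the user a general-purpose shell and
# so do not restrict the session to a single application.
$ShellLike = @('explorer.exe', 'cmd.exe', 'powershell.exe')

function Get-StartProgramSetting {
    param([string]$Hive, [string]$Scope)
    $props = Get-ItemProperty -Path "${Hive}:\$PolicyKey" -ErrorAction SilentlyContinue
    if ($props -eq $null -or [string]::IsNullOrEmpty($props.InitialProgram)) {
        return $null    # Disabled or Not Configured in this scope
    }
    New-Object PSObject -Property @{
        Scope            = $Scope
        Program          = $props.InitialProgram
        WorkingDirectory = $props.WorkDirectory
    }
}

function Get-ProgramLeaf {
    param([string]$CommandLine)
    # Use the quoted path if there is one, otherwise the first token.
    if ($CommandLine -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($CommandLine.Trim() -split '\s+')[0] }
    return (Split-Path -Path $exe -Leaf).ToLower()
}

function Get-EffectiveStartProgram {
    # HKCU is the hive of the account running this script, so run it inside
    # the session of the user whose restrictions are being checked.
    $computer = Get-StartProgramSetting -Hive 'HKLM' -Scope 'Computer Configuration'
    $user     = Get-StartProgramSetting -Hive 'HKCU' -Scope 'User Configuration'

    # Precedence from the post: if both are configured, Computer Configuration overrides.
    $effective = if ($computer) { $computer } else { $user }

    if (-not $effective) {
        return New-Object PSObject -Property @{
            Scope            = 'None'
            Program          = $null
            WorkingDirectory = $null
            Finding          = 'Policy not set: sessions start with the full desktop unless the server or client connection settings specify a program.'
        }
    }

    $leaf = Get-ProgramLeaf $effective.Program
    if ($ShellLike -contains $leaf) {
        $finding = "Policy set, but '$leaf' is a general-purpose shell."
    } else {
        $finding = "Sessions run '$leaf' instead of the full desktop."
    }
    if ($computer -and $user) {
        $finding += " User Configuration value '$($user.Program)' is overridden."
    }
    $effective | Add-Member -MemberType NoteProperty -Name Finding -Value $finding -PassThru
}

Get-EffectiveStartProgram | Format-List Scope, Program, WorkingDirectory, Finding
```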

Guest Morgan che
Posted

Re: Restricting users to login on the server.

 

Hi,

 

I am writing to see how everything is going?

 

Has this issue been solved or do you need further assistance? Please feel

free to let me know.

 

Sincerely

Morgan Che

Microsoft Online Support

Microsoft Global Technical Support Center

 

Get Secure! - http://www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so

that others may learn and benefit from your issue.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

 

 

--------------------

--->Thread-Topic: Restricting users to login on the server.

--->thread-index: Acj3AMLcaENo1VURQDOUteSukpdmJw==

--->X-WBNR-Posting-Host: 207.46.19.197

--->From: =?Utf-8?B?RWxp?= <eli@newsgroup.nospam>

--->References: <4F3D8F86-E968-4F7F-ACDB-E7096A896698@microsoft.com>

<eQWlE4l9IHA.5684@TK2MSFTNGP05.phx.gbl>

<043D9B3A-4DF3-4639-BC5D-7F79B648D38C@microsoft.com>

<O184ihm9IHA.3544@TK2MSFTNGP06.phx.gbl>

<FD9A15F1-B860-4D0F-A4A6-DCA871657696@microsoft.com>

<jVBu1Pt9IHA.3476@TK2MSFTNGHUB02.phx.gbl>

--->Subject: Re: Restricting users to login on the server.

--->Date: Tue, 5 Aug 2008 06:40:02 -0700

--->Lines: 131

--->Message-ID: <C0BA6866-B740-4E2A-88DC-8EB6DDAEF8AD@microsoft.com>

--->MIME-Version: 1.0

--->Content-Type: text/plain;

---> charset="Utf-8"

--->Content-Transfer-Encoding: 7bit

--->X-Newsreader: Microsoft CDO for Windows 2000

--->Content-Class: urn:content-classes:message

--->Importance: normal

--->Priority: normal

--->X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3119

--->Newsgroups: microsoft.public.windows.terminal_services

--->Path: TK2MSFTNGHUB02.phx.gbl

--->Xref: TK2MSFTNGHUB02.phx.gbl

microsoft.public.windows.terminal_services:19680

--->NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149

--->X-Tomcat-NG: microsoft.public.windows.terminal_services

--->

--->i don't want them to use anything else on the server or the server

itself.

--->like any other software that is installed, but not published to

--->remoteapp/webaccess.

--->or browsing internet, etc.

--->or saving

--->

--->"Morgan che(MSFT)" wrote:

--->

--->> Hi,

--->>

--->> Thanks for using this newsgroup.

--->>

--->> As Jeff' said, we can't prohibit users to login to the server via a

RDP

--->> session while allowing them to login via RemoteApp and WebAccess.

--->>

--->> You can understand these three methods are just different interfaces

to

--->> access resources on Terminal server. Indeed, the three methods use

the same

--->> authorization mechanism, the way of establishing connection between

client

--->> and Terminal server and require the same permissions to logon to

Terminal

--->> server. Moreover, Windows doesn't provide a function that can

restrict RDP

--->> access while allowing RemoteApp and WebAccess access.

--->>

--->> Could you please inform me why you want to prohibit users to login to

the

--->> server via a RDP session while allowing them to login via RemoteApp

and

--->> WebAccess? I will check if there is any feasible method to satisfy

your

--->> needs.

--->>

--->> Thanks.


Posted

Re: Restricting users to login on the server.

 

Thanks for the advice.

I created a new GPO for the OU where all TS people reside.

Used the "start a program on connection" policy, and included there "%SystemRoot%\system32\calc.exe".

Now whoever is in that OU, when they log in to TS thru RDP, they'll see only Calculator, which blocks access for them to everything else.

And they can still use RemoteApps.

"Morgan che(MSFT)" wrote:

> Hi,
>
> I am writing to see how everything is going?
>
> Has this issue been solved or do you need further assistance? Please feel free to let me know.
>
> Sincerely
> Morgan Che
> Microsoft Online Support
> Microsoft Global Technical Support Center


Guest Vera Noest [MVP]
Posted

Re: Restricting users to login on the server.

 

Eli, you still have to lock down the server!

It's a misunderstanding that configuring a starting application would keep the users out of the full desktop of the TS!

It is very easy to get to the full desktop from within nearly every application, including Calculator. It's just a matter of time before your users will stumble on it, even if they are not actively looking for it.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

Eli <eli@newsgroup.nospam> wrote on 18 aug 2008 in microsoft.public.windows.terminal_services:

> Thanks for the advice.
> I created a new GPO for the OU where all TS people reside.
> Used the "start a program on connection" policy, and included there "%SystemRoot%\system32\calc.exe".
> Now whoever is in that OU, when they log in to TS thru RDP, they'll see only Calculator, which blocks access for them to everything else. And they can still use RemoteApps.


Guest jolteroli
Posted

Re: Restricting users to login on the server.

 

Like a jail without grating. You could set NTFS ACLs so explorer.exe and cmd.exe execution is denied for regular users. This is simple to set up and hard to circumvent.

-jolt

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message news:Xns9AFED92973BEEveranoesthemutforsse@207.46.248.16...

> Eli, you still have to lock down the server!
> It's a misunderstanding that configuring a starting application would keep the users out of the full desktop of the TS!
>
> It is very easy to get to the full desktop from within nearly every application, including Calculator. It's just a matter of time before your users will stumble on it, even if they are not actively looking for it.
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___


Guest Vera Noest [MVP]
Posted

Re: Restricting users to login on the server.

 

Yes, denying explorer.exe would disable the desktop. But you can

still start *any* program from within Calculator.

How is left as an exercise for the reader :-)

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

"jolteroli" <jolt1976@gmx.net> wrote on 18 aug 2008 in

microsoft.public.windows.terminal_services:

> Like a jail without grating. You could set NTFS ACLs so
> explorer.exe and cmd.exe execution is denied for regular users.
> This is simple to set up and hard to circumvent.

>

> -jolt

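An added example, not part of any post in this thread: a PowerShell audit of the per-file deny approach discussed above, reporting how many executables in a directory actually carry a deny-execute ACE for a given group. The function names, the choice of BUILTIN\Users (SID S-1-5-32-545) as the "regular users" group and the audited directory are assumptions.

```powershell
# Added example: how much of a directory a per-file deny-execute ACL covers.
# Assumptions (not from the thread): "regular users" are represented by the
# built-in Users group (SID S-1-5-32-545); only *.exe files in one directory
# are checked, so the result is a lower bound on what remains launchable.
# Only ACEs naming exactly this SID are matched; group nesting is not expanded.

function Test-DenyExecute {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Sid
    )
    $execute = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $deny    = [System.Security.AccessControl.AccessControlType]::Deny
    $sidType = [System.Security.Principal.SecurityIdentifier]

    $acl = Get-Acl -Path $Path -ErrorAction Stop
    # Explicit and inherited ACEs, identities resolved to SIDs so the
    # comparison does not depend on localized group names.
    $rules = $acl.GetAccessRules($true, $true, $sidType)

    foreach ($ace in $rules) {
        $isDeny      = ($ace.AccessControlType -eq $deny)
        $hitsExecute = (([int]$ace.FileSystemRights -band $execute) -ne 0)
        $sameSid     = ($ace.IdentityReference.Value -eq $Sid)
        if ($isDeny -and $hitsExecute -and $sameSid) {
            return $true
        }
    }
    return $false
}

function Get-DenyExecuteCoverage {
    param(
        [string]$Directory = (Join-Path $env:SystemRoot 'System32'),
        [string]$Sid = 'S-1-5-32-545'   # BUILTIN\Users
    )
    $denied     = @()
    $open       = @()
    $unreadable = @()

    $files = Get-ChildItem -Path $Directory -Filter '*.exe' |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.exe' }

    foreach ($file in $files) {
        try {
            if (Test-DenyExecute -Path $file.FullName -Sid $Sid) {
                $denied += $file.Name
            }
            else {
                $open += $file.Name
            }
        }
        catch {
            # ACL could not be read (permissions, file in use): report it
            # separately instead of guessing.
            $unreadable += $file.Name
        }
    }

    New-Object PSObject -Property @{
        Directory       = $Directory
        Sid             = $Sid
        Denied          = $denied
        StillExecutable = $open
        Unreadable      = $unreadable
    }
}

$report = Get-DenyExecuteCoverage
$total  = $report.Denied.Count + $report.StillExecutable.Count

'{0}: {1} of {2} .exe files carry a deny-execute ACE for {3}' -f `
    $report.Directory, $report.Denied.Count, $total, $report.Sid
'Denied: ' + ($report.Denied -join ', ')
'Not covered by any deny-execute ACE: {0} files' -f $report.StillExecutable.Count
'ACL unreadable: {0} files' -f $report.Unreadable.Count
```

Run it from an elevated PowerShell session on the terminal server; a high "not covered" count after denying only explorer.exe and cmd.exe is the gap the reply above describes.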

Guest Vera Noest [MVP]
Posted

Re: Restricting users to login on the server.

 

As a follow-up: you can use software restriction policies to lock

down your server and really make sure that only approved

applications are used.

 

Using Software Restriction Policies to Protect Against Unauthorized Software

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx

 

 

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote on

18 aug 2008 in microsoft.public.windows.terminal_services:

> Yes, denying explorer.exe would disable the desktop. But you can

> still start *any* program from within Calculator.

> How is left as an exercise for the reader :-)

>

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> "jolteroli" <jolt1976@gmx.net> wrote on 18 aug 2008 in

> microsoft.public.windows.terminal_services:

>

>> like a jail without grating. you could set ntfs-acl's so

>> explorer.exe and cmd.exe execution is denied for regular users.

>> this is simple to setup and hard to circumvent.

>>

>> -jolt

>>

>> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se>

>> schrieb im Newsbeitrag

>> news:Xns9AFED92973BEEveranoesthemutforsse@207.46.248.16...

>>> Eli, you still have to lock down the server!

>>> It's a misunderstanding that configuring a starting application

>>> would keep the users out of the full desktop of the TS!

>>>

>>> It is very easy to get to the full desktop from within nearly

>>> every application, including Calculator. It's just a matter of

>>> time before your users will stumble it, even if they are not

>>> actively looking for it.

>>> _________________________________________________________

>>> Vera Noest

>>> MCSE, CCEA, Microsoft MVP - Terminal Server

>>> TS troubleshooting: http://ts.veranoest.net

>>> ___ please respond in newsgroup, NOT by private email ___

>>>

>>> =?Utf-8?B?RWxp?= <eli@newsgroup.nospam> wrote on 18 aug 2008 in

>>> microsoft.public.windows.terminal_services:

>>>

>>>> Thanks for the advice.

>>>> I created new GPO for the OU where all TS people reside

>>>> Used "start a program on connection" policy, and included

>>>> there “%SystemRoot%\system32\calc.exe"

>>>> Now whoever is in that OU, when they login into TS thru RDP,

>>>> they'll see only Calculator, which blocks access for them to

>>>> everything else. And they can still use RemoteApps.

>>>>

>>>>

>>>> "Morgan che(MSFT)" wrote:

>>>>

>>>>> Hi,

>>>>>

>>>>> I am wirting to see how evertything is going?

>>>>>

>>>>> Have this issue been sovled or you need further assistance?

>>>>> please feel free to let me know.

>>>>>

>>>>> Sincerely

>>>>> Morgan Che

>>>>> Microsoft Online Support

>>>>> Microsoft Global Technical Support Center

>>>>>

>>>>>

>>>>> --------------------

>>>>> --->i don't want them to use anything else on the server or

>>>>> the server itself.

>>>>> --->like any other software that is installed, but not

>>>>> published to --->remoteapp/webaccess.

>>>>> --->or browsing internet, etc.

>>>>> --->or saving

>>>>> --->

>>>>> --->"Morgan che(MSFT)" wrote:

>>>>> --->

>>>>> --->> Hi,

>>>>> --->>

>>>>> --->> Thanks for using this newsgroup.

>>>>> --->>

>>>>> --->> As Jeff' said, we can't prohibit users to login to the

>>>>> server via a RDP

>>>>> --->> session while allowing them to login via RemoteApp and

>>>>> WebAccess. --->>

>>>>> --->> You can understand these three methods are just

>>>>> different interfaces to

>>>>> --->> access resources on Terminal server. Indeed, the three

>>>>> methods use the same

>>>>> --->> authorization mechanism, the way of establishing

>>>>> connection between client

>>>>> --->> and Terminal server and require the same permissions to

>>>>> logon to Terminal

>>>>> --->> server. Moreover, Windows doesn't provide a function

>>>>> that can restrict RDP

>>>>> --->> access while allowing RemoteApp and WebAccess access.

>>>>> --->>

>>>>> --->> Could you please inform me why you want to prohibit

>>>>> users to login to the

>>>>> --->> server via a RDP session while allowing them to login

>>>>> via RemoteApp and

>>>>> --->> WebAccess? I will check if there is any feasible method

>>>>> to satisfy your

>>>>> --->> needs.

>>>>> --->>

>>>>> --->> Thanks.

>>>>> --->>

>>>>> --->>

>>>>> --->> Sincerely

>>>>> --->> Morgan Che

>>>>> --->> Microsoft Online Support

>>>>> --->> Microsoft Global Technical Support Center

>>>>> --->>

>>>>> --->> --------------------

>>>>> --->> --->Thread-Topic: Restricting users to login on the

>>>>> server. --->> --->thread-index:

>>>>> microsoft.public.windows.terminal_services --->> --->

>>>>> --->> --->let's wait, maybe someone from microsoft will

>>>>> answer it. --->> --->

>>>>> --->> --->"Jeff Pitsch" wrote:

>>>>> --->> --->

>>>>> --->> --->> The same as it for citrix or any other TS vendor.

>>>>> It's a very simple

>>>>> --->> matter

>>>>> --->> --->> to lock down the desktop and the advantages of

>>>>> remote apps are pretty

>>>>> --->> clear

>>>>> --->> --->> especially if you're planning on using them. Now I

>>>>> may be wrong and

>>>>> --->> there may

>>>>> --->> --->> be a way of disabling getting to the desktop but

>>>>> I don't think there

>>>>> --->> is.

>>>>> --->> --->>

>>>>> --->> --->> Jeff Pitsch

>>>>> --->> --->> Microsoft MVP - Terminal Services

>>>>> --->> --->>

>>>>> --->> --->>

>>>>> --->> --->> "Eli" <eli@newsgroup.nospam> wrote in message

>>>>> --->> --->>

>>>>> news:043D9B3A-4DF3-4639-BC5D-7F79B648D38C@microsoft.com...

>>>>> --->> --->> > Then what's the point of RemoteApp if one can

>>>>> just login to --->> terminal

>>>>> --->> --->> > server

>>>>> --->> --->> > itself and use applications on it?

>>>>> --->> --->> >

>>>>> --->> --->> >

>>>>> --->> --->> > "Jeff Pitsch" wrote:

>>>>> --->> --->> >

>>>>> --->> --->> >> I don't think you can. Your best bet is to

>>>>> completely lock down

>>>>> --->> the

>>>>> --->> --->> >> desktop

>>>>> --->> --->> >> so that only the start menu and logoff button

>>>>> are available.

>>>>> If

>>>>> --->> the

>>>>> --->> --->> >> users

>>>>> --->> --->> >> can't do anything then they won't be tempted

>>>>> to go to the desktop.

>>>>> --->> This

>>>>> --->> --->> >> is

>>>>> --->> --->> >> very easy to do by the way with Group Policy.

>>>>> --->> --->> >>

>>>>> --->> --->> >> Jeff Pitsch

>>>>> --->> --->> >> Microsoft MVP - Terminal Services

>>>>> --->> --->> >>

>>>>> --->> --->> >>

>>>>> --->> --->> >> "Eli" <eli@newsgroup.nospam> wrote in message

>>>>> --->> --->> >>

>>>>> news:4F3D8F86-E968-4F7F-ACDB-E7096A896698@microsoft.com...

>>>>> --->> --->> >> > Windows 2008 SP1 --->> --->> >> > How can I

>>>>> prohibit users to login on the server thru a regular

>>>>> --->> RDP

>>>>> --->> --->> >> > session

>>>>> --->> --->> >> > while allowing them to use RemoteApp and

>>>>> WebAccess? --->> --->> >> >

Guest Vera Noest [MVP]
Posted

Re: Restricting users to login on the server.

 

Ooops! I hate it when Microsoft (or any other company for that

matter) keep changing their links.

Thanks, jolteroli, I'll update the link on my website!

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

*----------- Please reply in newsgroup -------------*

 

"jolteroli" <jolt1976@gmx.net> wrote on 19 aug 2008:

> it's: http://technet.microsoft.com/en-us/library/bb457006.aspx,

> dear Vera.
