Guest SimeonD Posted August 11, 2008 Posted August 11, 2008 Hi When the user logs onto their PC, the script then logs them onto a Terminal Server session. I'd like to make sure there is nothing on the PC desktop, and only 'Printer' icon on the Start Menu. Any programs should be run via the Terminal Server. Is there a 'best way' to do this? Thanks Simoen
Guest Jeff Pitsch Posted August 11, 2008 Posted August 11, 2008 Re: Restrict PC desktop, but not TS session desktop Group Policy can do this pretty easily. -- Jeff Pitsch Microsoft MVP - Terminal Services "SimeonD" <simeond@nospam.nospam> wrote in message news:uMtSAX5%23IHA.3756@TK2MSFTNGP03.phx.gbl... > Hi > When the user logs onto their PC, the script then logs them onto a > Terminal Server session. I'd like to make sure there is nothing on the PC > desktop, and only 'Printer' icon on the Start Menu. > Any programs should be run via the Terminal Server. > Is there a 'best way' to do this? > Thanks > Simoen >
Guest SimeonD Posted August 11, 2008 Posted August 11, 2008 Re: Restrict PC desktop, but not TS session desktop That is true! But won't that also hide it in the TS session desktop also? Or is there a way to apply this to the PC, but not to the TS? The Policy I'm looking at is in User Configuration\Admin Templates\Start Menu and Taskbar It seems to have all the options I need, but I don't see how to apply it to the PC only. Thanks for your help "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message news:O46%23a55%23IHA.1184@TK2MSFTNGP04.phx.gbl... > Group Policy can do this pretty easily. > > -- > Jeff Pitsch > Microsoft MVP - Terminal Services > > "SimeonD" <simeond@nospam.nospam> wrote in message > news:uMtSAX5%23IHA.3756@TK2MSFTNGP03.phx.gbl... >> Hi >> When the user logs onto their PC, the script then logs them onto a >> Terminal Server session. I'd like to make sure there is nothing on the PC >> desktop, and only 'Printer' icon on the Start Menu. >> Any programs should be run via the Terminal Server. >> Is there a 'best way' to do this? >> Thanks >> Simoen >> > >
Guest Vera Noest [MVP] Posted August 11, 2008 Posted August 11, 2008 Re: Restrict PC desktop, but not TS session desktop You can create a GPO linked to the TS *without* the restrictions, and then configure this GPO to use "loopback processing" with the "Replace" option. That makes sure that your users are not affected by the GPO which locks down their workstation logons. 231287 - Loopback Processing of Group Policy http://support.microsoft.com/?kbid=231287 _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net *----------- Please reply in newsgroup -------------* "SimeonD" <simeond@nospam.nospam> wrote on 11 aug 2008: > That is true! But won't that also hide it in the TS session > desktop also? Or is there a way to apply this to the PC, but not > to the TS? The Policy I'm looking at is in > User Configuration\Admin Templates\Start Menu and Taskbar > It seems to have all the options I need, but I don't see how to > apply it to the PC only. > > Thanks for your help > > > > > "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message > news:O46%23a55%23IHA.1184@TK2MSFTNGP04.phx.gbl... >> Group Policy can do this pretty easily. >> >> -- >> Jeff Pitsch >> Microsoft MVP - Terminal Services >> >> "SimeonD" <simeond@nospam.nospam> wrote in message >> news:uMtSAX5%23IHA.3756@TK2MSFTNGP03.phx.gbl... >>> Hi >>> When the user logs onto their PC, the script then logs them >>> onto a Terminal Server session. I'd like to make sure there is >>> nothing on the PC desktop, and only 'Printer' icon on the >>> Start Menu. Any programs should be run via the Terminal >>> Server. Is there a 'best way' to do this? >>> Thanks >>> Simoen
Guest Jeff Pitsch Posted August 11, 2008 Posted August 11, 2008 Re: Restrict PC desktop, but not TS session desktop Read this: http://www.dabcc.com/blogs/jeff/post/Blast-from-the-Past-Understanding-Group-Policy-in-a-Terminal-Services-Environment that will explain all you need :) -- Jeff Pitsch Microsoft MVP - Terminal Services "SimeonD" <simeond@nospam.nospam> wrote in message news:Oh85vo7%23IHA.3656@TK2MSFTNGP03.phx.gbl... > That is true! But won't that also hide it in the TS session desktop also? > Or is there a way to apply this to the PC, but not to the TS? > The Policy I'm looking at is in > User Configuration\Admin Templates\Start Menu and Taskbar > It seems to have all the options I need, but I don't see how to apply it > to the PC only. > > Thanks for your help > > > > > "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message > news:O46%23a55%23IHA.1184@TK2MSFTNGP04.phx.gbl... >> Group Policy can do this pretty easily. >> >> -- >> Jeff Pitsch >> Microsoft MVP - Terminal Services >> >> "SimeonD" <simeond@nospam.nospam> wrote in message >> news:uMtSAX5%23IHA.3756@TK2MSFTNGP03.phx.gbl... >>> Hi >>> When the user logs onto their PC, the script then logs them onto a >>> Terminal Server session. I'd like to make sure there is nothing on the >>> PC desktop, and only 'Printer' icon on the Start Menu. >>> Any programs should be run via the Terminal Server. >>> Is there a 'best way' to do this? >>> Thanks >>> Simoen >>> >> >> > >
Guest ThomasT. Posted August 11, 2008 Posted August 11, 2008 Re: Restrict PC desktop, but not TS session desktop Hi, In think you can replace the Windows Shell on the PC with a simple program that display only the program that user has permission to run Thomas T. "SimeonD" <simeond@nospam.nospam> wrote in message news:uMtSAX5%23IHA.3756@TK2MSFTNGP03.phx.gbl... > Hi > When the user logs onto their PC, the script then logs them onto a > Terminal Server session. I'd like to make sure there is nothing on the PC > desktop, and only 'Printer' icon on the Start Menu. > Any programs should be run via the Terminal Server. > Is there a 'best way' to do this? > Thanks > Simoen >
Guest SimeonD Posted August 11, 2008 Posted August 11, 2008 Re: Restrict PC desktop, but not TS session desktop It might, if I could view the pictures. :) They seem to be just .png files - is there an expanded version somewhere? "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message news:uImXw37%23IHA.1016@TK2MSFTNGP03.phx.gbl... > Read this: > http://www.dabcc.com/blogs/jeff/post/Blast-from-the-Past-Understanding-Group-Policy-in-a-Terminal-Services-Environment > > that will explain all you need :) > > -- > Jeff Pitsch > Microsoft MVP - Terminal Services > > "SimeonD" <simeond@nospam.nospam> wrote in message > news:Oh85vo7%23IHA.3656@TK2MSFTNGP03.phx.gbl... >> That is true! But won't that also hide it in the TS session desktop also? >> Or is there a way to apply this to the PC, but not to the TS? >> The Policy I'm looking at is in >> User Configuration\Admin Templates\Start Menu and Taskbar >> It seems to have all the options I need, but I don't see how to apply it >> to the PC only. >> >> Thanks for your help >> >> >> >> >> "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message >> news:O46%23a55%23IHA.1184@TK2MSFTNGP04.phx.gbl... >>> Group Policy can do this pretty easily. >>> >>> -- >>> Jeff Pitsch >>> Microsoft MVP - Terminal Services >>> >>> "SimeonD" <simeond@nospam.nospam> wrote in message >>> news:uMtSAX5%23IHA.3756@TK2MSFTNGP03.phx.gbl... >>>> Hi >>>> When the user logs onto their PC, the script then logs them onto a >>>> Terminal Server session. I'd like to make sure there is nothing on the >>>> PC desktop, and only 'Printer' icon on the Start Menu. >>>> Any programs should be run via the Terminal Server. >>>> Is there a 'best way' to do this? >>>> Thanks >>>> Simoen >>>> >>> >>> >> >> > >
Guest SimeonD Posted August 11, 2008 Posted August 11, 2008 Re: Restrict PC desktop, but not TS session desktop To get this clear in my head: The way my AD is configured is as follows, with all users in an Department. Lets call it Dept1 for this example. Each Dept has a GPO. There is a GPO for the top level Terminal Servers group. So something like: Departments Dept1 Dept2 Dept3 Terminal Servers Term01 Term02 Term03 Term04 At the moment, the Dept1 GPO has all the settings for MS Office, and some other programs The TS GPO has settings for the Terminal Server, including MSI installs and some other stuff. If I use loopback, I should 1) Move the MS Office settings from Dept1 to the TS GPO. 2) In the Dept1 GPO, enable the options to restrict the desktop and Start Menu 3) In the TS GPO, loopback processing" with the "Replace" option. Am I right in this? I think I'm right on 2 + 3 above, its which settings I have to move that I'm unsure of. Thanks Simeon "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote in message news:Xns9AF7A65989496veranoesthemutforsse@207.46.248.16... > You can create a GPO linked to the TS *without* the restrictions, > and then configure this GPO to use "loopback processing" with the > "Replace" option. > That makes sure that your users are not affected by the GPO which > locks down their workstation logons. > > 231287 - Loopback Processing of Group Policy > http://support.microsoft.com/?kbid=231287 > > _________________________________________________________ > Vera Noest > MCSE, CCEA, Microsoft MVP - Terminal Server > TS troubleshooting: http://ts.veranoest.net > *----------- Please reply in newsgroup -------------* > > > "SimeonD" <simeond@nospam.nospam> wrote on 11 aug 2008: > >> That is true! But won't that also hide it in the TS session >> desktop also? Or is there a way to apply this to the PC, but not >> to the TS? The Policy I'm looking at is in >> User Configuration\Admin Templates\Start Menu and Taskbar >> It seems to have all the options I need, but I don't see how to >> apply it to the PC only. >> >> Thanks for your help >> >> >> >> >> "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message >> news:O46%23a55%23IHA.1184@TK2MSFTNGP04.phx.gbl... >>> Group Policy can do this pretty easily. >>> >>> -- >>> Jeff Pitsch >>> Microsoft MVP - Terminal Services >>> >>> "SimeonD" <simeond@nospam.nospam> wrote in message >>> news:uMtSAX5%23IHA.3756@TK2MSFTNGP03.phx.gbl... >>>> Hi >>>> When the user logs onto their PC, the script then logs them >>>> onto a Terminal Server session. I'd like to make sure there is >>>> nothing on the PC desktop, and only 'Printer' icon on the >>>> Start Menu. Any programs should be run via the Terminal >>>> Server. Is there a 'best way' to do this? >>>> Thanks >>>> Simoen
Guest Jeff Pitsch Posted August 11, 2008 Posted August 11, 2008 Re: Restrict PC desktop, but not TS session desktop The article should be self explanatory without the pics. The pics enhance but there is nothing in them that are critical or isn't covered in the article. -- Jeff Pitsch Microsoft MVP - Terminal Services "SimeonD" <simeond@nospam.nospam> wrote in message news:eU604R8%23IHA.5192@TK2MSFTNGP04.phx.gbl... > It might, if I could view the pictures. :) > They seem to be just .png files - is there an expanded version somewhere? > > > > "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message > news:uImXw37%23IHA.1016@TK2MSFTNGP03.phx.gbl... >> Read this: >> http://www.dabcc.com/blogs/jeff/post/Blast-from-the-Past-Understanding-Group-Policy-in-a-Terminal-Services-Environment >> >> that will explain all you need :) >> >> -- >> Jeff Pitsch >> Microsoft MVP - Terminal Services >> >> "SimeonD" <simeond@nospam.nospam> wrote in message >> news:Oh85vo7%23IHA.3656@TK2MSFTNGP03.phx.gbl... >>> That is true! But won't that also hide it in the TS session desktop >>> also? >>> Or is there a way to apply this to the PC, but not to the TS? >>> The Policy I'm looking at is in >>> User Configuration\Admin Templates\Start Menu and Taskbar >>> It seems to have all the options I need, but I don't see how to apply it >>> to the PC only. >>> >>> Thanks for your help >>> >>> >>> >>> >>> "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message >>> news:O46%23a55%23IHA.1184@TK2MSFTNGP04.phx.gbl... >>>> Group Policy can do this pretty easily. >>>> >>>> -- >>>> Jeff Pitsch >>>> Microsoft MVP - Terminal Services >>>> >>>> "SimeonD" <simeond@nospam.nospam> wrote in message >>>> news:uMtSAX5%23IHA.3756@TK2MSFTNGP03.phx.gbl... >>>>> Hi >>>>> When the user logs onto their PC, the script then logs them onto a >>>>> Terminal Server session. I'd like to make sure there is nothing on the >>>>> PC desktop, and only 'Printer' icon on the Start Menu. >>>>> Any programs should be run via the Terminal Server. >>>>> Is there a 'best way' to do this? >>>>> Thanks >>>>> Simoen >>>>> >>>> >>>> >>> >>> >> >> > >
Guest ThomasT. Posted August 11, 2008 Posted August 11, 2008 Re: Restrict PC desktop, but not TS session desktop This key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell "ThomasT." <ThomasT@nospam.nospam> wrote in message news:%23Z7%23%23B8%23IHA.3756@TK2MSFTNGP03.phx.gbl... > Hi, > In think you can replace the Windows Shell on the PC with a simple program > that display > only the program that user has permission to run > > Thomas T. > > "SimeonD" <simeond@nospam.nospam> wrote in message > news:uMtSAX5%23IHA.3756@TK2MSFTNGP03.phx.gbl... >> Hi >> When the user logs onto their PC, the script then logs them onto a >> Terminal Server session. I'd like to make sure there is nothing on the PC >> desktop, and only 'Printer' icon on the Start Menu. >> Any programs should be run via the Terminal Server. >> Is there a 'best way' to do this? >> Thanks >> Simoen >> > >
Guest Vera Noest [MVP] Posted August 11, 2008 Posted August 11, 2008 Re: Restrict PC desktop, but not TS session desktop Yes, that's correct, Simeon. When users log on to their PCs, they are affected by the Computer settings in any policies that apply to their PCs (like domain wide polices) + the User settings in the GPO linked to the Department OU. This is the normal aplication of GPOs. So you can restrict them in these GPOs. When users then connect to the TS (which has a GPO including the loopback processing setting), they are affected by the Computer settings *AND* the User settings from the GPO linked to the TS OU. So here you configure Office and whatever other settings you want on the TS, both Computer and User Configuration. _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net ___ please respond in newsgroup, NOT by private email ___ "SimeonD" <simeond@nospam.nospam> wrote on 11 aug 2008 in microsoft.public.windows.terminal_services: > To get this clear in my head: > The way my AD is configured is as follows, with all users in an > Department. Lets call it Dept1 for this example. Each Dept has a > GPO. There is a GPO for the top level Terminal Servers group. > So something like: > > Departments > Dept1 > Dept2 > Dept3 > Terminal Servers > Term01 > Term02 > Term03 > Term04 > > At the moment, the Dept1 GPO has all the settings for MS Office, > and some other programs > The TS GPO has settings for the Terminal Server, including MSI > installs and some other stuff. > > If I use loopback, I should > 1) Move the MS Office settings from Dept1 to the TS GPO. > 2) In the Dept1 GPO, enable the options to restrict the > desktop and > Start Menu > 3) In the TS GPO, loopback processing" with the "Replace" > option. > > Am I right in this? I think I'm right on 2 + 3 above, its which > settings I have to move that I'm unsure of. > > Thanks > Simeon > > > "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote > in message > news:Xns9AF7A65989496veranoesthemutforsse@207.46.248.16... >> You can create a GPO linked to the TS *without* the >> restrictions, and then configure this GPO to use "loopback >> processing" with the "Replace" option. >> That makes sure that your users are not affected by the GPO >> which locks down their workstation logons. >> >> 231287 - Loopback Processing of Group Policy >> http://support.microsoft.com/?kbid=231287 >> >> _________________________________________________________ >> Vera Noest >> MCSE, CCEA, Microsoft MVP - Terminal Server >> TS troubleshooting: http://ts.veranoest.net >> *----------- Please reply in newsgroup -------------* >> >> >> "SimeonD" <simeond@nospam.nospam> wrote on 11 aug 2008: >> >>> That is true! But won't that also hide it in the TS session >>> desktop also? Or is there a way to apply this to the PC, but >>> not to the TS? The Policy I'm looking at is in >>> User Configuration\Admin Templates\Start Menu and Taskbar >>> It seems to have all the options I need, but I don't see how >>> to apply it to the PC only. >>> >>> Thanks for your help >>> >>> >>> >>> >>> "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message >>> news:O46%23a55%23IHA.1184@TK2MSFTNGP04.phx.gbl... >>>> Group Policy can do this pretty easily. >>>> >>>> -- >>>> Jeff Pitsch >>>> Microsoft MVP - Terminal Services >>>> >>>> "SimeonD" <simeond@nospam.nospam> wrote in message >>>> news:uMtSAX5%23IHA.3756@TK2MSFTNGP03.phx.gbl... >>>>> Hi >>>>> When the user logs onto their PC, the script then logs them >>>>> onto a Terminal Server session. I'd like to make sure there >>>>> is nothing on the PC desktop, and only 'Printer' icon on the >>>>> Start Menu. Any programs should be run via the Terminal >>>>> Server. Is there a 'best way' to do this? >>>>> Thanks >>>>> Simoen
Guest SimeonD Posted August 12, 2008 Posted August 12, 2008 Re: Restrict PC desktop, but not TS session desktop Thanks, I think I have what I need now. Thats a good article, you could learn a lot from the author! :) "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message news:%235mzRP9%23IHA.4780@TK2MSFTNGP05.phx.gbl... > The article should be self explanatory without the pics. The pics enhance > but there is nothing in them that are critical or isn't covered in the > article. > > -- > Jeff Pitsch > Microsoft MVP - Terminal Services > > "SimeonD" <simeond@nospam.nospam> wrote in message > news:eU604R8%23IHA.5192@TK2MSFTNGP04.phx.gbl... >> It might, if I could view the pictures. :) >> They seem to be just .png files - is there an expanded version somewhere? >> >> >> >> "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message >> news:uImXw37%23IHA.1016@TK2MSFTNGP03.phx.gbl... >>> Read this: >>> http://www.dabcc.com/blogs/jeff/post/Blast-from-the-Past-Understanding-Group-Policy-in-a-Terminal-Services-Environment >>> >>> that will explain all you need :) >>> >>> -- >>> Jeff Pitsch >>> Microsoft MVP - Terminal Services >>> >>> "SimeonD" <simeond@nospam.nospam> wrote in message >>> news:Oh85vo7%23IHA.3656@TK2MSFTNGP03.phx.gbl... >>>> That is true! But won't that also hide it in the TS session desktop >>>> also? >>>> Or is there a way to apply this to the PC, but not to the TS? >>>> The Policy I'm looking at is in >>>> User Configuration\Admin Templates\Start Menu and Taskbar >>>> It seems to have all the options I need, but I don't see how to apply >>>> it to the PC only. >>>> >>>> Thanks for your help >>>> >>>> >>>> >>>> >>>> "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message >>>> news:O46%23a55%23IHA.1184@TK2MSFTNGP04.phx.gbl... >>>>> Group Policy can do this pretty easily. >>>>> >>>>> -- >>>>> Jeff Pitsch >>>>> Microsoft MVP - Terminal Services >>>>> >>>>> "SimeonD" <simeond@nospam.nospam> wrote in message >>>>> news:uMtSAX5%23IHA.3756@TK2MSFTNGP03.phx.gbl... >>>>>> Hi >>>>>> When the user logs onto their PC, the script then logs them onto a >>>>>> Terminal Server session. I'd like to make sure there is nothing on >>>>>> the PC desktop, and only 'Printer' icon on the Start Menu. >>>>>> Any programs should be run via the Terminal Server. >>>>>> Is there a 'best way' to do this? >>>>>> Thanks >>>>>> Simoen >>>>>> >>>>> >>>>> >>>> >>>> >>> >>> >> >> > >
Guest SimeonD Posted August 12, 2008 Posted August 12, 2008 Re: Restrict PC desktop, but not TS session desktop Thanks, I'll go with Group Policy in this case, but thats handy to know. "ThomasT." <ThomasT@nospam.nospam> wrote in message news:OPMuUk9%23IHA.1036@TK2MSFTNGP03.phx.gbl... > This key: > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows > NT\CurrentVersion\Winlogon\Shell > > > "ThomasT." <ThomasT@nospam.nospam> wrote in message > news:%23Z7%23%23B8%23IHA.3756@TK2MSFTNGP03.phx.gbl... >> Hi, >> In think you can replace the Windows Shell on the PC with a simple >> program that display >> only the program that user has permission to run >> >> Thomas T. >> >> "SimeonD" <simeond@nospam.nospam> wrote in message >> news:uMtSAX5%23IHA.3756@TK2MSFTNGP03.phx.gbl... >>> Hi >>> When the user logs onto their PC, the script then logs them onto a >>> Terminal Server session. I'd like to make sure there is nothing on the >>> PC desktop, and only 'Printer' icon on the Start Menu. >>> Any programs should be run via the Terminal Server. >>> Is there a 'best way' to do this? >>> Thanks >>> Simoen >>> >> >> > >
Recommended Posts