F. David del Campo Hill
Posted August 21, 2007

Hi all,

I have a Windows Server 2003 R2 configured as a standalone Terminal Services server, and a few Windows XP Professional desktops that are part of an Active Directory domain.

I want to create an Active Directory account that users can log in to on the desktops, but that will automatically open a Remote Desktop session to the Terminal Services server (they will then log in to the server using a non-Active Directory account). The account must NOT allow users to do anything on the desktops save automatically opening the RD session, and when the users disconnect or log out of the RD session, the desktops must log out automatically from the Active Directory account as well.

1. I have found that you can change the Windows shell by editing the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell registry value, but how do you change the shell for one user only?

2. Also, how do you make sure the user can only run mstsc.exe and cannot use Ctrl+Alt+Del (or other special key combinations) to bypass the shell?

3. And lastly, how do you make the local desktop log out automatically when the shell is terminated?

Thank you for your help.
Jeff Pitsch
Posted August 21, 2007

Re: Terminal Services Kiosk

Pretty much everything you want to do can be configured through Group Policy. What are you planning on replacing the shell with? Why are you trying to replace the shell? You will want to start investigating GPOs. Also, how are you expecting users to terminate the shell? Why not simply lock down the workstations as is?

Jeff Pitsch
Microsoft MVP - Terminal Server
Citrix Technology Professional
Provision Networks VIP

Forums not enough? Get support from the experts at your business
http://jeffpitschconsulting.com

F. David del Campo Hill wrote:
> Hi all,
>
> I have a Windows Server 2003 R2 configured as a standalone Terminal Services
> server, and a few Windows XP Professional desktops that are part of an Active
> Directory domain.
>
> I want to create an Active Directory account that users can log in to on the
> desktops, but that will automatically open a Remote Desktop session to the
> Terminal Services server (they will then log in to the server using a
> non-Active Directory account). The account must NOT allow users to do
> anything on the desktops save automatically opening the RD session, and when
> the users disconnect or log out of the RD session, the desktops must log out
> automatically from the Active Directory account as well.
>
> 1. I have found that you can change the Windows shell by editing the
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
> registry value, but how do you change the shell for one user only?
>
> 2. Also, how do you make sure the user can only run mstsc.exe and cannot use
> Ctrl+Alt+Del (or other special key combinations) to bypass the shell?
>
> 3. And lastly, how do you make the local desktop log out automatically when
> the shell is terminated?
>
> Thank you for your help.
F. David del Campo Hill
Posted August 21, 2007

Re: Terminal Services Kiosk

Jeff,

> Pretty much everything you want to do can be configured through Group
> Policy.

Remember that the Terminal Services server is not part of an Active Directory domain, only the desktops. Which group policies are you referring to?

> What are you planning on replacing the shell with?

A Remote Desktop session to the Terminal Services server: mstsc /v:IPAddress /f

> Why are you trying to replace the shell?

As I explained, I need an account that will open RD the moment it logs in and will only show RD on the full screen; since this is similar to what people do for Internet Explorer kiosks, I thought to do it similarly. Is there a better way?

> You will want to start investigating GPOs.

Only for the desktops; the TS server cannot have GPOs applied.

> Also, how are you expecting users to terminate the shell?

That is one of my questions: how to make the account log out when the RD session is logged out or terminated.

> Why not simply lock down the workstations as is?

The desktops are going to be used by other accounts which do not connect to the TS server, so leaving the desktops in such a state is not possible.

In short, I am trying to allow users to use their Windows desktop as a thin client for a TS server by logging in to a certain account.
Jeff Pitsch
Posted August 21, 2007

Re: Terminal Services Kiosk

F. David del Campo Hill wrote:
> Jeff,
>
>> Pretty much everything you want to do can be configured through Group
>> Policy.
>
> Remember that the Terminal Services server is not part of an Active
> Directory domain, only the desktops. Which group policies are you referring to?

You're going to have a difficult time at best to lock down the TS box so they can't do anything. It's quite possible but difficult. There are way too many settings to list them off one by one on how to lock down a server. You can start by using this (remember you can set many of these through local policy as well):

>> What are you planning on replacing the shell with?
>
> A Remote Desktop session to the Terminal Services server: mstsc /v:IPAddress /f

Your best bet, again, is to use Group Policy on the workstations to configure a very locked down environment for the particular users. You have AD for the workstations; it's a very powerful tool, don't ignore it. Use it.

>> Why are you trying to replace the shell?
>
> As I explained, I need an account that will open RD the moment it logs in
> and will only show RD on the full screen; since this is similar to what
> people do for Internet Explorer kiosks, I thought to do it similarly. Is
> there a better way?

Yes, again, a locked down environment using GPO.

>> You will want to start investigating GPOs.
>
> Only for the desktops; the TS server cannot have GPOs applied.
>
>> Also, how are you expecting users to terminate the shell?
>
> That is one of my questions: how to make the account log out when the RD
> session is logged out or terminated.

No problem at all, you give them the log out button on the locked down desktop.

>> Why not simply lock down the workstations as is?
>
> The desktops are going to be used by other accounts which do not connect to
> the TS server, so leaving the desktops in such a state is not possible.
>
> In short, I am trying to allow users to use their Windows desktop as a thin
> client for a TS server by logging in to a certain account.

I'm not sure you understand how GPOs work. They can be applied based on users. So one user logs in to the workstation, they get one set of settings; another user logs in, they get another set.

Jeff Pitsch
Microsoft MVP - Terminal Server
Citrix Technology Professional
Provision Networks VIP

Forums not enough? Get support from the experts at your business
http://jeffpitschconsulting.com
F. David del Campo Hill
Posted August 21, 2007

Re: Terminal Services Kiosk

Jeff,

> You're going to have a difficult time at best to lock down the TS box so
> they can't do anything. It's quite possible but difficult. There are
> way too many settings to list them off one by one on how to lock down a
> server. You can start by using this (remember you can set many of these
> through local policy as well):

No, the locked-down account is the Active Directory account on the desktops, not the local accounts on the TS server. I want them not to be able to do anything on the desktops apart from running the RD session; on the TS server they can do what they want: it's theirs.

> >> Why are you trying to replace the shell?
> >
> > As I explained, I need an account that will open RD the moment it logs in
> > and will only show RD on the full screen; since this is similar to what
> > people do for Internet Explorer kiosks, I thought to do it similarly. Is
> > there a better way?
>
> Yes, again, a locked down environment using GPO.

But how? Which GPOs stop users from being able to start other programs or kill the RD session? Specifics please.

> No problem at all, you give them the log out button on the locked down
> desktop.

No, there is no explorer running, so there will be no local Log Out button for them to press, no Start menu... no nothing save the RD session.

> > In short, I am trying to allow users to use their Windows desktop as a thin
> > client for a TS server by logging in to a certain account.
>
> I'm not sure you understand how GPOs work. They can be applied based
> on users. So one user logs in to the workstation, they get one set of
> settings; another user logs in, they get another set.

I know, but what I am looking for is for someone to tell me which GPOs can be used to stop a user from running anything but an executable of my choosing, and how to make the termination of that executable force a log out on the user's session.
Vera Noest [MVP]
Posted August 22, 2007

Re: Terminal Services Kiosk

comments inline

F. David del Campo Hill <FDaviddelCampoHill@discussions.microsoft.com> wrote on 21 aug 2007 in microsoft.public.windows.terminal_services:

> Jeff,
>
>> You're going to have a difficult time at best to lock down the TS
>> box so they can't do anything. It's quite possible but
>> difficult. There are way too many settings to list them off one
>> by one on how to lock down a server. You can start by using
>> this (remember you can set many of these through local policy as
>> well):
>
> No, the locked-down account is the Active Directory account on
> the desktops, not the local accounts on the TS server. I want
> them not to be able to do anything on the desktops apart from
> running the RD session;

So you want to turn your clients into software thin clients, is that correct? Patrick Rouse lists a number of solutions for that, like SimplyRDP and others:
http://www.sessioncomputing.com/thin-clients.htm

> on the TS server they can do what they want: it's theirs.

If taken literally, I think that you will notice that this will render the TS unusable in a short period of time. Even if you don't lock it down to the full extent, you will still need to limit users' ability to install software, printer drivers and so on.

>> >> Why are you trying to replace the shell?
>> >
>> > As I explained, I need an account that will open RD the
>> > moment it logs in and will only show RD on the full screen;
>> > since this is similar to what people do for Internet Explorer
>> > kiosks, I thought to do it similarly. Is there a better way?
>>
>> Yes, again, a locked down environment using GPO.
>
> But how? Which GPOs stop users from being able to start other
> programs or kill the RD session? Specifics please.

Software Restriction Policies would do this. Only allow mstsc.exe, restrict all other executables.

>> No problem at all, you give them the log out button on the
>> locked down desktop.
>
> No, there is no explorer running, so there will be no local Log
> Out button for them to press, no Start menu... no nothing save
> the RD session.
>
>> > In short, I am trying to allow users to use their Windows
>> > desktop as a thin client for a TS server by logging in to a
>> > certain account.
>>
>> I'm not sure you understand how GPOs work. They can be
>> applied based on users. So one user logs in to the workstation,
>> they get one set of settings; another user logs in, they get
>> another set.
>
> I know, but what I am looking for is for someone to tell me
> which GPOs can be used to stop a user from running anything but
> an executable of my choosing, and how to make the termination of
> that executable force a log out on the user's session.

Can't help you with the logout problem, I'm afraid. And how are you going to handle Ctrl-Alt-Del?

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
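The logout problem left open at the end of the thread (question 3 of the original post) can be handled by making the kiosk account's shell a small wrapper around mstsc.exe instead of mstsc.exe itself: the wrapper blocks while the RD session runs and logs the desktop off as soon as it ends. This batch file is an added example, not code from anyone in the thread; TS_HOST is a placeholder address, and applying it per user through the "Custom user interface" policy (rather than the machine-wide Winlogon\Shell value from the original post) is an assumption about how the shell is assigned to just this account.

```batch
@echo off
rem kiosk-shell.cmd (added example, not from the thread)
rem Intended to be set as the shell for the kiosk account only, e.g. via
rem User Configuration\Administrative Templates\System\Custom user interface,
rem so other accounts on the same desktop keep explorer.exe as their shell.

rem Placeholder: replace with the real Terminal Services server address.
set TS_HOST=192.0.2.10

rem Open the full-screen RD session and block until mstsc.exe exits.
rem Without /wait the script would fall straight through to the logoff
rem below and the user would be logged off the instant they logged in.
start "" /wait mstsc.exe /v:%TS_HOST% /f

rem mstsc.exe has exited: the user logged out or disconnected the remote
rem session, the connection failed, or the process was killed. In every
rem case there is nothing else this account may do locally, so end the
rem desktop session too. (shutdown -l logs off the current user.)
shutdown.exe -l
```

The wrapper does not answer Vera's Ctrl-Alt-Del question: Task Manager still needs to be removed by policy (User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options), and the Software Restriction Policy she describes is still what keeps anything other than mstsc.exe from being launched.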