Restrict to 1 program


Guest Joe Letter
Posted

Hello,

I have a win2k3 server setup as a terminal server. I have one application I would like the users to have access to. I've heard that it is possible to restrict TS so that an application starts automatically when the users login. They only have access to that program during the session and if they close the program, the TS session ends. How can this be done? Is there something step-by-step I could follow? Also, how can this be done so that I can still login remotely with the admin account and not have this restriction on my account.

Thanks much!

Joe.

Guest Vera Noest [MVP]
Posted

Re: Restrict to 1 program

 

You can define the Starting Application in several ways. Easiest is to do this in a Group Policy. You'll find the setting here:

User Configuration - Administrative templates - Windows Components - Terminal Services
"Start a program on connection"

Since this is a User Configuration setting, you'll also need to configure loopback processing of the GPO:

Computer Configuration - Administrative Templates - System - Group Policy
"User Group Policy loopback processing mode" - "Replace"

And then use security filtering of the GPO to make sure that it doesn't apply to Administrators:

816100 - How To Prevent Domain Group Policies from Applying to Administrator Accounts and Selected Users in Windows Server 2003
http://support.microsoft.com/?kbid=816100

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

"Joe Letter" <nojunk@nojunk.com> wrote on 29 dec 2007 in

microsoft.public.windows.terminal_services:

> Hello,

> I have a win2k3 server setup as a terminal server.

> I have one

> application I would like the users to have access to. I've

> heard that it is possible to restrict TS so that an application

> starts automatically when the users login. They only have

> access to that program during the session and if they close the

> program, the TS session ends. How can this be done? Is

> there something step-by-step I could follow? Also, how can this

> be done so that I can still login remotely with the admin

> account and not have this restriction on my account.

>

>

> Thanks much!

> Joe.
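
The design in the reply above (a User Configuration setting in a GPO linked to the terminal server's OU, loopback in "Replace" mode, and a deny filter for administrators), modelled as an added example that is not part of the original thread and not Microsoft's implementation. The OU, group, account and path names are constructed; the resolver handles OU links only, and it also covers "Merge" mode, which goes beyond what the reply describes.

```python
"""Toy resolver for Group Policy user settings (added illustration, constructed names)."""
from dataclasses import dataclass, field

START_PROGRAM = "Start a program on connection"
LOOPBACK = "User Group Policy loopback processing mode"
APP = r"C:\Apps\lob.exe"  # constructed sample path


@dataclass(frozen=True)
class Principal:
    """A user or computer account: the OU it lives in and its group memberships."""
    name: str
    ou: str
    groups: frozenset


@dataclass
class GPO:
    name: str
    computer_settings: dict = field(default_factory=dict)
    user_settings: dict = field(default_factory=dict)
    allow_apply: frozenset = frozenset({"Authenticated Users"})
    deny_apply: frozenset = frozenset()

    def applies_to(self, principal):
        # Security filtering: a Deny on "Apply Group Policy" beats any Allow.
        allowed = bool(self.allow_apply & principal.groups)
        denied = bool(self.deny_apply & principal.groups)
        return allowed and not denied


def computer_settings(computer, links):
    """Computer Configuration: GPOs linked to the computer's OU, filtered by the computer."""
    merged = {}
    for gpo in links.get(computer.ou, []):
        if gpo.applies_to(computer):
            merged.update(gpo.computer_settings)
    return merged


def user_settings(user, computer, links):
    """User Configuration that results when `user` logs on to `computer`.

    `links` maps an OU name to the GPOs linked to it, in processing order.
    Simplification: only OU links are modelled (no site/domain links, no local policy).
    """
    mode = computer_settings(computer, links).get(LOOPBACK)  # None, "Merge" or "Replace"
    from_user_ou = links.get(user.ou, [])
    from_computer_ou = links.get(computer.ou, [])
    if mode == "Replace":
        candidates = from_computer_ou
    elif mode == "Merge":
        candidates = from_user_ou + from_computer_ou  # computer's OU is applied last and wins
    else:
        candidates = from_user_ou
    merged = {}
    for gpo in candidates:
        if gpo.applies_to(user):  # filtered by the *user's* groups, also under loopback
            merged.update(gpo.user_settings)
    return merged


def single_app_gpo(loopback=None):
    """The GPO from the thread: starting application, optional loopback, admins denied."""
    return GPO(
        name="TS single application",
        computer_settings={LOOPBACK: loopback} if loopback else {},
        user_settings={START_PROGRAM: APP},
        deny_apply=frozenset({"Domain Admins"}),
    )


# Constructed accounts: two users in a "Staff" OU, one terminal server, one workstation.
ALICE = Principal("alice", "Staff", frozenset({"Authenticated Users", "Domain Users"}))
ADMIN = Principal("admin", "Staff", frozenset({"Authenticated Users", "Domain Admins"}))
TS = Principal("TS01$", "TermServers", frozenset({"Authenticated Users", "Domain Computers"}))
WKS = Principal("WKS01$", "Workstations", frozenset({"Authenticated Users", "Domain Computers"}))

RECOMMENDED = {"TermServers": [single_app_gpo("Replace")]}  # linked to the TS OU, loopback on
NO_LOOPBACK = {"TermServers": [single_app_gpo()]}           # same link, loopback not set
ON_USER_OU = {"Staff": [single_app_gpo()]}                  # linked to the users' OU instead

if __name__ == "__main__":
    cases = [
        ("alice -> TS, recommended design", ALICE, TS, RECOMMENDED),
        ("alice -> workstation, recommended", ALICE, WKS, RECOMMENDED),
        ("admin -> TS, recommended design", ADMIN, TS, RECOMMENDED),
        ("alice -> TS, loopback missing", ALICE, TS, NO_LOOPBACK),
        ("alice -> workstation, GPO on user OU", ALICE, WKS, ON_USER_OU),
    ]
    for label, user, computer, links in cases:
        print(f"{label:40} {user_settings(user, computer, links)}")
```

The deny filter only removes the user settings for administrators; the computer account is not in that group, so the loopback flag itself still applies to the server.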

Guest Joe Letter
Posted

Re: Restrict to 1 program

 

Thanks for your help.

I have a few followup questions:

1. Will this have the effect of only 1 program opening and ts automatically quitting if they close that app?
2. Will this apply to the domain or just the one server? I would want it to apply to just the one server.
3. If I didn't want to use a group policy, is there another way? I just am not very familiar with GP's.

Thanks again a million,

joe

 

 

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message

news:Xns9A1592839F598veranoesthemutforsse@207.46.248.16...

> You can define the Starting Application in several ways.

> Easiest is to do this in a Group Policy. You'll find the setting

> here:

>

> User Configuration - Administrative templates - Windows Components

> - Terminal Services

> "Start a program on connection"

>

> Since this is a User Configuration setting, you'll also need to

> configure loopback processing of the GPO:

>

> Computer Configuration - Administrative Templates - System - Group

> Policy

> "User Group Policy loopback processing mode" - "Replace"

>

> And then use security filtering of the GPO to make sure that it

> doesn't apply to Administrators:

>

> 816100 - How To Prevent Domain Group Policies from Applying to

> Administrator Accounts and Selected Users in Windows Server 2003

> http://support.microsoft.com/?kbid=816100

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___


Guest Vera Noest [MVP]
Posted

Re: Restrict to 1 program

 

1. Yes.

2. Depends on to which OU you link the GPO. You would link this GPO to the OU which contains the TS account, so that it would only apply to the TS. But let's forget about GPOs for now.

3. Sure. On the Terminal Server, go to Start menu - Administrative tools - Terminal Server Configuration - double-click rdp-tcp connection - it's in one of the tabs there, I believe it's called session settings, but can't check at the moment.

The disadvantage with doing it on the server itself is that it will apply to everyone, and that includes Administrators. With GPO's you can use security filtering to only apply such settings to specific user groups. The only way for you as Administrator to connect to the server and not run the starting application is when you connect to the console session, with mstsc /console. But that leaves you with just one session. If that gets disconnected and you can't reconnect, you're out of luck.

4. Try to find some time to read up on GPO's! It will save you time in the long run, and you will be able to do things that you can't do properly in any other way.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

"Joe Letter" <nojunk@nojunk.com> wrote on 04 jan 2008 in

microsoft.public.windows.terminal_services:

> Thanks for your help.

>

> I have a few followup questions:

>

> 1. Will this have the effect of only 1 program opening and ts

> automatically quitting if they close that app?

> 2. will this apply to the domain or just the one server? I would

> want it to apply to just the one server.

> 3. If I didn't want to use a group policy, is there another way?

> I just am not very familiar with GP's

>

> Thanks again a million,

> joe


Guest Joe Letter
Posted

Re: Restrict to 1 program

 

Vera,

Wow, great. Thanks for the info. I will look into learning more about gpo's. I think I read somewhere on my last google search that you can just apply a gpo to the local security policy on a ts server... I might look back at that. Thanks again for all the advice.

If I were to try to change these settings remotely (gpo changes maybe too) and I lock myself out, I can always do a mstsc -v:servername /console to get in right?

Thanks a ton!

-Joe.

 

 

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message

news:Xns9A1BE08D3752Averanoesthemutforsse@207.46.248.16...

> 1. Yes.

> 2. Depends on to which OU you link the GPO. You would link this GPO

> to the OU which contains the TS account, so that it would only

> apply to the TS. But let's forget about GPOs for now.

> 3. Sure. On the Terminal Server, go to Start menu - Administrative

> tools - Terminal Server Configuration - double-click rdp-tcp

> connection - it's in one of the tabs there, I believe it's called

> session settings, but can't check at the moment.

> The disadvantage with doing it on the server itself is that it will

> apply to everyone, and that includes Administrators. With GPO's you

> can use security filtering to only apply such settings to specific

> user groups. The only way for you as Administrator to connect to

> the server and not run the starting application is when you connect

> to the console session, with mstsc /console. But that leaves you

> with just one session. If that gets disconnected and you can't

> reconnect, you're out of luck.

> 4. Try to find some time to read up on GPO's! It will save you time

> in the long run, and you will be able to do things that you can't

> do properly in any other way.

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___


Guest Vera Noest [MVP]
Posted

Re: Restrict to 1 program

 

No, you can't apply GPOs to the local policy. You can link a GPO to a site, or a domain, or an OU, and it will be applied to the objects in that site, domain, or OU (in that order). GPOs defined this way will always override the local policy (which comes last in the hierarchy). So the local policy settings will only be effective in the absence of a GPO (or a setting of "Undefined" in the GPO).

Yes, you can connect with mstsc /console and the initial program will not run. Just tested with notepad.exe as initial program defined in the Environment tab of tscc.msc, and it doesn't run in the console session, but does in all normal sessions.

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

"Joe Letter" <nojunk@nojunk.com> wrote on 07 jan 2008 in

microsoft.public.windows.terminal_services:

> Vera,

> Wow, great. Thanks for the info. I will look into

> learning more

> about gpo's. I think I read somewhere on my last google search

> that you can just apply a gpo to the local security policy on a

> ts server... I might look back at that. Thanks again for all

> the advice.

>

> If I were to try to change these settings remotely (gpo changes

> maybe too) and I lock myself out, I can always do a mstsc

> -v:servername /console to get in right?

>

> Thanks a ton!

> -Joe.


Guest Joe Letter
Posted

Re: Restrict to 1 program

 

Vera,

Thanks for being patient with me. I've spent some time researching gpo's and am getting to understand them better. Thanks for the info.

So, now my question is: Can I create the policy, apply it to the entire domain, set the filtering to include termserver and authenticated users, then under delegation check deny for apply policy for domain admins? Do I need to set the policy change in the computer configuration or the user configuration, or both? When do I know to set it in computer or user? Can I just set it in both if I am in doubt? I know you mentioned loopbacking in the first email to me.. that concept is still foreign at this point to me.. can I get around using it?

Thanks!

Joe.

 

 

 

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message

news:Xns9A1EDB4A77433veranoesthemutforsse@207.46.248.16...

> No, you can't apply GPOs to the local policy.

> You can link a GPO to a site, or a domain, or an OU, and it will be

> applied to the objects in that site, domain, or OU (in that order).

> GPOs defined this way will always override the local policy (which

> comes last in the hierarchy). So the local policy settings will

> only be effective in the absence of a GPO (or a setting of

> "Undefined" in the GPO).

>

> Yes, you can connect with mstsc /console and the initial program

> will not run. Just tested with notepad.exe as initial program

> defined in the Environment tab of tscc.msc, and it doesn't run in

> the console session, but does in all normal sessions.

>

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___


Guest Vera Noest [MVP]
Posted

Re: Restrict to 1 program

 

No, I would *not* apply the policy to the whole domain. Create a separate OU, called something like TermServers, move the Terminal Server computer account in this OU and link the policy to this OU.

Then follow the steps from my first post. You have to make it a User Configuration setting, because you cannot filter Computer Configuration settings by user group. Those settings are applied to the TS, irrespective of who logs on, at boot time of the server.

And because it is a User setting, you *must* use loopback processing.

The effect of loopback processing isn't so hard to understand. With normal policy processing, when a user logs on to a computer (workstation, or TS), 2 policies are applied: the Computer Configuration settings from the GPO linked to the OU where the computer is located and the User Configuration settings from the OU where the user account is located. So without loopback processing, you would have to define the starting application in a GPO linked to the Users OU. But then it would attempt to start even when they logon to the workstation, and failing to do that, they would be logged off again.

To change this normal way of policy processing, you use the loopback setting. It simply tells the system to apply both the Computer and the User Configuration settings from the GPO which is linked to the OU which contains the computer account (the TS account), irrespective of where the user account is located. That's the only way to make sure that the GPO is applied to all users of the TS, and *only* when they logon to the TS.

When you are in the GPeditor, don't forget to check the "Explain" tab for every setting that you would like to configure. It contains very useful information about what happens when you configure a setting.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

"Joe Letter" <nojunk@nojunk.com> wrote on 09 jan 2008 in

microsoft.public.windows.terminal_services:

> Vera,

> Thanks for being patient with me. I've spent some time

> researching

> gpo's and am getting to understand them better. Thanks for the

> info.

>

> So, now my question is : Can I create the policy, apply

> it to the

> entire domain, set the filtering to

> include termserver and authenticated users, then under

> delegation check deny for apply policy for domain admins? Do I

> need to set the policy change in the computer configuration or

> the user configuration, or both? When do I know to set it in

> computer or user? Can I just set it in both if I am in doubt?

> I know you mentioned loopbacking in the first email to me.. that

> concept is still foreign at this point to me.. can I get around

> using it?

>

> Thanks!

> Joe.

>

>

>

> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote

> in message

> news:Xns9A1EDB4A77433veranoesthemutforsse@207.46.248.16...

>> No, you can't apply GPOs to the local policy.

>> You can link a GPO to a site, or a domain, or an OU, and it

>> will be applied to the objects in that site, domain, or OU (in

>> that order). GPOs defined this way will always override the

>> local policy (which comes last in the hierarchy). So the local

>> policy settings will only be effective in the absence of a GPO

>> (or a setting of "Undefined" in the GPO).

>>

>> Yes, you can connect with mstsc / console and the initial

>> program will not run. Just tested with notepad.exe as initial

>> program defined in the Environment tab of tscc.msc, and it

>> doesn't run in the console session, but does in all normal

>> sessions.

>>

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> "Joe Letter" <nojunk@nojunk.com> wrote on 07 jan 2008 in

>> microsoft.public.windows.terminal_services:

>>

>>> Vera,

>>> Wow, great . Thanks for the info. I will look into

>>> learning more

>>> about gpo's. I think I read somewhere on my last google

>>> search that you can just apply a gpo to the local security

>>> policy on a ts server... I might look back at that. Thanks

>>> again for all the advice.

>>>

>>> If I were to try to change these setting remotely (gpo changes

>>> maybe too) and I lock myself out, I can always do a mstsc

>>> -v:servername /console to get in right?

>>>

>>> Thanks a ton!

>>> -Joe.

>>>

>>>

>>> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se>

>>> wrote in message

>>> news:Xns9A1BE08D3752Averanoesthemutforsse@207.46.248.16...

>>>> 1. Yes.

>>>> 2. Depends on to which OU you link the GPO. You would link

>>>> this GPO to the OU which contains the TS account, so that it

>>>> would only apply to the TS. But let's forget about GPOs for

>>>> now. 3. Sure. On the Terminal Server, go to Start menu -

>>>> Administrative tools - Terminal Server Configuration -

>>>> double-click rdp-tcp connection - it's in one of the tabs

>>>> there, I believe it's called session settings, but can't

>>>> check at the moment. The disadvantage with doing it on the

>>>> server itself is that it will apply to everyone, and that

>>>> includes Administrators. With GPO's you can use security

>>>> filtering to only apply such settings to specific user

>>>> groups. The only way for you as Administrator to connect to

>>>> the server and not run the starting application is when you

>>>> connect to the console session, with mstc 7console. But that

>>>> leaves you with just one session. If that gets disconnected

>>>> and you can't reconnect, you're out of luck. 4. Try to find

>>>> some time to read up on GPO's! It will save you time in the

>>>> long run, and you will be able to do things that you can't do

>>>> properly in any other way.

>>>> _________________________________________________________

>>>> Vera Noest

>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

>>>> TS troubleshooting: http://ts.veranoest.net

>>>> ___ please respond in newsgroup, NOT by private email ___

>>>>

>>>> "Joe Letter" <nojunk@nojunk.com> wrote on 04 jan 2008 in

>>>> microsoft.public.windows.terminal_services:

>>>>

>>>>> Thanks for your help.

>>>>>

>>>>> I have a few followup questions:

>>>>>

>>>>> 1. Will this have the effect of only 1 program opening and

>>>>> ts automatically quitting if they close that app?

>>>>> 2. will this apply to the domain or just the one server? I

>>>>> would want it to apply to just the one server.

>>>>> 3. If I didn't want to use a group policy, is there another

>>>>> way?

>>>>> I just am not very familiar with GP's

>>>>>

>>>>> Thanks again a million,

>>>>> joe

>>>>>

>>>>>

>>>>> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se>

>>>>> wrote in message

>>>>> news:Xns9A1592839F598veranoesthemutforsse@207.46.248.16...

>>>>>> You can define the Starting Application in several ways.

>>>>>> Easiest is to do this in a Group Policy. You'll find the

>>>>>> setting here:

>>>>>>

>>>>>> User Configuration - Administrative templates - Windows

>>>>>> Components - Terminal Services

>>>>>> "Start a program on connection"

>>>>>>

>>>>>> Since this is a User Configuration setting, you'll also

>>>>>> need to configure loopback processing of the GPO:

>>>>>>

>>>>>> Computer Configuration - Administrative Templates - System

>>>>>> - Group Policy

>>>>>> "User Group Policy loopback processing mode" - "Replace"

>>>>>>

>>>>>> And then use security filtering of the GPO to make sure

>>>>>> that it doesn't apply to Administrators:

>>>>>>

>>>>>> 816100 - How To Prevent Domain Group Policies from Applying

>>>>>> to Administrator Accounts and Selected Users in Windows

>>>>>> Server 2003 http://support.microsoft.com/?kbid=816100

>>>>>> _________________________________________________________

>>>>>> Vera Noest

>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

>>>>>> TS troubleshooting: http://ts.veranoest.net

>>>>>> ___ please respond in newsgroup, NOT by private email ___

>>>>>>

>>>>>> "Joe Letter" <nojunk@nojunk.com> wrote on 29 dec 2007 in

>>>>>> microsoft.public.windows.terminal_services:

>>>>>>

>>>>>>> Hello,

>>>>>>> I have a win2k3 server setup as a terminal

>>>>>>> server. I have one

>>>>>>> application I would like the users to have access to.

>>>>>>> I've heard that it is possible to restrict TS so that an

>>>>>>> application starts automatically when the users login.

>>>>>>> They only have access to that program during the session

>>>>>>> and if they close the program, the TS session ends.

>>>>>>> How can this be done? Is there something step-by-step I

>>>>>>> could follow? Also, how can this be done so that I can

>>>>>>> still login remotely with the admin account and not have

>>>>>>> this restriction on my account.

>>>>>>>

>>>>>>>

>>>>>>> Thanks much!

>>>>>>> Joe.

Guest Joe Letter
Posted

Re: Restrict to 1 program

 

Vera,

 

Awesome. Thanks very much. I completed the process you outlined

and it works great! I also understand a lot more about GPO thanks to you.

I appreciate all your help.

 

Again Thanks!

Joe.

 

 

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message

news:Xns9A21C456DD8Everanoesthemutforsse@207.46.248.16...

> No, I would *not* apply the policy to the whole domain.

> Create a separate OU, called something like TermServers, move the

> Terminal Server computer account in this OU and link the policy to

> this OU.

>

> Then follow the steps from my first post.

> You have to make it a User Configuration setting, because you

> cannot filter Computer Configuration settings by user group. Those

> settings are applied to the TS, irrespective of who logs on, at

> boot time of the server.

>

> And because it is a User setting, you *must* use loopback

> processing.

>

> The effect of loopback processing isn't so hard to understand.

> With normal policy processing, when a user logs on to a computer

> (workstation, or TS), 2 policies are applied: the Computer

> Configuration settings from the GPO linked to OU where the computer

> is located and the User Configuration settings from the OU where

> the user account is located.

> So without loopback processing, you would have to define the

> starting application in a GPO linked to the Users OU. But then it

> would attempt to start even when they logon to the workstation, and

> failing to do that, they would be logged off again.

>

> To change this normal way of policy processing, you use the

> loopback setting. It simply tells the system to apply both the

> Computer and the User Configuration settings from the GPO which is

> linked to the OU which contains the computer account (the TS

> account), irrespective of where the user account is located. That's

> the only way to make sure that the GPO is applied to all users of

> the TS, and *only* when they logon to the TS.

>

> When you are in the GPeditor, don't forget to check the "Explain"

> tab for every setting that you would like to configure. It contains

> very useful information about what happens when you configure a

> setting.

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> "Joe Letter" <nojunk@nojunk.com> wrote on 09 jan 2008 in

> microsoft.public.windows.terminal_services:

>

>> Vera,

>> Thanks for being patient with me. I've spent some time

>> researching

>> gpo's and am getting to understand them better. Thanks for the

>> info.

>>

>> So, now my question is: Can I create the policy, apply

>> it to the

>> entire domain, set the filtering to

>> include termserver and authenticated users, then under

>> delegation check deny for apply policy for domain admins? Do I

>> need to set the policy change in the computer configuration or

>> the user configuration, or both? When do I know to set it in

>> computer or user? Can I just set it in both if I am in doubt?

>> I know you mentioned loopbacking in the first email to me.. that

>> concept is still foreign at this point to me.. can I get around

>> using it?

>>

>> Thanks!

>> Joe.

>>

>>

>>

>> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote

>> in message

>> news:Xns9A1EDB4A77433veranoesthemutforsse@207.46.248.16...

>>> No, you can't apply GPOs to the local policy.

>>> You can link a GPO to a site, or a domain, or an OU, and it

>>> will be applied to the objects in that site, domain, or OU (in

>>> that order). GPOs defined this way will always override the

>>> local policy (which comes last in the hierarchy). So the local

>>> policy settings will only be effective in the absence of a GPO

>>> (or a setting of "Undefined" in the GPO).

>>>

>>> Yes, you can connect with mstsc /console and the initial

>>> program will not run. Just tested with notepad.exe as initial

>>> program defined in the Environment tab of tscc.msc, and it

>>> doesn't run in the console session, but does in all normal

>>> sessions.

>>>

>>> _________________________________________________________

>>> Vera Noest

>>> MCSE, CCEA, Microsoft MVP - Terminal Server

>>> TS troubleshooting: http://ts.veranoest.net

>>> ___ please respond in newsgroup, NOT by private email ___

>>>

>>> "Joe Letter" <nojunk@nojunk.com> wrote on 07 jan 2008 in

>>> microsoft.public.windows.terminal_services:

>>>

>>>> Vera,

>>>> Wow, great. Thanks for the info. I will look into

>>>> learning more

>>>> about gpo's. I think I read somewhere on my last google

>>>> search that you can just apply a gpo to the local security

>>>> policy on a ts server... I might look back at that. Thanks

>>>> again for all the advice.

>>>>

>>>> If I were to try to change these settings remotely (gpo changes

>>>> maybe too) and I lock myself out, I can always do a mstsc

>>>> -v:servername /console to get in right?

>>>>

>>>> Thanks a ton!

>>>> -Joe.

>>>>

>>>>

>>>> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se>

>>>> wrote in message

>>>> news:Xns9A1BE08D3752Averanoesthemutforsse@207.46.248.16...

>>>>> 1. Yes.

>>>>> 2. Depends on to which OU you link the GPO. You would link

>>>>> this GPO to the OU which contains the TS account, so that it

>>>>> would only apply to the TS. But let's forget about GPOs for

>>>>> now. 3. Sure. On the Terminal Server, go to Start menu -

>>>>> Administrative tools - Terminal Server Configuration -

>>>>> double-click rdp-tcp connection - it's in one of the tabs

>>>>> there, I believe it's called session settings, but can't

>>>>> check at the moment. The disadvantage with doing it on the

>>>>> server itself is that it will apply to everyone, and that

>>>>> includes Administrators. With GPO's you can use security

>>>>> filtering to only apply such settings to specific user

>>>>> groups. The only way for you as Administrator to connect to

>>>>> the server and not run the starting application is when you

>>>>> connect to the console session, with mstsc /console. But that

>>>>> leaves you with just one session. If that gets disconnected

>>>>> and you can't reconnect, you're out of luck. 4. Try to find

>>>>> some time to read up on GPO's! It will save you time in the

>>>>> long run, and you will be able to do things that you can't do

>>>>> properly in any other way.

>>>>> _________________________________________________________

>>>>> Vera Noest

>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

>>>>> TS troubleshooting: http://ts.veranoest.net

>>>>> ___ please respond in newsgroup, NOT by private email ___

>>>>>

>>>>> "Joe Letter" <nojunk@nojunk.com> wrote on 04 jan 2008 in

>>>>> microsoft.public.windows.terminal_services:

>>>>>

>>>>>> Thanks for your help.

>>>>>>

>>>>>> I have a few followup questions:

>>>>>>

>>>>>> 1. Will this have the effect of only 1 program opening and

>>>>>> ts automatically quitting if they close that app?

>>>>>> 2. will this apply to the domain or just the one server? I

>>>>>> would want it to apply to just the one server.

>>>>>> 3. If I didn't want to use a group policy, is there another

>>>>>> way?

>>>>>> I just am not very familiar with GP's

>>>>>>

>>>>>> Thanks again a million,

>>>>>> joe

>>>>>>

>>>>>>

>>>>>> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se>

>>>>>> wrote in message

>>>>>> news:Xns9A1592839F598veranoesthemutforsse@207.46.248.16...

>>>>>>> You can define the Starting Application in several ways.

>>>>>>> Easiest is to do this in a Group Policy. You'll find the

>>>>>>> setting here:

>>>>>>>

>>>>>>> User Configuration - Administrative templates - Windows

>>>>>>> Components - Terminal Services

>>>>>>> "Start a program on connection"

>>>>>>>

>>>>>>> Since this is a User Configuration setting, you'll also

>>>>>>> need to configure loopback processing of the GPO:

>>>>>>>

>>>>>>> Computer Configuration - Administrative Templates - System

>>>>>>> - Group Policy

>>>>>>> "User Group Policy loopback processing mode" - "Replace"

>>>>>>>

>>>>>>> And then use security filtering of the GPO to make sure

>>>>>>> that it doesn't apply to Administrators:

>>>>>>>

>>>>>>> 816100 - How To Prevent Domain Group Policies from Applying

>>>>>>> to Administrator Accounts and Selected Users in Windows

>>>>>>> Server 2003 http://support.microsoft.com/?kbid=816100

>>>>>>> _________________________________________________________

>>>>>>> Vera Noest

>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

>>>>>>> TS troubleshooting: http://ts.veranoest.net

>>>>>>> ___ please respond in newsgroup, NOT by private email ___

>>>>>>>

>>>>>>> "Joe Letter" <nojunk@nojunk.com> wrote on 29 dec 2007 in

>>>>>>> microsoft.public.windows.terminal_services:

>>>>>>>

>>>>>>>> Hello,

>>>>>>>> I have a win2k3 server setup as a terminal

>>>>>>>> server. I have one

>>>>>>>> application I would like the users to have access to.

>>>>>>>> I've heard that it is possible to restrict TS so that an

>>>>>>>> application starts automatically when the users login.

>>>>>>>> They only have access to that program during the session

>>>>>>>> and if they close the program, the TS session ends.

>>>>>>>> How can this be done? Is there something step-by-step I

>>>>>>>> could follow? Also, how can this be done so that I can

>>>>>>>> still login remotely with the admin account and not have

>>>>>>>> this restriction on my account.

>>>>>>>>

>>>>>>>>

>>>>>>>> Thanks much!

>>>>>>>> Joe.

Guest Vera Noest [MVP]
Posted

Re: Restrict to 1 program

 

You're welcome, Joe! I'm glad that my solution works for you, and

that you got yourself a crash course on GPOs in the process :-)

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

"Joe Letter" <nojunk@nojunk.com> wrote on 11 jan 2008 in

microsoft.public.windows.terminal_services:

> Vera,

>

> Awesome. Thanks very much. I completed the process you

> outlined

> and it works great! I also understand a lot more about GPO

> thanks to you. I appreciate all your help.

>

> Again Thanks!

> Joe.

>

>

> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote

> in message

> news:Xns9A21C456DD8Everanoesthemutforsse@207.46.248.16...

>> No, I would *not* apply the policy to the whole domain.

>> Create a separate OU, called something like TermServers, move

>> the Terminal Server computer account in this OU and link the

>> policy to this OU.

>>

>> Then follow the steps from my first post.

>> You have to make it a User Configuration setting, because you

>> cannot filter Computer Configuration settings by user group.

>> Those settings are applied to the TS, irrespective of who logs

>> on, at boot time of the server.

>>

>> And because it is a User setting, you *must* use loopback

>> processing.

>>

>> The effect of loopback processing isn't so hard to understand.

>> With normal policy processing, when a user logs on to a

>> computer (workstation, or TS), 2 policies are applied: the

>> Computer Configuration settings from the GPO linked to OU where

>> the computer is located and the User Configuration settings

>> from the OU where the user account is located.

>> So without loopback processing, you would have to define the

>> starting application in a GPO linked to the Users OU. But then

>> it would attempt to start even when they logon to the

>> workstation, and failing to do that, they would be logged off

>> again.

>>

>> To change this normal way of policy processing, you use the

>> loopback setting. It simply tells the system to apply both the

>> Computer and the User Configuration settings from the GPO which

>> is linked to the OU which contains the computer account (the TS

>> account), irrespective of where the user account is located.

>> That's the only way to make sure that the GPO is applied to all

>> users of the TS, and *only* when they logon to the TS.

>>

>> When you are in the GPeditor, don't forget to check the

>> "Explain" tab for every setting that you would like to

>> configure. It contains very useful information about what

>> happens when you configure a setting.

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> "Joe Letter" <nojunk@nojunk.com> wrote on 09 jan 2008 in

>> microsoft.public.windows.terminal_services:

>>

>>> Vera,

>>> Thanks for being patient with me. I've spent some time

>>> researching

>>> gpo's and am getting to understand them better. Thanks for

>>> the info.

>>>

>>> So, now my question is: Can I create the policy,

>>> apply it to the

>>> entire domain, set the filtering to

>>> include termserver and authenticated users, then under

>>> delegation check deny for apply policy for domain admins? Do

>>> I need to set the policy change in the computer configuration

>>> or the user configuration, or both? When do I know to set it

>>> in computer or user? Can I just set it in both if I am in

>>> doubt? I know you mentioned loopbacking in the first email to

>>> me.. that concept is still foreign at this point to me.. can I

>>> get around using it?

>>>

>>> Thanks!

>>> Joe.

>>>

>>>

>>>

>>> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se>

>>> wrote in message

>>> news:Xns9A1EDB4A77433veranoesthemutforsse@207.46.248.16...

>>>> No, you can't apply GPOs to the local policy.

>>>> You can link a GPO to a site, or a domain, or an OU, and it

>>>> will be applied to the objects in that site, domain, or OU

>>>> (in that order). GPOs defined this way will always override

>>>> the local policy (which comes last in the hierarchy). So the

>>>> local policy settings will only be effective in the absence

>>>> of a GPO (or a setting of "Undefined" in the GPO).

>>>>

>>>> Yes, you can connect with mstsc /console and the initial

>>>> program will not run. Just tested with notepad.exe as initial

>>>> program defined in the Environment tab of tscc.msc, and it

>>>> doesn't run in the console session, but does in all normal

>>>> sessions.

>>>>

>>>> _________________________________________________________

>>>> Vera Noest

>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

>>>> TS troubleshooting: http://ts.veranoest.net

>>>> ___ please respond in newsgroup, NOT by private email ___

>>>>

>>>> "Joe Letter" <nojunk@nojunk.com> wrote on 07 jan 2008 in

>>>> microsoft.public.windows.terminal_services:

>>>>

>>>>> Vera,

>>>>> Wow, great. Thanks for the info. I will look into

>>>>> learning more

>>>>> about gpo's. I think I read somewhere on my last google

>>>>> search that you can just apply a gpo to the local security

>>>>> policy on a ts server... I might look back at that.

>>>>> Thanks again for all the advice.

>>>>>

>>>>> If I were to try to change these settings remotely (gpo

>>>>> changes maybe too) and I lock myself out, I can always do a

>>>>> mstsc -v:servername /console to get in right?

>>>>>

>>>>> Thanks a ton!

>>>>> -Joe.

>>>>>

>>>>>

>>>>> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se>

>>>>> wrote in message

>>>>> news:Xns9A1BE08D3752Averanoesthemutforsse@207.46.248.16...

>>>>>> 1. Yes.

>>>>>> 2. Depends on to which OU you link the GPO. You would link

>>>>>> this GPO to the OU which contains the TS account, so that

>>>>>> it would only apply to the TS. But let's forget about GPOs

>>>>>> for now. 3. Sure. On the Terminal Server, go to Start menu

>>>>>> - Administrative tools - Terminal Server Configuration -

>>>>>> double-click rdp-tcp connection - it's in one of the tabs

>>>>>> there, I believe it's called session settings, but can't

>>>>>> check at the moment. The disadvantage with doing it on the

>>>>>> server itself is that it will apply to everyone, and that

>>>>>> includes Administrators. With GPO's you can use security

>>>>>> filtering to only apply such settings to specific user

>>>>>> groups. The only way for you as Administrator to connect to

>>>>>> the server and not run the starting application is when you

>>>>>> connect to the console session, with mstsc /console. But

>>>>>> that leaves you with just one session. If that gets

>>>>>> disconnected and you can't reconnect, you're out of luck.

>>>>>> 4. Try to find some time to read up on GPO's! It will save

>>>>>> you time in the long run, and you will be able to do things

>>>>>> that you can't do properly in any other way.

>>>>>> _________________________________________________________

>>>>>> Vera Noest

>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

>>>>>> TS troubleshooting: http://ts.veranoest.net

>>>>>> ___ please respond in newsgroup, NOT by private email ___

>>>>>>

>>>>>> "Joe Letter" <nojunk@nojunk.com> wrote on 04 jan 2008 in

>>>>>> microsoft.public.windows.terminal_services:

>>>>>>

>>>>>>> Thanks for your help.

>>>>>>>

>>>>>>> I have a few followup questions:

>>>>>>>

>>>>>>> 1. Will this have the effect of only 1 program opening and

>>>>>>> ts automatically quitting if they close that app?

>>>>>>> 2. will this apply to the domain or just the one server? I

>>>>>>> would want it to apply to just the one server.

>>>>>>> 3. If I didn't want to use a group policy, is there

>>>>>>> another way?

>>>>>>> I just am not very familiar with GP's

>>>>>>>

>>>>>>> Thanks again a million,

>>>>>>> joe

>>>>>>>

>>>>>>>

>>>>>>> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se>

>>>>>>> wrote in message

>>>>>>> news:Xns9A1592839F598veranoesthemutforsse@207.46.248.16...

>>>>>>>> You can define the Starting Application in several ways.

>>>>>>>> Easiest is to do this in a Group Policy. You'll find the

>>>>>>>> setting here:

>>>>>>>>

>>>>>>>> User Configuration - Administrative templates - Windows

>>>>>>>> Components - Terminal Services

>>>>>>>> "Start a program on connection"

>>>>>>>>

>>>>>>>> Since this is a User Configuration setting, you'll also

>>>>>>>> need to configure loopback processing of the GPO:

>>>>>>>>

>>>>>>>> Computer Configuration - Administrative Templates -

>>>>>>>> System - Group Policy

>>>>>>>> "User Group Policy loopback processing mode" - "Replace"

>>>>>>>>

>>>>>>>> And then use security filtering of the GPO to make sure

>>>>>>>> that it doesn't apply to Administrators:

>>>>>>>>

>>>>>>>> 816100 - How To Prevent Domain Group Policies from

>>>>>>>> Applying to Administrator Accounts and Selected Users in

>>>>>>>> Windows Server 2003

>>>>>>>> http://support.microsoft.com/?kbid=816100

>>>>>>>> _________________________________________________________

>>>>>>>> Vera Noest

>>>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

>>>>>>>> TS troubleshooting: http://ts.veranoest.net

>>>>>>>> ___ please respond in newsgroup, NOT by private email ___

>>>>>>>>

>>>>>>>> "Joe Letter" <nojunk@nojunk.com> wrote on 29 dec 2007 in

>>>>>>>> microsoft.public.windows.terminal_services:

>>>>>>>>

>>>>>>>>> Hello,

>>>>>>>>> I have a win2k3 server setup as a terminal

>>>>>>>>> server. I have one

>>>>>>>>> application I would like the users to have access to.

>>>>>>>>> I've heard that it is possible to restrict TS so that an

>>>>>>>>> application starts automatically when the users login.

>>>>>>>>> They only have access to that program during the session

>>>>>>>>> and if they close the program, the TS session ends.

>>>>>>>>> How can this be done? Is there something step-by-step I

>>>>>>>>> could follow? Also, how can this be done so that I can

>>>>>>>>> still login remotely with the admin account and not have

>>>>>>>>> this restriction on my account.

>>>>>>>>>

>>>>>>>>>

>>>>>>>>> Thanks much!

>>>>>>>>> Joe.
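
The policy processing explained in this thread, as an added example that is not part of the original posts: a simplified Python model of which User Configuration settings a logon receives with and without loopback, and with the Administrators excluded by security filtering. The OU names Staff and Workstations, the GPO names and the application path are hypothetical, and OU inheritance and site/domain links are left out.

```python
from dataclasses import dataclass, field

APP = r"C:\Apps\lineofbusiness.exe"   # hypothetical starting program


@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)  # Computer Configuration settings
    user: dict = field(default_factory=dict)      # User Configuration settings
    deny_apply: frozenset = frozenset()           # groups denied "Apply Group Policy"


def user_settings(gpos, groups):
    """Merge User Configuration from the GPOs that pass security filtering."""
    merged = {}
    for gpo in gpos:
        if not (gpo.deny_apply & set(groups)):
            merged.update(gpo.user)
    return merged


def effective_user_settings(links, user_ou, groups, computer_ou):
    """User settings a logon receives; `links` maps an OU name to its linked GPOs."""
    computer_gpos = links.get(computer_ou, [])
    user_gpos = links.get(user_ou, [])
    # Computer Configuration applies to the machine regardless of who logs on,
    # so the loopback mode is read from the computer's own OU.
    computer_cfg = {}
    for gpo in computer_gpos:
        computer_cfg.update(gpo.computer)
    mode = computer_cfg.get("loopback")
    if mode == "Replace":      # only the computer OU's GPOs supply user settings
        return user_settings(computer_gpos, groups)
    if mode == "Merge":        # user OU first, computer OU wins on conflict
        merged = user_settings(user_gpos, groups)
        merged.update(user_settings(computer_gpos, groups))
        return merged
    return user_settings(user_gpos, groups)   # normal processing


# Constructed scenario A: the layout recommended in the thread.
TS_GPO = GPO("TS-SingleApp",
             computer={"loopback": "Replace"},
             user={"start_program": APP},
             deny_apply=frozenset({"Domain Admins"}))
LOOPBACK_LINKS = {"TermServers": [TS_GPO], "Staff": [], "Workstations": []}

# Constructed scenario B: same user setting linked to the users' OU, no loopback.
NO_LOOPBACK_LINKS = {"TermServers": [], "Workstations": [],
                     "Staff": [GPO("Staff-StartApp", user={"start_program": APP})]}

if __name__ == "__main__":
    user, admin = ["Domain Users"], ["Domain Users", "Domain Admins"]
    for label, links in (("loopback", LOOPBACK_LINKS), ("no loopback", NO_LOOPBACK_LINKS)):
        for machine in ("TermServers", "Workstations"):
            print(label, machine, "user :", effective_user_settings(links, "Staff", user, machine))
            print(label, machine, "admin:", effective_user_settings(links, "Staff", admin, machine))
```

In scenario B the starting program follows the user to every machine, which is the workstation logoff problem described in the thread; in scenario A it appears only on the terminal server and never for Domain Admins.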
