Jump to content

2008 Questions

Guest Rob

By Guest Rob
in Windows NT Server

 Share

Recommended Posts

Guest Rob

Guest Rob

Posted
Posted

I have a couple of questions:

 

1. I would like to set up an auto login link for terminal services. I have

an app that I want to run but have the server locked down so that only the

app can be run. I know I can set it up in TS Configuration but it prevents me

from logging in under my own credentials for admin purposes. Is there another

way I can set it up? I've also tried saving the credentials in the link but

it doesn't stick. I would love to use RemoteApp but it just isn't feasible at

this time.

 

2. When logging in with the restricted user, the various 2008 splash screens

come up. Is there a way to eliminate them?

  • Replies 8
  • Created
  • Last Reply

Popular Days

Popular Days

Guest Vera Noest [MVP]

Guest Vera Noest [MVP]

Posted
Posted

Re: 2008 Questions

 

Define the application as the starting application in a Group

Policy, configure loopback processing of the GPO, and then make

sure that Administrators are not affected by the application, by

using security filtering.

 

User Computer Configuration - Administrative templates - Windows

Components - Terminal Services

"Start a program on connection"

 

Computer Configuration - Administrative Templates - System - Group

Policy

"User Group Policy loopback processing mode" - "Replace"

 

231287 - Loopback Processing of Group Policy

http://support.microsoft.com/?kbid=231287

 

816100 - How To Prevent Domain Group Policies from Applying to

Administrator Accounts and Selected Users in Windows Server 2003

http://support.microsoft.com/?kbid=816100

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 28 apr

2008 in microsoft.public.windows.terminal_services:

> I have a couple of questions:

>

> 1. I would like to set up an auto login link for terminal

> services. I have an app that I want to run but have the server

> locked down so that only the app can be run. I know I can set it

> up in TS Configuration but it prevents me from logging in under

> my own credentials for admin purposes. Is there another way I

> can set it up? I've also tried saving the credentials in the

> link but it doesn't stick. I would love to use RemoteApp but it

> just isn't feasible at this time.

>

> 2. When logging in with the restricted user, the various 2008

> splash screens come up. Is there a way to eliminate them?

Guest Rob

Guest Rob

Posted
Posted

Re: 2008 Questions

 

Will this prevent the taskbar from showing? There are other potential apps

the users might be using and we want them to be able to see the taskbar.

 

"Vera Noest [MVP]" wrote:

> Define the application as the starting application in a Group

> Policy, configure loopback processing of the GPO, and then make

> sure that Administrators are not affected by the application, by

> using security filtering.

>

> User Computer Configuration - Administrative templates - Windows

> Components - Terminal Services

> "Start a program on connection"

>

> Computer Configuration - Administrative Templates - System - Group

> Policy

> "User Group Policy loopback processing mode" - "Replace"

>

> 231287 - Loopback Processing of Group Policy

> http://support.microsoft.com/?kbid=231287

>

> 816100 - How To Prevent Domain Group Policies from Applying to

> Administrator Accounts and Selected Users in Windows Server 2003

> http://support.microsoft.com/?kbid=816100

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 28 apr

> 2008 in microsoft.public.windows.terminal_services:

>

> > I have a couple of questions:

> >

> > 1. I would like to set up an auto login link for terminal

> > services. I have an app that I want to run but have the server

> > locked down so that only the app can be run. I know I can set it

> > up in TS Configuration but it prevents me from logging in under

> > my own credentials for admin purposes. Is there another way I

> > can set it up? I've also tried saving the credentials in the

> > link but it doesn't stick. I would love to use RemoteApp but it

> > just isn't feasible at this time.

> >

> > 2. When logging in with the restricted user, the various 2008

> > splash screens come up. Is there a way to eliminate them?

>

Guest Vera Noest [MVP]

Guest Vera Noest [MVP]

Posted
Posted

Re: 2008 Questions

 

No. You wrote that you wanted the ".. server locked down so that

only the app can be run".

If your users need to run more than a single application, you don't

define a starting application.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 28 apr

2008 in microsoft.public.windows.terminal_services:

> Will this prevent the taskbar from showing? There are other

> potential apps the users might be using and we want them to be

> able to see the taskbar.

>

> "Vera Noest [MVP]" wrote:

>

>> Define the application as the starting application in a Group

>> Policy, configure loopback processing of the GPO, and then make

>> sure that Administrators are not affected by the application,

>> by using security filtering.

>>

>> User Computer Configuration - Administrative templates -

>> Windows Components - Terminal Services

>> "Start a program on connection"

>>

>> Computer Configuration - Administrative Templates - System -

>> Group Policy

>> "User Group Policy loopback processing mode" - "Replace"

>>

>> 231287 - Loopback Processing of Group Policy

>> http://support.microsoft.com/?kbid=231287

>>

>> 816100 - How To Prevent Domain Group Policies from Applying to

>> Administrator Accounts and Selected Users in Windows Server

>> 2003 http://support.microsoft.com/?kbid=816100

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 28

>> apr 2008 in microsoft.public.windows.terminal_services:

>>

>> > I have a couple of questions:

>> >

>> > 1. I would like to set up an auto login link for terminal

>> > services. I have an app that I want to run but have the

>> > server locked down so that only the app can be run. I know I

>> > can set it up in TS Configuration but it prevents me from

>> > logging in under my own credentials for admin purposes. Is

>> > there another way I can set it up? I've also tried saving the

>> > credentials in the link but it doesn't stick. I would love to

>> > use RemoteApp but it just isn't feasible at this time.

>> >

>> > 2. When logging in with the restricted user, the various 2008

>> > splash screens come up. Is there a way to eliminate them?

Guest Rob

Guest Rob

Posted
Posted

Re: 2008 Questions

 

Let me re-phrase. I want my terminal server locked down so users can't poke

around the server, surf the internet, that kind of thing. There are 3

different applications that they could run. I want users to auto login using

a specific user name but I want to be able to remote in as myself for

administration.

 

"Vera Noest [MVP]" wrote:

> No. You wrote that you wanted the ".. server locked down so that

> only the app can be run".

> If your users need to run more than a single application, you don't

> define a starting application.

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 28 apr

> 2008 in microsoft.public.windows.terminal_services:

>

> > Will this prevent the taskbar from showing? There are other

> > potential apps the users might be using and we want them to be

> > able to see the taskbar.

> >

> > "Vera Noest [MVP]" wrote:

> >

> >> Define the application as the starting application in a Group

> >> Policy, configure loopback processing of the GPO, and then make

> >> sure that Administrators are not affected by the application,

> >> by using security filtering.

> >>

> >> User Computer Configuration - Administrative templates -

> >> Windows Components - Terminal Services

> >> "Start a program on connection"

> >>

> >> Computer Configuration - Administrative Templates - System -

> >> Group Policy

> >> "User Group Policy loopback processing mode" - "Replace"

> >>

> >> 231287 - Loopback Processing of Group Policy

> >> http://support.microsoft.com/?kbid=231287

> >>

> >> 816100 - How To Prevent Domain Group Policies from Applying to

> >> Administrator Accounts and Selected Users in Windows Server

> >> 2003 http://support.microsoft.com/?kbid=816100

> >> _________________________________________________________

> >> Vera Noest

> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> TS troubleshooting: http://ts.veranoest.net

> >> ___ please respond in newsgroup, NOT by private email ___

> >>

> >> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 28

> >> apr 2008 in microsoft.public.windows.terminal_services:

> >>

> >> > I have a couple of questions:

> >> >

> >> > 1. I would like to set up an auto login link for terminal

> >> > services. I have an app that I want to run but have the

> >> > server locked down so that only the app can be run. I know I

> >> > can set it up in TS Configuration but it prevents me from

> >> > logging in under my own credentials for admin purposes. Is

> >> > there another way I can set it up? I've also tried saving the

> >> > credentials in the link but it doesn't stick. I would love to

> >> > use RemoteApp but it just isn't feasible at this time.

> >> >

> >> > 2. When logging in with the restricted user, the various 2008

> >> > splash screens come up. Is there a way to eliminate them?

>

Guest Vera Noest [MVP]

Guest Vera Noest [MVP]

Posted
Posted

Re: 2008 Questions

 

OK, now I understand what you want.

I would strongly advice against using a single shared user account

for multiple users (=persons). You will encounter corruption of the

user profile, irratic changes in settings, printers, etc. Search

this newsgroup for "shared account" and you'll find a variety of

problems caused by such a setup.

 

And it's not going to give you any advantages either, assuming that

all users already have a personal unique user account in the

domain. You still have to use NTFS permissions and a restrictive

GPO to lock the server down, and that job is no different when

locking down for a single account or all user accounts in a

security group.

 

Here's a good starting point for locking down a TS:

 

Locking Down Windows Server 2003 Terminal Server Sessions

http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdo

wn.mspx

 

324036 - HOW TO: Use Software Restriction Policies in Windows

Server 2003

http://support.microsoft.com/?kbid=324036

 

and then use:

 

816100 - How To Prevent Domain Group Policies from Applying to

Administrator Accounts and Selected Users in Windows Server 2003

http://support.microsoft.com/?kbid=816100

 

to prevent locking down administrators.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 29 apr

2008 in microsoft.public.windows.terminal_services:

> Let me re-phrase. I want my terminal server locked down so users

> can't poke around the server, surf the internet, that kind of

> thing. There are 3 different applications that they could run. I

> want users to auto login using a specific user name but I want

> to be able to remote in as myself for administration.

>

> "Vera Noest [MVP]" wrote:

>

>> No. You wrote that you wanted the ".. server locked down so

>> that only the app can be run".

>> If your users need to run more than a single application, you

>> don't define a starting application.

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 28

>> apr 2008 in microsoft.public.windows.terminal_services:

>>

>> > Will this prevent the taskbar from showing? There are other

>> > potential apps the users might be using and we want them to

>> > be able to see the taskbar.

>> >

>> > "Vera Noest [MVP]" wrote:

>> >

>> >> Define the application as the starting application in a

>> >> Group Policy, configure loopback processing of the GPO, and

>> >> then make sure that Administrators are not affected by the

>> >> application, by using security filtering.

>> >>

>> >> User Computer Configuration - Administrative templates -

>> >> Windows Components - Terminal Services

>> >> "Start a program on connection"

>> >>

>> >> Computer Configuration - Administrative Templates - System -

>> >> Group Policy

>> >> "User Group Policy loopback processing mode" - "Replace"

>> >>

>> >> 231287 - Loopback Processing of Group Policy

>> >> http://support.microsoft.com/?kbid=231287

>> >>

>> >> 816100 - How To Prevent Domain Group Policies from Applying

>> >> to Administrator Accounts and Selected Users in Windows

>> >> Server 2003 http://support.microsoft.com/?kbid=816100

>> >> _________________________________________________________

>> >> Vera Noest

>> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> TS troubleshooting: http://ts.veranoest.net

>> >> ___ please respond in newsgroup, NOT by private email ___

>> >>

>> >> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 28

>> >> apr 2008 in microsoft.public.windows.terminal_services:

>> >>

>> >> > I have a couple of questions:

>> >> >

>> >> > 1. I would like to set up an auto login link for terminal

>> >> > services. I have an app that I want to run but have the

>> >> > server locked down so that only the app can be run. I know

>> >> > I can set it up in TS Configuration but it prevents me

>> >> > from logging in under my own credentials for admin

>> >> > purposes. Is there another way I can set it up? I've also

>> >> > tried saving the credentials in the link but it doesn't

>> >> > stick. I would love to use RemoteApp but it just isn't

>> >> > feasible at this time.

>> >> >

>> >> > 2. When logging in with the restricted user, the various

>> >> > 2008 splash screens come up. Is there a way to eliminate

>> >> > them?

Guest Rob

Guest Rob

Posted
Posted

Re: 2008 Questions

 

I'm not worried about the user profile. I have it locked down to where you

click on teh start button and the only thing that shows is Log Off. I've

disabled the right-click feature. Nobody will be printing. We want the

single share user account because we don't want muliple profiles.

 

Our users are not tech savvy at all. We want the auto login so no one gets

confused or does anything they shouldn't.

 

"Vera Noest [MVP]" wrote:

> OK, now I understand what you want.

> I would strongly advice against using a single shared user account

> for multiple users (=persons). You will encounter corruption of the

> user profile, irratic changes in settings, printers, etc. Search

> this newsgroup for "shared account" and you'll find a variety of

> problems caused by such a setup.

>

> And it's not going to give you any advantages either, assuming that

> all users already have a personal unique user account in the

> domain. You still have to use NTFS permissions and a restrictive

> GPO to lock the server down, and that job is no different when

> locking down for a single account or all user accounts in a

> security group.

>

> Here's a good starting point for locking down a TS:

>

> Locking Down Windows Server 2003 Terminal Server Sessions

> http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdo

> wn.mspx

>

> 324036 - HOW TO: Use Software Restriction Policies in Windows

> Server 2003

> http://support.microsoft.com/?kbid=324036

>

> and then use:

>

> 816100 - How To Prevent Domain Group Policies from Applying to

> Administrator Accounts and Selected Users in Windows Server 2003

> http://support.microsoft.com/?kbid=816100

>

> to prevent locking down administrators.

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 29 apr

> 2008 in microsoft.public.windows.terminal_services:

>

> > Let me re-phrase. I want my terminal server locked down so users

> > can't poke around the server, surf the internet, that kind of

> > thing. There are 3 different applications that they could run. I

> > want users to auto login using a specific user name but I want

> > to be able to remote in as myself for administration.

> >

> > "Vera Noest [MVP]" wrote:

> >

> >> No. You wrote that you wanted the ".. server locked down so

> >> that only the app can be run".

> >> If your users need to run more than a single application, you

> >> don't define a starting application.

> >> _________________________________________________________

> >> Vera Noest

> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> TS troubleshooting: http://ts.veranoest.net

> >> ___ please respond in newsgroup, NOT by private email ___

> >>

> >> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 28

> >> apr 2008 in microsoft.public.windows.terminal_services:

> >>

> >> > Will this prevent the taskbar from showing? There are other

> >> > potential apps the users might be using and we want them to

> >> > be able to see the taskbar.

> >> >

> >> > "Vera Noest [MVP]" wrote:

> >> >

> >> >> Define the application as the starting application in a

> >> >> Group Policy, configure loopback processing of the GPO, and

> >> >> then make sure that Administrators are not affected by the

> >> >> application, by using security filtering.

> >> >>

> >> >> User Computer Configuration - Administrative templates -

> >> >> Windows Components - Terminal Services

> >> >> "Start a program on connection"

> >> >>

> >> >> Computer Configuration - Administrative Templates - System -

> >> >> Group Policy

> >> >> "User Group Policy loopback processing mode" - "Replace"

> >> >>

> >> >> 231287 - Loopback Processing of Group Policy

> >> >> http://support.microsoft.com/?kbid=231287

> >> >>

> >> >> 816100 - How To Prevent Domain Group Policies from Applying

> >> >> to Administrator Accounts and Selected Users in Windows

> >> >> Server 2003 http://support.microsoft.com/?kbid=816100

> >> >> _________________________________________________________

> >> >> Vera Noest

> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> >> TS troubleshooting: http://ts.veranoest.net

> >> >> ___ please respond in newsgroup, NOT by private email ___

> >> >>

> >> >> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 28

> >> >> apr 2008 in microsoft.public.windows.terminal_services:

> >> >>

> >> >> > I have a couple of questions:

> >> >> >

> >> >> > 1. I would like to set up an auto login link for terminal

> >> >> > services. I have an app that I want to run but have the

> >> >> > server locked down so that only the app can be run. I know

> >> >> > I can set it up in TS Configuration but it prevents me

> >> >> > from logging in under my own credentials for admin

> >> >> > purposes. Is there another way I can set it up? I've also

> >> >> > tried saving the credentials in the link but it doesn't

> >> >> > stick. I would love to use RemoteApp but it just isn't

> >> >> > feasible at this time.

> >> >> >

> >> >> > 2. When logging in with the restricted user, the various

> >> >> > 2008 splash screens come up. Is there a way to eliminate

> >> >> > them?

>

Guest Vera Noest [MVP]

Guest Vera Noest [MVP]

Posted
Posted

Re: 2008 Questions

 

Nonetheless, the profile *will* be corrupted, unless you make it

read-only ( = mandatory).

 

I do not know of a method to enforce logon to the TS with a pre-

defined user account, other than in Terminal Services

Configuration. And that will apply to Administrators as well.

 

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 29 apr

2008 in microsoft.public.windows.terminal_services:

> I'm not worried about the user profile. I have it locked down to

> where you click on teh start button and the only thing that

> shows is Log Off. I've disabled the right-click feature. Nobody

> will be printing. We want the single share user account because

> we don't want muliple profiles.

>

> Our users are not tech savvy at all. We want the auto login so

> no one gets confused or does anything they shouldn't.

>

> "Vera Noest [MVP]" wrote:

>

>> OK, now I understand what you want.

>> I would strongly advice against using a single shared user

>> account for multiple users (=persons). You will encounter

>> corruption of the user profile, irratic changes in settings,

>> printers, etc. Search this newsgroup for "shared account" and

>> you'll find a variety of problems caused by such a setup.

>>

>> And it's not going to give you any advantages either, assuming

>> that all users already have a personal unique user account in

>> the domain. You still have to use NTFS permissions and a

>> restrictive GPO to lock the server down, and that job is no

>> different when locking down for a single account or all user

>> accounts in a security group.

>>

>> Here's a good starting point for locking down a TS:

>>

>> Locking Down Windows Server 2003 Terminal Server Sessions

>> http://www.microsoft.com/windowsserver2003/techinfo/overview/loc

>> kdo wn.mspx

>>

>> 324036 - HOW TO: Use Software Restriction Policies in Windows

>> Server 2003

>> http://support.microsoft.com/?kbid=324036

>>

>> and then use:

>>

>> 816100 - How To Prevent Domain Group Policies from Applying to

>> Administrator Accounts and Selected Users in Windows Server

>> 2003 http://support.microsoft.com/?kbid=816100

>>

>> to prevent locking down administrators.

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 29

>> apr 2008 in microsoft.public.windows.terminal_services:

>>

>> > Let me re-phrase. I want my terminal server locked down so

>> > users can't poke around the server, surf the internet, that

>> > kind of thing. There are 3 different applications that they

>> > could run. I want users to auto login using a specific user

>> > name but I want to be able to remote in as myself for

>> > administration.

>> >

>> > "Vera Noest [MVP]" wrote:

>> >

>> >> No. You wrote that you wanted the ".. server locked down so

>> >> that only the app can be run".

>> >> If your users need to run more than a single application,

>> >> you don't define a starting application.

>> >> _________________________________________________________

>> >> Vera Noest

>> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> TS troubleshooting: http://ts.veranoest.net

>> >> ___ please respond in newsgroup, NOT by private email ___

>> >>

>> >> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 28

>> >> apr 2008 in microsoft.public.windows.terminal_services:

>> >>

>> >> > Will this prevent the taskbar from showing? There are

>> >> > other potential apps the users might be using and we want

>> >> > them to be able to see the taskbar.

>> >> >

>> >> > "Vera Noest [MVP]" wrote:

>> >> >

>> >> >> Define the application as the starting application in a

>> >> >> Group Policy, configure loopback processing of the GPO,

>> >> >> and then make sure that Administrators are not affected

>> >> >> by the application, by using security filtering.

>> >> >>

>> >> >> User Computer Configuration - Administrative templates -

>> >> >> Windows Components - Terminal Services

>> >> >> "Start a program on connection"

>> >> >>

>> >> >> Computer Configuration - Administrative Templates -

>> >> >> System - Group Policy

>> >> >> "User Group Policy loopback processing mode" - "Replace"

>> >> >>

>> >> >> 231287 - Loopback Processing of Group Policy

>> >> >> http://support.microsoft.com/?kbid=231287

>> >> >>

>> >> >> 816100 - How To Prevent Domain Group Policies from

>> >> >> Applying to Administrator Accounts and Selected Users in

>> >> >> Windows Server 2003

>> >> >> http://support.microsoft.com/?kbid=816100

>> >> >> _________________________________________________________

>> >> >> Vera Noest

>> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> >> TS troubleshooting: http://ts.veranoest.net

>> >> >> ___ please respond in newsgroup, NOT by private email ___

>> >> >>

>> >> >> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on

>> >> >> 28 apr 2008 in

>> >> >> microsoft.public.windows.terminal_services:

>> >> >>

>> >> >> > I have a couple of questions:

>> >> >> >

>> >> >> > 1. I would like to set up an auto login link for

>> >> >> > terminal services. I have an app that I want to run but

>> >> >> > have the server locked down so that only the app can be

>> >> >> > run. I know I can set it up in TS Configuration but it

>> >> >> > prevents me from logging in under my own credentials

>> >> >> > for admin purposes. Is there another way I can set it

>> >> >> > up? I've also tried saving the credentials in the link

>> >> >> > but it doesn't stick. I would love to use RemoteApp but

>> >> >> > it just isn't feasible at this time.

>> >> >> >

>> >> >> > 2. When logging in with the restricted user, the

>> >> >> > various 2008 splash screens come up. Is there a way to

>> >> >> > eliminate them?

Guest Rob

Guest Rob

Posted
Posted

Re: 2008 Questions

 

Rats!

 

Thanks for your help. I'll just have to figure something else out.

 

"Vera Noest [MVP]" wrote:

> Nonetheless, the profile *will* be corrupted, unless you make it

> read-only ( = mandatory).

>

> I do not know of a method to enforce logon to the TS with a pre-

> defined user account, other than in Terminal Services

> Configuration. And that will apply to Administrators as well.

>

>

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 29 apr

> 2008 in microsoft.public.windows.terminal_services:

>

> > I'm not worried about the user profile. I have it locked down to

> > where you click on teh start button and the only thing that

> > shows is Log Off. I've disabled the right-click feature. Nobody

> > will be printing. We want the single share user account because

> > we don't want muliple profiles.

> >

> > Our users are not tech savvy at all. We want the auto login so

> > no one gets confused or does anything they shouldn't.

> >

> > "Vera Noest [MVP]" wrote:

> >

> >> OK, now I understand what you want.

> >> I would strongly advice against using a single shared user

> >> account for multiple users (=persons). You will encounter

> >> corruption of the user profile, irratic changes in settings,

> >> printers, etc. Search this newsgroup for "shared account" and

> >> you'll find a variety of problems caused by such a setup.

> >>

> >> And it's not going to give you any advantages either, assuming

> >> that all users already have a personal unique user account in

> >> the domain. You still have to use NTFS permissions and a

> >> restrictive GPO to lock the server down, and that job is no

> >> different when locking down for a single account or all user

> >> accounts in a security group.

> >>

> >> Here's a good starting point for locking down a TS:

> >>

> >> Locking Down Windows Server 2003 Terminal Server Sessions

> >> http://www.microsoft.com/windowsserver2003/techinfo/overview/loc

> >> kdo wn.mspx

> >>

> >> 324036 - HOW TO: Use Software Restriction Policies in Windows

> >> Server 2003

> >> http://support.microsoft.com/?kbid=324036

> >>

> >> and then use:

> >>

> >> 816100 - How To Prevent Domain Group Policies from Applying to

> >> Administrator Accounts and Selected Users in Windows Server

> >> 2003 http://support.microsoft.com/?kbid=816100

> >>

> >> to prevent locking down administrators.

> >> _________________________________________________________

> >> Vera Noest

> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> TS troubleshooting: http://ts.veranoest.net

> >> ___ please respond in newsgroup, NOT by private email ___

> >>

> >> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 29

> >> apr 2008 in microsoft.public.windows.terminal_services:

> >>

> >> > Let me re-phrase. I want my terminal server locked down so

> >> > users can't poke around the server, surf the internet, that

> >> > kind of thing. There are 3 different applications that they

> >> > could run. I want users to auto login using a specific user

> >> > name but I want to be able to remote in as myself for

> >> > administration.

> >> >

> >> > "Vera Noest [MVP]" wrote:

> >> >

> >> >> No. You wrote that you wanted the ".. server locked down so

> >> >> that only the app can be run".

> >> >> If your users need to run more than a single application,

> >> >> you don't define a starting application.

> >> >> _________________________________________________________

> >> >> Vera Noest

> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> >> TS troubleshooting: http://ts.veranoest.net

> >> >> ___ please respond in newsgroup, NOT by private email ___

> >> >>

> >> >> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 28

> >> >> apr 2008 in microsoft.public.windows.terminal_services:

> >> >>

> >> >> > Will this prevent the taskbar from showing? There are

> >> >> > other potential apps the users might be using and we want

> >> >> > them to be able to see the taskbar.

> >> >> >

> >> >> > "Vera Noest [MVP]" wrote:

> >> >> >

> >> >> >> Define the application as the starting application in a

> >> >> >> Group Policy, configure loopback processing of the GPO,

> >> >> >> and then make sure that Administrators are not affected

> >> >> >> by the application, by using security filtering.

> >> >> >>

> >> >> >> User Computer Configuration - Administrative templates -

> >> >> >> Windows Components - Terminal Services

> >> >> >> "Start a program on connection"

> >> >> >>

> >> >> >> Computer Configuration - Administrative Templates -

> >> >> >> System - Group Policy

> >> >> >> "User Group Policy loopback processing mode" - "Replace"

> >> >> >>

> >> >> >> 231287 - Loopback Processing of Group Policy

> >> >> >> http://support.microsoft.com/?kbid=231287

> >> >> >>

> >> >> >> 816100 - How To Prevent Domain Group Policies from

> >> >> >> Applying to Administrator Accounts and Selected Users in

> >> >> >> Windows Server 2003

> >> >> >> http://support.microsoft.com/?kbid=816100

> >> >> >> _________________________________________________________

> >> >> >> Vera Noest

> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> >> >> TS troubleshooting: http://ts.veranoest.net

> >> >> >> ___ please respond in newsgroup, NOT by private email ___

> >> >> >>

> >> >> >> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on

> >> >> >> 28 apr 2008 in

> >> >> >> microsoft.public.windows.terminal_services:

> >> >> >>

> >> >> >> > I have a couple of questions:

> >> >> >> >

> >> >> >> > 1. I would like to set up an auto login link for

> >> >> >> > terminal services. I have an app that I want to run but

> >> >> >> > have the server locked down so that only the app can be

> >> >> >> > run. I know I can set it up in TS Configuration but it

> >> >> >> > prevents me from logging in under my own credentials

> >> >> >> > for admin purposes. Is there another way I can set it

> >> >> >> > up? I've also tried saving the credentials in the link

> >> >> >> > but it doesn't stick. I would love to use RemoteApp but

> >> >> >> > it just isn't feasible at this time.

> >> >> >> >

> >> >> >> > 2. When logging in with the restricted user, the

> >> >> >> > various 2008 splash screens come up. Is there a way to

> >> >> >> > eliminate them?

>

 Share
Go to topic listing
×
×
  • Create New...