Re: How to launch program only for certain group
- From: "Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 29 Jan 2007 12:26:50 -0800
You *can* actually create a local policy on a standalone TS and
exclude the Administrator from applying it.
Thanks to TP, who took the trouble to write down all the steps:
From: "TP" <tperson.knowspamn@xxxxxxxxxxxxxxx>
Subject: Re: local policy and terminal server
Date: Wed, 8 Nov 2006 16:59:42 -0500
Newsgroups: microsoft.public.windows.terminal_services
Here are the instructions for a standalone 2003 server:
INITIAL SETUP
This should be done before attempting any changes to
Group Policy settings.
1. Logon as an administrator
2. Open up Computer Management from Administrative
Tools
3. Create a new local group named "GP Editors"
4. Create a new local user named "gpedit". Assign user
a password, and check password never expires. Make
this user a member of the GP Editors group.
5. Open up windows explorer and browse to the following
folder (make sure that view hidden files is enabled):
C:\WINDOWS\system32\GroupPolicy
6. Right-click on the GroupPolicy folder and choose Properties
7. On the Security tab, click the Advanced button
8. Click the Add button, enter GP Editors in the Select User or
Group dialog, and click OK
9. Check Full Control under the Allow column, and click OK
10. Check "Replace permission entries on all child objects with
entries shown here that apply to child objects"
11. Click the Apply button and confirm Yes twice.
12. On the Owner tab, click the Other Users and Groups button,
enter GP Editors, and click OK.
13. Check "Replace owner on subcontainers and objects"
14. Make sure GP Editors is selected in the Change Owner to list.
15. Click the OK button to change the owner, click OK to close
the GroupPolicy Properties
16. Within the GroupPolicy folder, right-click on the Machine
folder, and choose Properties
17. On the Security tab, select Administrators on the top, and
check Full Control under the Deny column
18. Click OK to save the Deny permission you just made, confirm
by answering Yes twice
19. Within the GroupPolicy folder, right-click on the User folder,
and choose Properties
20. On the Security tab, select Administrators on the top, and
check Full Control under the Deny column
21. Click OK to save the Deny permission you just made, confirm
by answering Yes twice
22. Within the GroupPolicy folder, right-click on the gpt.ini file,
and choose Properties
23. On the Security tab, select Administrators on the top, and
check Full Control under the Deny column
24. Click OK to save the Deny permission you just made, confirm
by answering Yes twice
25. Right-click on the desktop and choose New-->Shortcut
26. Enter the following in the location box:
runas /user:gpedit "%windir%\system32\mmc gpedit.msc"
27. Click Next, and enter Edit Group Policy for the name
28. Click Finish
MODIFYING GROUP POLICY SETTINGS
1. Logon using the account you used for the initial setup
2. Double-click on the Edit Group Policy shortcut
3. Enter the password for the gpedit account
4. Edit the policies as needed
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
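As an added check that is not part of Vera's or TP's post: a read-only PowerShell script that reads back the ACLs TP's INITIAL SETUP steps are meant to leave on the local GroupPolicy folder and reports whether each target matches. It assumes the group name GP Editors from step 3 and the default %windir%, and it should be run under the gpedit account (for example via runas /user:gpedit powershell.exe), because the Deny entries from steps 17-24 also stop an Administrator from reading those ACLs, which the script reports as UNREADABLE.

```powershell
# Added example, not from the thread. Read-only audit of the ACLs that TP's
# INITIAL SETUP steps should leave behind. Assumes the group "GP Editors"
# (step 3) and the default %windir%; run it under the gpedit account.
$Full = [System.Security.AccessControl.FileSystemRights]::FullControl
$gp   = Join-Path $env:windir 'System32\GroupPolicy'

# Path -> expectation. AllowFull: GP Editors owns it and has Full Control
# (steps 9-15). DenyAdmins: Administrators has Deny Full Control (17-24).
$targets = @(
    @{ Path = $gp;                        Expect = 'AllowFull'  }
    @{ Path = (Join-Path $gp 'Machine');  Expect = 'DenyAdmins' }
    @{ Path = (Join-Path $gp 'User');     Expect = 'DenyAdmins' }
    @{ Path = (Join-Path $gp 'gpt.ini');  Expect = 'DenyAdmins' }
)

# True when some ACE of the given type carries Full Control for the identity.
function Test-Ace {
    param($Acl, [string]$IdentityPattern, [string]$Type)
    [bool]($Acl.Access | Where-Object {
        $_.IdentityReference.Value -like $IdentityPattern -and
        $_.AccessControlType -eq $Type -and
        ($_.FileSystemRights -band $Full) -eq $Full })
}

function Test-GpAcl {
    param([string]$Path, [string]$Expect)
    if (-not (Test-Path -LiteralPath $Path)) { $result = 'MISSING' }
    else {
        try   { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
        catch { $acl = $null }   # Deny on Administrators blocks READ_CONTROL
        if ($null -eq $acl) { $result = 'UNREADABLE' }
        elseif ($Expect -eq 'AllowFull') {
            $ok = ($acl.Owner -like '*\GP Editors') -and
                  (Test-Ace $acl '*\GP Editors' 'Allow')
            $result = if ($ok) { 'OK' } else { 'FAIL' }
        }
        else {
            $ok = Test-Ace $acl 'BUILTIN\Administrators' 'Deny'
            $result = if ($ok) { 'OK' } else { 'FAIL' }
        }
    }
    New-Object PSObject -Property @{ Path = $Path; Check = $Expect; Result = $result }
}

$targets | ForEach-Object { Test-GpAcl -Path $_.Path -Expect $_.Expect } |
    Format-Table Path, Check, Result -AutoSize
```

Any row other than OK means the corresponding step did not take effect (or the audit was run as an Administrator, which shows as UNREADABLE on the three denied targets).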
"Justin Brown - SYNACS" <jcbrown@xxxxxxxxx> wrote on 29 jan 2007
in microsoft.public.windows.terminal_services:
Since you don't have Active Directory to help, how about adding
the shortcut to "%allusersprofile%\Start Menu\Programs\Startup"
and then edit the shortcut Properties -> Security tab changing
the permissions to allow "Read and Execute" for only the group
you want. It's imperfect, but might just work.
A) It applies to all sessions, not just TS. Shouldn't be a
problem though if your TS users login *only* via TS.
B) Server would attempt to execute the shortcut on every user
logon, and (after properly adjusting the "Read and Execute"
permission) would fail to load the shortcut for non-members of
that group. Just make sure to remove permission inheritance on
the shortcut, and then uncheck Read and Execute for
Administrator and other accounts.
Maybe?
On Jan 29, 10:54 am, "C17" <c...@xxxxxxxxxxxxxxxx> wrote:
Thanks for the responses everyone!
(1) This particular TS server is not within an AD domain, so
GPMC doesn't apply unfortunately. Seems like a great tool.
(2) I tried putting IfMember into a batch file, as follows:
==================
@REM Launch MyProgram except if the user is a member of Administrators
@"c:\Program Files\Resource Kit\ifmember.exe" Administrators
@REM Notice that the syntax here is the opposite to normal in that
@REM %ERRORLEVEL% = 1 = Success (the user IS a member of the group).
@REM With most other commands %ERRORLEVEL% = 1 = Fail/Error
@if errorlevel 1 GOTO DONE
"c:\program files\MyProgram\MyProgram.exe"
:DONE
==================
I then designate this batch file to run by using the Group Policy
Editor on the TS Server:
User Configuration/Admin Templates/Windows
Components/Terminal Services,
policy "Start a program on connection".
Problem is, TS will terminate the session right after the batch
file runs -- which, in the case of the Administrator,
terminates the session right away (instead of dumping the user
to the desktop)! I guess I should have foreseen this; obvious
in hindsight.
(3) I think I can now sharpen the issue. The TS group policy
to "start a program on connection" has two very desirable
behaviors (in my situation anyway):
a) It does not let the user get to the TS desktop and do
random stuff
b) When the user exits the program, the TS session terminates
automatically
BUT, it seems that (without GPMC), you can't customize these TS
policies by group.
On the other hand, if I just use a standard logon script to
launch my desired program for some users, I don't get (a) and
(b) above.
I thank you for your suggestions so far, and I wonder if you
have any more!
C17
"C17" <c...@xxxxxxxxxxxxxxxx> wrote in
message news:1Zvuh.427$M9.118@xxxxxxxxxxxxxxx
Hi all,
Windows 2003 Server TS question. I would like to configure TS
to launch a certain program automatically for all users in a
certain group, but NOT if the administrator (or other
non-group members) connect. I can't figure out how to
accomplish this, can some kind soul point the way?
Thanks!
C17