Re: Terminal Services Kiosk

comments inline

=?Utf-8?B?Ri4gRGF2aWQgZGVsIENhbXBvIEhpbGw=?=
<FDaviddelCampoHill@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 21 aug
2007 in microsoft.public.windows.terminal_services:

Jeff,

Your going to have a difficult time at best to lockdown the TS
box so they can't do anything. It's quite possible but
difficult. There are way to many settings to list them off one
by one on how to lock down a server. You can start by using
this (remember you can many of these through local policy as
well):

No, the locked-down account is the Active Directory account in
the desktops, not the local accounts in the TS server. I want
them not to be able to do anything in the desktops apart from
running the RD session;

So you want to turn your clients into software thin clients, is
that correct? Patrick Rouse lists a number of solutions for that,
like SimplyRDP and others:
http://www.sessioncomputing.com/thin-clients.htm

in the TS server they can do what they want: its theirs.

If taken literally, I think that you will notice that this will
render the TS unusable in a short period of time. Even if you don't
lock it down to the full extend, you will still need to limit
users' ability to install software, printer drivers and so on.

Why are you trying to replace the shell?
As I explained, I need an account that will open RD the
moment it logs in and will only show RD on the full screen;
since this is similar to what people do for Internet Explorer
kiosks, I thought to do it similarly. Is there a better way?
yes again, a locked down environment using GPO.

But how? Which GPOs stop users from being able to start other
programs or kill the RD session? Specifics please.

Software Restriction Policies would do this. Only allow mstsc.exe,
restrict all other executables.

No problem at all, you give them the log out button on the
locked down desktop.

No, there is no explorer running: so there will be no local Log
Out button for them to press, no Start menu... no nothing save
the RD session.

In short, I am trying to allow users to use their Windows
desktop as a thin client for a TS server by logging in to a
certain account.
I'm not sure you understand how GPO's work. they can be
applied based on users. So one user logs in to the workstation
they get one set of settings, another user logs in they get
another set.

I know, but what I am looking for is for someone to tell me
which GPOs can be used to stop a user from running anything but
an executable of my choosing, and how to make the termination of
that executable force a log out on the user's session.

Can't help you with the logout problem, I'm afraid. And how are you
going to handle Ctrl-Alt-Del?
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
.