Re: Restrict to 1 program



No, you can't apply GPOs to the local policy.
You can link a GPO to a site, or a domain, or an OU, and it will be
applied to the objects in that site, domain, or OU (in that order).
GPOs defined this way will always override the local policy (which
comes last in the hierarchy). So the local policy settings will
only be effective in the absence of a GPO (or a setting of
"Undefined" in the GPO).

Yes, you can connect with mstsc /console and the initial program
will not run. Just tested with notepad.exe as initial program
defined in the Environment tab of tscc.msc, and it doesn't run in
the console session, but does in all normal sessions.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Joe Letter" <nojunk@xxxxxxxxxx> wrote on 07 jan 2008 in
microsoft.public.windows.terminal_services:

Vera,
Wow, great. Thanks for the info. I will look into learning more
about GPOs. I think I read somewhere on my last Google search
that you can just apply a GPO to the local security policy on a
TS server... I might look back at that. Thanks again for all
the advice.

If I were to try to change these settings remotely (GPO changes
maybe too) and I lock myself out, I can always do a mstsc
-v:servername /console to get in, right?

Thanks a ton!
-Joe.


"Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message
news:Xns9A1BE08D3752Averanoesthemutforsse@xxxxxxxxxxxxxxxx
1. Yes.
2. Depends on to which OU you link the GPO. You would link this
GPO to the OU which contains the TS account, so that it would
only apply to the TS. But let's forget about GPOs for now.
3. Sure. On the Terminal Server, go to Start menu -
Administrative tools - Terminal Server Configuration -
double-click rdp-tcp connection - it's in one of the tabs
there, I believe it's called session settings, but can't check
at the moment. The disadvantage with doing it on the server
itself is that it will apply to everyone, and that includes
Administrators. With GPO's you can use security filtering to
only apply such settings to specific user groups. The only way
for you as Administrator to connect to the server and not run
the starting application is when you connect to the console
session, with mstsc /console. But that leaves you with just one
session. If that gets disconnected and you can't reconnect,
you're out of luck.
4. Try to find some time to read up on GPO's! It will save you
time in the long run, and you will be able to do things that
you can't do properly in any other way.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Joe Letter" <nojunk@xxxxxxxxxx> wrote on 04 jan 2008 in
microsoft.public.windows.terminal_services:

Thanks for your help.

I have a few followup questions:

1. Will this have the effect of only 1 program opening and TS
automatically quitting if they close that app?
2. Will this apply to the domain or just the one server? I
would want it to apply to just the one server.
3. If I didn't want to use a group policy, is there another
way? I just am not very familiar with GPs.

Thanks again a million,
joe


"Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message
news:Xns9A1592839F598veranoesthemutforsse@xxxxxxxxxxxxxxxx
You can define the Starting Application in several ways.
Easiest is to do this in a Group Policy. You'll find the
setting here:

User Configuration - Administrative templates - Windows
Components - Terminal Services
"Start a program on connection"

Since this is a User Configuration setting, you'll also need
to configure loopback processing of the GPO:

Computer Configuration - Administrative Templates - System -
Group Policy
"User Group Policy loopback processing mode" - "Replace"

And then use security filtering of the GPO to make sure that
it doesn't apply to Administrators:

816100 - How To Prevent Domain Group Policies from Applying
to Administrator Accounts and Selected Users in Windows
Server 2003
http://support.microsoft.com/?kbid=816100
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Joe Letter" <nojunk@xxxxxxxxxx> wrote on 29 dec 2007 in
microsoft.public.windows.terminal_services:

Hello,
I have a win2k3 server set up as a terminal server. I have one
application I would like the users to have access to. I've
heard that it is possible to restrict TS so that an
application starts automatically when the users log in. They
only have access to that program during the session and if
they close the program, the TS session ends. How can
this be done? Is there something step-by-step I could
follow? Also, how can this be done so that I can still log in
remotely with the admin account and not have this
restriction on my account?


Thanks much!
Joe.
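
Added example, not part of the newsgroup thread: a PowerShell check to run inside a session on the Terminal Server, showing whether the "Start a program on connection" and loopback settings discussed above reached the logged-on account, and whether an administrator was caught by them. The registry locations are the standard Administrative Template targets for those two policies (the thread does not list them), and it assumes the exempted accounts are local Administrators on the server.

```powershell
# Added example: run inside a session on the Terminal Server.
# Registry locations are the standard Administrative Template targets for the
# two policies named in the thread; the thread itself does not list them.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns nothing when the key or value is absent ("Not configured").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-StartProgramPolicy {
    $tsKey = 'HKCU:\Software\Policies\Microsoft\Windows NT\Terminal Services'
    $gpKey = 'HKLM:\Software\Policies\Microsoft\Windows\System'

    # "User Group Policy loopback processing mode": 1 = Merge, 2 = Replace
    $mode = Get-PolicyValue $gpKey 'UserPolicyMode'
    if     ($mode -eq 2) { $loopback = 'Replace' }
    elseif ($mode -eq 1) { $loopback = 'Merge' }
    else                 { $loopback = 'Not configured' }

    # "Start a program on connection" (User Configuration, so it lands in HKCU)
    $program = Get-PolicyValue $tsKey 'InitialProgram'

    # Assumption: the accounts exempted by security filtering are members of
    # the server's local Administrators group. IsInRole reflects the current token.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    if ($isAdmin -and $program) {
        $finding = 'Administrator is restricted: security filtering is not excluding this account'
    } elseif (-not $isAdmin -and -not $program) {
        $finding = 'User is unrestricted: check GPO link, loopback mode and filtering'
    } else {
        $finding = 'As intended'
    }

    New-Object PSObject -Property @{
        User = $id.Name; IsAdministrator = $isAdmin; Loopback = $loopback
        InitialProgram = $program; Finding = $finding
    }
}

Test-StartProgramPolicy | Format-List
```

Run it once as an ordinary TS user and once as an administrator before relying on the restriction; the first should report the starting program, the second should not.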