Re: Restrict to 1 program



No, I would *not* apply the policy to the whole domain.
Create a separate OU, called something like TermServers, move the
Terminal Server computer account in this OU and link the policy to
this OU.

Then follow the steps from my first post.
You have to make it a User Configuration setting, because you
cannot filter Computer Configuration settings by user group. Those
settings are applied to the TS, irrespective of who logs on, at
boot time of the server.

And because it is a User setting, you *must* use loopback
processing.

The effect of loopback processing isn't so hard to understand.
With normal policy processing, when a user logs on to a computer
(workstation, or TS), 2 policies are applied: the Computer
Configuration settings from the GPO linked to OU where the computer
is located and the User Configuration settings from the OU where
the user account is located.
So without loopback processing, you would have to define the
starting application in a GPO linked to the Users OU. But then it
would attempt to start even when they logon to the workstation, and
failing to do that, they would be logged off again.

To change this normal way of policy processing, you use the
loopback setting. It simply tells the system to apply both the
Computer and the User Configuration settings from the GPO which is
linked to the OU which contains the computer account (the TS
account), irrespective of where the user account is located. That's
the only way to make sure that the GPO is applied to all users of
the TS, and *only* when they logon to the TS.

When you are in the GPeditor, don't forget to check the "Explain"
tab for every setting that you would like to configure. It contains
very useful information about what happens when you configure a
setting.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
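
The difference between normal and loopback processing described in the reply above, as a simplified model (an added example, not part of the original post). OU, group and program names are constructed, OU inheritance is left out, and only the Deny side of security filtering is modelled.

```python
# Simplified model of Group Policy user-setting resolution (added example).
# OU, GPO, group and program names are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    linked_ou: str
    computer: dict = field(default_factory=dict)  # Computer Configuration
    user: dict = field(default_factory=dict)      # User Configuration
    deny_apply: frozenset = frozenset()           # groups denied "Apply Group Policy"

def user_settings(gpos, ou, groups):
    """Merge User Configuration from GPOs linked to `ou`, honouring security filtering."""
    result = {}
    for g in gpos:
        if g.linked_ou == ou and not (g.deny_apply & groups):
            result.update(g.user)
    return result

def resultant_user_policy(gpos, user_ou, groups, computer_ou):
    """User settings a user receives when logging on to a computer in `computer_ou`."""
    # Computer Configuration applies at boot regardless of who logs on,
    # so the loopback mode is read without any user-group filtering.
    mode = None
    for g in gpos:
        if g.linked_ou == computer_ou:
            mode = g.computer.get("loopback", mode)
    if mode == "Replace":  # only GPOs linked to the computer's OU count
        return user_settings(gpos, computer_ou, groups)
    result = user_settings(gpos, user_ou, groups)  # normal processing
    if mode == "Merge":  # computer's OU is applied last and wins conflicts
        result.update(user_settings(gpos, computer_ou, groups))
    return result

START = {"Start a program on connection": "app.exe"}
# Design from the thread: GPO linked to the TermServers OU, loopback Replace,
# administrators excluded by security filtering.
LOOPBACK = [GPO("TS lockdown", "TermServers", {"loopback": "Replace"}, START,
                frozenset({"Domain Admins"}))]
# The alternative the reply warns about: the same user setting linked to the Users OU.
NO_LOOPBACK = [GPO("TS lockdown", "Users", {}, START)]

def scenario(gpos, groups, computer_ou):
    """Resultant user settings for an account in the Users OU."""
    return resultant_user_policy(gpos, "Users", frozenset(groups), computer_ou)
```

Calling `scenario(NO_LOOPBACK, {"Domain Users"}, "Workstations")` returns the starting program even on a workstation, which is the logoff problem the reply describes; with `LOOPBACK` the setting appears only for logons to a computer in the TermServers OU.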

"Joe Letter" <nojunk@xxxxxxxxxx> wrote on 09 jan 2008 in
microsoft.public.windows.terminal_services:

Vera,
Thanks for being patient with me. I've spent some time researching
gpo's and am getting to understand them better. Thanks for the
info.

So, now my question is: Can I create the policy, apply it to the
entire domain, set the filtering to
include termserver and authenticated users, then under
delegation check deny for apply policy for domain admins? Do I
need to set the policy change in the computer configuration or
the user configuration, or both? When do I know to set it in
computer or user? Can I just set it in both if I am in doubt?
I know you mentioned loopbacking in the first email to me.. that
concept is still foreign at this point to me.. can I get around
using it?

Thanks!
Joe.



"Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message
news:Xns9A1EDB4A77433veranoesthemutforsse@xxxxxxxxxxxxxxxx
No, you can't apply GPOs to the local policy.
You can link a GPO to a site, or a domain, or an OU, and it
will be applied to the objects in that site, domain, or OU (in
that order). GPOs defined this way will always override the
local policy (which comes last in the hierarchy). So the local
policy settings will only be effective in the absence of a GPO
(or a setting of "Undefined" in the GPO).

Yes, you can connect with mstsc /console and the initial
program will not run. Just tested with notepad.exe as initial
program defined in the Environment tab of tscc.msc, and it
doesn't run in the console session, but does in all normal
sessions.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Joe Letter" <nojunk@xxxxxxxxxx> wrote on 07 jan 2008 in
microsoft.public.windows.terminal_services:

Vera,
Wow, great. Thanks for the info. I will look into learning more
about gpo's. I think I read somewhere on my last google
search that you can just apply a gpo to the local security
policy on a ts server... I might look back at that. Thanks
again for all the advice.

If I were to try to change these settings remotely (gpo changes
maybe too) and I lock myself out, I can always do a mstsc
-v:servername /console to get in right?

Thanks a ton!
-Joe.


"Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message
news:Xns9A1BE08D3752Averanoesthemutforsse@xxxxxxxxxxxxxxxx
1. Yes.
2. Depends on to which OU you link the GPO. You would link
this GPO to the OU which contains the TS account, so that it
would only apply to the TS. But let's forget about GPOs for
now.
3. Sure. On the Terminal Server, go to Start menu -
Administrative tools - Terminal Server Configuration -
double-click rdp-tcp connection - it's in one of the tabs
there, I believe it's called session settings, but can't
check at the moment. The disadvantage with doing it on the
server itself is that it will apply to everyone, and that
includes Administrators. With GPO's you can use security
filtering to only apply such settings to specific user
groups. The only way for you as Administrator to connect to
the server and not run the starting application is when you
connect to the console session, with mstsc /console. But that
leaves you with just one session. If that gets disconnected
and you can't reconnect, you're out of luck.
4. Try to find
some time to read up on GPO's! It will save you time in the
long run, and you will be able to do things that you can't do
properly in any other way.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Joe Letter" <nojunk@xxxxxxxxxx> wrote on 04 jan 2008 in
microsoft.public.windows.terminal_services:

Thanks for your help.

I have a few followup questions:

1. Will this have the effect of only 1 program opening and
ts automatically quitting if they close that app?
2. Will this apply to the domain or just the one server? I
would want it to apply to just the one server.
3. If I didn't want to use a group policy, is there another
way? I just am not very familiar with GP's

Thanks again a million,
joe


"Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message
news:Xns9A1592839F598veranoesthemutforsse@xxxxxxxxxxxxxxxx
You can define the Starting Application in several ways.
Easiest is to do this in a Group Policy. You'll find the
setting here:

User Configuration - Administrative templates - Windows
Components - Terminal Services
"Start a program on connection"

Since this is a User Configuration setting, you'll also
need to configure loopback processing of the GPO:

Computer Configuration - Administrative Templates - System
- Group Policy
"User Group Policy loopback processing mode" - "Replace"

And then use security filtering of the GPO to make sure
that it doesn't apply to Administrators:

816100 - How To Prevent Domain Group Policies from Applying
to Administrator Accounts and Selected Users in Windows
Server 2003 http://support.microsoft.com/?kbid=816100
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Joe Letter" <nojunk@xxxxxxxxxx> wrote on 29 dec 2007 in
microsoft.public.windows.terminal_services:

Hello,
I have a win2k3 server set up as a terminal server. I have one
application I would like the users to have access to.
I've heard that it is possible to restrict TS so that an
application starts automatically when the users login.
They only have access to that program during the session
and if they close the program, the TS session ends.
How can this be done? Is there something step-by-step I
could follow? Also, how can this be done so that I can
still login remotely with the admin account and not have
this restriction on my account.


Thanks much!
Joe.