Terminal Server 2003 - Restrict Desktop Access

Posted on 2006-05-11
Last Modified: 2009-05-28
I want to restrict a specific group of terminal services users to one application on the desktop and prevent them from accessing the network neighborhood on the machine.  How would I go about applying these restrictions?

Question by:ehilder1
    LVL 3

    Expert Comment

    You can cause the program to be launched when they log onto the machine.  Then when they exit the program, it will log them off (or at least that is how it worked in 2k terminal services, don't have a 2k3 TS server).

    This can be done in Active Directory Users and Computers on the Environment tab (starting Program).
    LVL 3

    Accepted Solution

    LVL 7

    Assisted Solution

    That won't solve the problem if there is any option to open files locally from the application used...pretty much anything that allows any sort of explorer.exe action via office applications or otherwise.

    *read all the way through this post.....

    I have a terminal server setup that basically disallows access to anything that I haven't explicitly given permission to - network places being one of them.  I don't remember exactly which policy within GPO it is, however you should start with the term server lockdown guide.  Some combination within it will give you exactly what you are looking for:
    might be the "prevent access to drives from my computer" option with "no 'computers near me' in my network places" and "no 'entire network' in my network places"....

    And actually as I'm writing this I see an option for "remove my network place icon from start menu" as well as "hide my network places icon on desktop".

    I'm not going to delete the beginning of this post however because those are all probably options you should set.
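
An added example, not part of the post above: a PowerShell check, run inside a session of a test account from the restricted group, that reports whether the Explorer restrictions named in the post are actually in effect for that user. The registry value names are assumptions taken from the stock system.adm template, and the function name is hypothetical; confirm both against your own server.

```powershell
# Added example (not from the thread). These are per-user policies, so the
# values live under HKCU of the account being tested.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'

# Policy names as quoted in the post; value names assumed from system.adm.
$checks = @(
    @{ Policy = 'Prevent access to drives from My Computer';     Key = 'Explorer'; Value = 'NoViewOnDrive' },
    @{ Policy = 'No Computers Near Me in My Network Places';     Key = 'Explorer'; Value = 'NoComputersNearMe' },
    @{ Policy = 'No Entire Network in My Network Places';        Key = 'Network';  Value = 'NoEntireNetwork' },
    @{ Policy = 'Remove My Network Places icon from Start Menu'; Key = 'Explorer'; Value = 'NoStartMenuNetworkPlaces' },
    @{ Policy = 'Hide My Network Places icon on desktop';        Key = 'Explorer'; Value = 'NoNetHood' }
)

function Get-LockdownState {
    param($Base, $Checks)
    foreach ($c in $Checks) {
        $path = Join-Path $Base $c.Key
        # A missing key or value means the policy was never applied to this user.
        $prop = Get-ItemProperty -Path $path -Name $c.Value -ErrorAction SilentlyContinue
        $data = if ($prop) { $prop.($c.Value) } else { $null }
        # NoViewOnDrive is a drive-letter bitmask: any non-zero value restricts
        # at least one drive, so review the Data column for that row.
        $state = if ($null -eq $data) { 'NOT SET' } elseif ($data -eq 0) { 'DISABLED' } else { 'ENABLED' }
        New-Object PSObject -Property @{
            Policy = $c.Policy; Value = $c.Value; Data = $data; State = $state
        }
    }
}

$results = @(Get-LockdownState -Base $base -Checks $checks)
$results | Select-Object Policy, Value, Data, State | Format-Table -AutoSize

# Flag every restriction that is not in effect for the account under test.
$results | Where-Object { $_.State -ne 'ENABLED' } | ForEach-Object {
    Write-Warning ("Not enforced for this user: " + $_.Policy)
}
```

A row showing NOT SET usually means the GPO is not linked or filtered to that user, which `gpresult` run in the same session can confirm.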

    LVL 74

    Assisted Solution

    by:Jeffrey Kane - TechSoEasy
    There is a new protocol in Server 2003 SP1 and R2 which will HIDE any drive, folder, or file that a user does not have permission to access.  It's pretty cool and makes a lot of sense for something like this.  It's called Access Based Enumeration and is a free downloadable add-on to Server 2003:

    That used in addition to specifying the specific program in the User's Environment settings should do the trick.  However you may want to review the Terminal Server Lockdown Best Practices as well:


    Expert Comment

    You do it through group policy. Here is a step by step guide to apply a locked down group policy on a terminal server:
