hmcnasty asked:

Another Terminal server question

If a user is logged on to TS is there a way to keep them from logging off to the regular desktop without a password? It seems as though the person could just disconnect the session whenever he or she wanted to.

rgonser

You could use group policy to "remove the log off" as well as "remove shutdown button" feature for these users and then whenever you need to log them off, use the runas command to run the shutdown command administratively.
Brian

This solution is only available to members of Experts Exchange.

hmcnasty


That's a great document.  I think what I am really trying to do is make it so that when a particular user logs on to a machine the machine goes directly to TS instead of logging on to the machine first then going to TS from Remote desktop.  Is this possible?

Yes, you could lock that machine down so that the only icon they see on the desktop is the Remote Desktop connection.  That document should talk about that.  If not, I would do a search for locking down a desktop with group policy on Google.

Or stick your RDP connection in the startup folder and on load away you go... Remember though, there will always be ways for the user to log off the session: shortcuts, Task Manager on the local machine, etc.
Jay Jay
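
Added example, not part of any post above: a PowerShell check, run inside the restricted user's session, that reports whether the lockdown settings mentioned in this thread (log off, shut down, Task Manager) are actually in effect. The registry value names are the ones these Administrative Templates policies are understood to write under the user's Policies key; the function and variable names are made up for this example.

```powershell
# Added example: audit the current user's policy-backed registry values for the
# lockdown settings discussed above. Read-only; it changes nothing.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Policy name -> registry key and value (assumed mapping, 1 = restriction enabled)
$checks = @(
    @{ Policy = 'Remove Logoff on the Start Menu'; Key = $explorer; Value = 'StartMenuLogOff' },
    @{ Policy = 'Remove Logoff (Ctrl+Alt+Del)';    Key = $explorer; Value = 'NoLogoff' },
    @{ Policy = 'Remove Shut Down command';        Key = $explorer; Value = 'NoClose' },
    @{ Policy = 'Remove Task Manager';             Key = $system;   Value = 'DisableTaskMgr' }
)

function Test-LockdownSetting {
    param([hashtable]$Check)

    # A missing key or value means the policy has not been applied to this user.
    $item = Get-ItemProperty -Path $Check.Key -Name $Check.Value -ErrorAction SilentlyContinue
    $data = $null
    if ($item) { $data = $item.($Check.Value) }

    New-Object PSObject -Property @{
        Policy   = $Check.Policy
        Value    = $Check.Value
        Data     = $data
        Enforced = ($data -eq 1)
    }
}

$results = $checks | ForEach-Object { Test-LockdownSetting $_ }
$results | Select-Object Policy, Value, Data, Enforced | Format-Table -AutoSize

# List every restriction that is not in effect for this account.
$gaps = @($results | Where-Object { -not $_.Enforced })
if ($gaps.Count -gt 0) {
    Write-Warning ("Not enforced for {0}: {1}" -f $env:USERNAME,
        (($gaps | ForEach-Object { $_.Policy }) -join '; '))
} else {
    Write-Output "All checked lockdown settings are enforced for $env:USERNAME."
}
```

Run it after the policy has refreshed; any row with Enforced = False is a path back to the local desktop that the policy does not yet cover.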

I need a way so that when I log on to the machine using the Member account it goes right to TS.  Kinda like roaming profiles.  If the kids log off TS and it logs out of the machine that's fine.  I just don't want them to log off and get to the regular XP desktop.  Do you know what I mean?  I hope I'm explaining it correctly.

I know exactly what you mean :) but I am dubious as to its availability - at least, I haven't ever seen it done, but maybe one of the others has.

An idea from "out in left field":
Rather than using the standard Remote Desktop Client, perhaps consider using the Remote Desktop Web Connection, and then configure the PC, using Group Policy and Internet Explorer, to force IE to use Kiosk Mode. Kiosk mode is often used to limit user access to the local system on kiosks in malls and such locations. You will need to lock it down further with Group Policy, but there are lots of articles on the web to assist you with doing this. Then you would have the system boot to Internet Explorer and use the Terminal Server's logon as the home page.

Another thought, though it requires new hardware, is to use Thin Clients, rather than PCs. They are specifically designed to do exactly what you want, only allow TS access to the remote system. Greatly reduces maintenance and initial hardware purchase costs. A couple of available systems:

I think I'm going to go ahead and just lock down the desktops.  Do you think I should lock them down per machine policy or through the domain policy?  I haven't done this before so I don't want to mess it up.

Thank you for everyone's help.

This solution is only available to members of Experts Exchange.

OK...Let me make sure I get this.

The users I want to lock down are "members".  These are the kids that will be using TS.  

Do I....
add these members to a group.
open the MMC.
open the group policy editor.
add the group
use the administrative templates
lock down the desktops

Your policy is applied to an OU, not a group.

Right click on the OU, Properties, Group Policy.

I see...

Do I have to write these myself?  I don't see anything that resembles policies for a desktop.   I was looking for something like the group policy editor in XP.

It's all there, mate, exactly the same as local policies. Just create a new one and edit from there.

If you don't already have it, the free Microsoft Group Policy Management Console makes it easier to view, edit, and create policies: