Limited remote desktop access to user on Windows Server 2003


I have a desktop application installed on a server running Windows Server 2003. This is a standard account software - MYOB and is meant to be used on a single desktop.

I would like it to be accessible on a different computer within the network that runs Windows XP. I'm wondering if I can create a user account for remote desktop so that a person can log in using MSTSC and have access only to the given application and nothing else on the server. The user should not be able to see other apps or folders that they don't have access to and should not be able to make any configuration changes to the server.

Is this possible?

The problem with this idea is that if MYOB isn't configured for multiple user access, if multiple remote desktop connections access it at the same time, you might scramble your data.  I suspect this is possible by figuring out where MYOB and data directories are installed and giving Read and Execute rights to these directories to the remote desktop user.  There are some rights that come with the remote users group, but you should be able to limit them so that they can't browse around your server.
Hypercat (Deb) Commented:
In addition to what Paka said, if you want to use the application in terminal server mode, you would have to:
1.  Configure and license the server as a terminal server.  By default, servers are only licensed for remote administration over a remote desktop connection and the user would have to log on with administrative permissions.
2.  You would most likely have to uninstall and reinstall the application so that it is configured and installed properly for use in a terminal server environment.
3.  Also, if there is going to be more than one user using the application at a time, as Paka said, you would have to license the app for multiple concurrent users.
anuragc (Author) Commented:
Thanks Paka and hypercat,

Both your comments helped me resolve my issue.

I have installed the terminal server role and terminal services licensing server. A given user can now log in and based on folder permissions only has access to the MYOB data files and nothing else on the data drive. The intention is not to have multiple users using an app - just one user using it remotely from a thin client.

The user does have access to all currently installed applications on the server though. I'm assuming any new applications I install as administrator (and these are server apps for admin reasons, not user apps) - I will somehow have the ability to only have these visible and accessible to the admin.

Any further thoughts and tips for this will be appreciated, otherwise I'll close this question.

Hypercat (Deb) Commented:
Just make sure you have locked down user permissions on the terminal server.  Look at the group policies and terminal server configuration settings.  Group policies are at:
Computer Configuration/Administrative Templates/Windows Components/Terminal Services
User Configuration/Administrative Templates/Windows Components/Terminal Services
In the Terminal Server Configuration console, be sure you have set the Permissions Compatibility to Full Security if possible.  You can also control access of course with NTFS permissions, and move any icons for sensitive programs out of the All Users profile and into your administrator profile so that the user can't see them.  He/she wouldn't be able to run them anyway, but it's of course better if they can't even see them.
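One way to check the NTFS lockdown discussed in this thread, as an added example that is not part of any participant's post: the script parses ACL listings in the format printed by `icacls <folder>` and reports every entry that still gives the restricted user, directly or through a broad group, access outside the MYOB folder. The server name `SRV01`, the account `myobuser`, the `D:\` paths and the listings themselves are constructed samples, and the availability of `icacls` on the server is an assumption.

```python
import re

# Groups an ordinary terminal-server user belongs to (assumed list; adjust as needed).
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users",
         "builtin\\remote desktop users"}
INHERIT = {"OI", "CI", "IO", "NP", "I"}  # inheritance flags, not access rights

def parse_icacls(path, text):
    """Yield (principal, rights, is_deny) for each ACE in `icacls <path>` output."""
    for n, line in enumerate(text.strip().splitlines()):
        if n == 0 and line.startswith(path):
            line = line[len(path):]        # first ACE shares its line with the path
        m = re.match(r"^(.+?):((?:\([^)]*\))+)$", line.strip())
        if not m:
            continue                        # blank line or trailing status line
        flags = re.findall(r"\(([^)]*)\)", m.group(2))
        rights = [f for f in flags if f not in INHERIT and f != "DENY"]
        yield m.group(1), ",".join(rights), "DENY" in flags

def exposure(dumps, user, allowed_roots):
    """Return allow-ACEs that reach `user` on folders outside allowed_roots."""
    roots = [r.lower().rstrip("\\") for r in allowed_roots]
    hits = []
    for path, text in dumps.items():
        p = path.lower().rstrip("\\")
        if any(p == r or p.startswith(r + "\\") for r in roots):
            continue                        # access here is intended
        for who, rights, deny in parse_icacls(path, text):
            if not deny and rights and who.lower() in BROAD | {user.lower()}:
                hits.append((path, who, rights))
    return hits

# Constructed sample listings, one per folder on the data drive.
SAMPLE = {
    r"D:\MYOB": r"""D:\MYOB BUILTIN\Administrators:(OI)(CI)(F)
        SRV01\myobuser:(OI)(CI)(M)""",
    r"D:\Backups": r"""D:\Backups BUILTIN\Administrators:(OI)(CI)(F)
           BUILTIN\Users:(I)(OI)(CI)(RX)""",
    r"D:\AdminTools": r"""D:\AdminTools BUILTIN\Administrators:(OI)(CI)(F)
              SRV01\myobuser:(DENY)(OI)(CI)(F)
Successfully processed 1 files; Failed processing 0 files""",
}

if __name__ == "__main__":
    for path, who, rights in exposure(SAMPLE, r"SRV01\myobuser", [r"D:\MYOB"]):
        print(f"{path}: {who} still has ({rights})")
```

In the sample, `D:\Backups` is reported because the inherited `BUILTIN\Users` entry reaches the restricted account even though the account itself is not named on that folder.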