Setting RDP for one application on WS2003

hconant
hconant used Ask the Experts™
on
I have a WS2003 which I have used RDP for administrative access basically as a web server.  I have been the only user accessing this server so I had full RD amin access.  Now I would like to use this server as a Terminal Services server for my company Quickbooks Pro application and need book keepers to access the application, but not any other areas of the server.  So I need to setup RD clients that will have restricted access only to the Quickbooks application and associated data files.  Step by step help would be appreciated.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
By default, WIndows 2003 server is only setup for RDP for administration. If you want to turn into an application server, you would have to install Terminal Service, and license those.
To you can check these two links for step by step on installing Terminal Services on Windows 2003 Server

http://www.windowsnetworking.com/articles_tutorials/Windows_2003_Terminal_Services_Part1.html
http://www.windowsnetworking.com/articles_tutorials/Windows_2003_Terminal_Services_Part2.html

Hope this helps,

Author

Commented:
I actually had gotten through most of that.  What I am getting stuck on is assigning a particular users permissions that upon RDP login perhaps an autoexec.bat will start, or some other process,  and they are greeted with the applications login (in this case QuickBooks), and nothing else.
Michael OrtegaSales & Systems Engineer

Commented:
After you install Terminal Services you'll want to setup a security group for the restricted users and add them to the local Remote Desktop Users group on the Terminal Server. You do not want to add them to the local Administrators group. Further restrictions you should manage through Group Policy, e.g. disable access to windows explorer, control panel, etc.

MO
Microsoft Azure 2017

Azure has a changed a lot since it was originally introduce by adding new services and features. Do you know everything you need to about Azure? This course will teach you about the Azure App Service, monitoring and application insights, DevOps, and Team Services.

Michael OrtegaSales & Systems Engineer

Commented:
You can create a custom RDP connection as well as the recommendations I made above and add the Quickbooks executable to the RDP connection. This will basically immediately launch QB in the session and nothing else. I recommend that you also enable a session timeout/disconnect/reset policy on the Terminal Server so that the sessions don't get hung up endlessly after a user disconnects.

MO
Michael OrtegaSales & Systems Engineer
Commented:
START | RUN | mstsc

Click on Options
Click on Programs tab
Enter the local path on the terminal server to the quickbooks executable
Click back on the General tab
Save As
and save to the users' desktop

MO
Ok .. so I believe what you're wanting to do is assign different permissions in Terminal Services.
This is actually going to be a result of a bunch of changes that you make.

This is going to depend on whether Quickbooks will actually run for users who have, for instance, user privileges on the server.
If they do, then you can add them to the "Users" group, and give them explicit permissions for any place that they need write access to. By default, users have access only to their own profile.

In addition to that, and if you want to limit their experience, I usually implement a GPO, and scope it to the users who will be logging in to the terminal server. Aside from the regular settings that you would usually assign to allow Terminal Services access, I would setup user configuration restrictions, as well as Computer configuration restrictions to the user. So now, you'd be able to make it as tight as relaxed as you want.

One thing to remember, if your users have access to other computers in the domain, you want to make sure that these extra tight policies won't apply to them when they login to their own workstation. For this, make sure you use the Loopback processing policy / Merge mode...
What this will do, is when the user logs in to their own workstation, then their computer and user policies will apply, but when they login to the terminal server, then their user policies will apply, in addition to the Terminal Server computer configuration policie, and the user configuration policy, merged with their own OU's user configuration policy.  (if you choose "Replace" mode, then their own OU's user configuration will completely be ignored, and the terminal server's user configuration will apply only).

This is just a general guide. You can find some additional information about Loopback Processing policy here:
http://support.microsoft.com/kb/231287 

As for launching quickbooks, you can add this to their login script, either by placing that script in your \\dc\netlogon\login.vbs, and adding it to the login script field under "profile" in their AD. OR, you can add it within that group policy (I would personally go with this one in this case), in the User/Policies/Windows Settings/Scripts (Logon/Logoff).

There are as many tweaks for lockdown that you can perform as your mind can come up with solutions. You can go as far as replacing the Explorer shell with another one, and make the terminal service session run in Kiosk mode if need be... .
Mgortega... I think that's a great idea, but if a user really wants to,  can't they establish a connection to the server without the execution of the local path and gain access to the server?

Perhaps, your solution, in conjunction with GPO restrictions would be ideal ?
Michael OrtegaSales & Systems Engineer

Commented:
Let me clarify that with the custom RDP connection, QB will launch in the explorer shell and the user will have no access to anything else, e.g. desktop icons, start menu, etc. If they were to close out of QB they would have nothing but a blank screen. For the average user this would appear real secure. For someone who knows what they are doing and wanted to get access of disrupt things could still get access to the shell, and thats why I recommend that you still make sure to create restrictive GPO's and apply them to the TS and/or Users in question. The custom RDP connections just makes the experience to the user and those administering the system real clean and easy to use.

MO
Michael OrtegaSales & Systems Engineer

Commented:
gkhairallah, that's why in my comment that you read through I said "You can create a custom RDP connection as well as the recommendations I made above ...". The comment previous to that one mentioned hardening access on the Terminal Server for those users through Group Policy.

MO
I think our comments crossed paths ... I posted mine before seeing your follow up  
Thanks for the clarification ...  :)

Author

Commented:
Let me explain further.  The goal is actually eliminating our small 5 user LAN which we use for some file sharing, Quickbooks, and Exchange.  Our small company not longer needs the overhead of maintaining the LAN and connection speeds and technology of remote access appears we can do this all remotely.  So, we have a dedicated remote server which have configured for our web sites, and now would like to setup our Quickbooks and backup files.  So there will be NO attached clients.  All access will be remote.  So the office worker who used to only do accounting, now will access QB through RDP and will not need access to anything else.  So there is not concern about cross permission conflicts or anything of the sort.  I suppose simply setting up the QB app on the users desktop would suffice, it just seemed cleaner, and I have seen it done, to have the app launch directly from the RDP login.  But maybe I am complicating it too much.
Michael OrtegaSales & Systems Engineer

Commented:
Actually you simply reposted what I said originally gkhairallah. Check my original comment and then the comment I made right after that. I originally said restrict through group policy and then I mentioned to create a custom RDP connection on the users' system to keep the session clean.

MO
I don't know too much about quickbooks. but, I believe what you can do, given the correct version of quickbooks, is setup a quickbooks server, where the database will reside, then install a local client version on the user workstations, then, through a VPN connection, or something equivalent, have them open the database remotely on the server via their locally installed client.

The fact that there are no attached clients, as you mentioned, is related to the use of Quickbooks. However, if you do have a local domain controller on site (if the machines are joined to a domain), you still have to deal with figuring out the application and inheritance of group policies in the instance of local login vs. terminal services login.

If quickbooks is at the right version, I think this will be your simplest solution, and don't worry about figuring out Terminal Services.
Michael OrtegaSales & Systems Engineer

Commented:
Ummm. hconant, did you miss my comments and specific instructions on setting up a custom remote desktop connection so that the QB app launchs directly? What your asking for is exactly what I explained how to do.

MO
That's really weird mgortega.. for some reason your first two comments just showed up on my thread, for a while there, I had only seen your suggestion of changing the setting in mstsc. It's either that, or I may very well have inadvertently overlooked it...   it's all good  .. :)
Michael OrtegaSales & Systems Engineer

Commented:
hconant, contrary to what gkhairallah just mentioned DON'T install a local client and try to access the QB company file over a slow internet link. Unless your server is behind an internet connection with a 100Mbps upload and your remote user has the same download bandwidth the experience is going to be horrible. Opening QB might take 30 minutes. Saving changes, etc. will likely take the same amoutn of time.

Just use the custom RDP connection like I explained above. That will do exactly what you're asking for.

MO

Author

Commented:
I was gong to say I got them, but they are all crossing each other as they are arriving quite rapidly.  I tried setting up the QB remote file server all day today only to find it way too slow.  So RDP it is, if it is to be at all.  I think with the info I have from above I should be able to get this going.

Author

Commented:
Thanks for the help guys

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial