Limiting RDP access to one program and a directory in Server 2008 Enterprise

We are currently running a Windows 2008 Enterprise Domain Controller.

We are wanting to establish a user profile that will limit a username to opening one QuickBooks file and having access to one directory for uploading and downloading.

We are wanting to have the user log in through RDP and either of these scenarios to happen:

Scenario 1:
    User logs in
    QuickBooks launches and opens the company file
    User sees QB open and asking for a password (because QB asks for it)
    User only has access to this one program & file with no other options except the following
    User has 1 directory "only" on their desktop that they can save and retrieve files from
    User has permissions to use local PC peripherals for printing

Scenario 2:
    User logs in
    Their desktop opens and all they see is a QB company file
    They have permission to open that file and run QuickBooks
    They also see a directory
    They have access to that directory to read, save, delete, and retrieve

I have created users and set up the AD environment to automatically open the file. Symptom: the user logs in and sees the desktop; no program runs. I would prefer Scenario 1, but Scenario 2 would be a good second option.

Thank you for any help/direction you can give for this issue.

chris_martin62 Commented:
I think the best way to set it up is like I said at first for your QB users. You will never get to the desktop, so you don't have to worry about them accessing anything else. If you are going to have more than two users you need to have Terminal Services set up on the server, which is going to require licenses. Either way you do this you need the licenses, unless all your users use one username.

If you already have RDP set up on the server, just test it with your Admin account: just add the path in the Programs tab. It would be something like C:\Program Files\Quickbooks\Quickbooks.exe; that's just an example.

What should happen is, when you log into the machine with that, a blank desktop comes up and then the program opens. Users should not have a Start menu or anything.
For Scenario 1, I have done this before; all you have to do is configure Remote Desktop on the user's side.

On the Programs tab, just enter the path with the .exe for the program to start, and what folder you want it to start in if needed.

Oh, forgot to tell you: you have to run the server as a terminal server and you will need the license for it.

shaw71 (Author) Commented:

Any way to demo this before purchasing the license? I thought terminal server would work for 1 user.

Also, how do I limit the access for only that program/company file and directory?

Sajid Shaik M (Sr. System Admin) Commented:
If what you want is to enable access to this program only, you can change the Interface file name to be another program in place of Explorer for the desktop.

This will start this program when the user logs on to the server, and when he closes the program the RDP session will end too.

The better way is to do this by GPO for users that log on to Terminal Services at the domain level, and deny Apply Policy to the Domain Admins group to allow admins to log on to the server normally, but you can do this with Local Policy.

You can configure it in Local Computer Policy:

1. Click Start, and then click Run.
2. In the Open box, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in.
4. Click Add.
5. Under Available Stand-alone Snap-ins, click Group Policy, and then click Add.
6. If you do not want to edit the Local Computer policy, click Browse to locate the group policy object that you want. Supply your user name and password if prompted, and then when you return to the Select Group Policy Object dialog box, click Finish.


Use the following config:

User Configuration
Administrative Templates
Policy: Custom user interface
Setting: Enabled
Interface file name (for example, Explorer.exe): "C:\Program.exe"

If you are only using it with one person then yes, you could do that and use it as an administration terminal server.
shaw71 (Author) Commented:
I have uploaded an image of what we are trying to do, to bring clarification. It is a JPG attached.

We are wanting to control access and what they view via the server, not the local RDP connection.


shaw71 (Author) Commented:
I have terminal server set up. Will try that. The only other concern I have is that the user should have access to 1 directory along with their file. Will test and get back.
serchlop Commented:
You can restrict access to local drives with GPO, or hide drives.

In a GPO: User Configuration > Administrative Templates > Windows Components > Windows Explorer > Prevent access to drives from My Computer
or Hide these specified drives.

Then you can configure a home folder for the user in the Terminal Services Profile tab:
AD Users and Computers > User Properties > Terminal Services Profile tab > Terminal Services Home folder. Set any of these options to allow a user to access/view this folder.
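The custom shell and drive-restriction policies from the two answers above are easy to get subtly wrong (a shell path that does not exist, or a hidden drive that happens to hold the home folder). This PowerShell audit is an added example, not code from the thread: it reads the registry values those two policies write (Shell under Policies\System; NoDrives and NoViewOnDrive under Policies\Explorer) and reports anything that would break the locked-down session. The home folder path is an assumption; $PolicyRoot defaults to the current user's hive, and an admin can instead point it at the user's loaded hive.

```powershell
# Added example, not from the thread: audit whether the lockdown described above
# is in effect. An admin can pass the user's loaded hive as $PolicyRoot,
# e.g. 'Registry::HKEY_USERS\<SID>' (placeholder), instead of the default HKCU.
param([string]$PolicyRoot = 'HKCU:',
      [string]$HomeFolder = 'D:\QBHome\qbuser')   # assumed TS home folder
$PolSystem   = "$PolicyRoot\Software\Microsoft\Windows\CurrentVersion\Policies\System"
$PolExplorer = "$PolicyRoot\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Bitmask used by "Hide these specified drives" (NoDrives) and
# "Prevent access to drives from My Computer" (NoViewOnDrive):
# bit 0 = A:, bit 1 = B:, bit 2 = C:, ... bit 25 = Z:
function Get-DriveMask {
    param([string[]]$Letters)
    $mask = 0
    foreach ($l in $Letters) {
        $c = $l.ToUpper()[0]
        $mask = $mask -bor [int][math]::Pow(2, ([int][char]$c - [int][char]'A'))
    }
    return $mask
}
function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name } else { return $null }
}
function Test-RestrictedSession {
    $problems = @()
    # Custom user interface: the Shell value must name an existing executable
    $shell = Get-PolicyValue $PolSystem 'Shell'
    if (-not $shell) {
        $problems += 'Custom user interface not set: user gets the full Explorer desktop'
    } else {
        $exe = $shell -replace '^"?([^"]+?\.exe).*$', '$1'
        if (-not (Test-Path $exe)) { $problems += "Shell names a missing program: $shell" }
    }
    # Drive restrictions must leave the drive holding the home folder visible
    $homeDrive = $HomeFolder.Substring(0, 1)
    $homeBit   = Get-DriveMask $homeDrive
    foreach ($name in 'NoDrives', 'NoViewOnDrive') {
        $mask = Get-PolicyValue $PolExplorer $name
        if ($mask -and ($mask -band $homeBit)) {
            $problems += "$name hides drive ${homeDrive}: which holds the home folder"
        }
    }
    if (-not (Test-Path $HomeFolder)) { $problems += "Home folder missing: $HomeFolder" }
    return $problems
}
Test-RestrictedSession   # empty output means every check passed
```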
serchlop Commented:
Another option, if you use only one file per user, is to add the filename as a parameter. You can view in the registry how the application opens a file extension when you double-click a file, then use this as a parameter with the app.


Excel.exe sheet.xls

In this way the user doesn't need to browse a folder.
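The registry lookup the answer above describes, as an added example that is not part of the thread: it resolves an extension to its ProgId under HKEY_CLASSES_ROOT, reads the shell\open\command template, and splits it into the program path and argument string that the Terminal Services "Starting program" setting (or the RDP client's Programs tab) takes. The company file path is an assumption.

```powershell
# Added example, not from the thread: derive "program + file argument" from the
# file association, the way double-clicking the file would launch it.
function Get-OpenCommand {
    param([string]$Extension)                       # e.g. '.xls' or '.qbw'
    $extKey = "Registry::HKEY_CLASSES_ROOT\$Extension"
    $progId = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { return $null }
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    return (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
}

function Build-StartCommand {
    param([string]$File)
    $template = Get-OpenCommand ([IO.Path]::GetExtension($File))
    if (-not $template) { throw "No 'open' verb registered for $File" }
    # Templates look like  "C:\...\EXCEL.EXE" /e "%1"  ; split program from arguments
    if ($template -match '^"([^"]+)"\s*(.*)$') {
        $exe = $Matches[1]; $arguments = $Matches[2]
    } else {
        $exe, $arguments = $template -split '\s+', 2
    }
    if (-not (Test-Path $exe)) { throw "Program not installed: $exe" }
    # Substitute the file for %1 (quoted, so paths with spaces survive)
    if ($arguments -match '%1') {
        $arguments = $arguments -replace '"?%1"?', ('"' + $File + '"')
    } else {
        $arguments = ($arguments + ' "' + $File + '"').Trim()
    }
    return @{ Program = $exe; Arguments = $arguments }
}

$cmd = Build-StartCommand 'D:\QBHome\qbuser\Company.qbw'   # assumed file path
"Starting program: $($cmd.Program)  Arguments: $($cmd.Arguments)"
```

Paste the resulting program path and arguments into the same field the answers above use for the startup program; the user still needs read/write permission on the file itself.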