Windows 7 - lock down local computer to RDP only

I have a Windows 2003 domain with 2008 RDS servers and Windows 7 clients. What alternatives are there so that the Windows 7 workstations only allow users to run the TS client - in other words prevent users from getting access to the local system?
lineonecorpAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

footechCommented:
Try setting Group Policy under Computer Configuration | Windows Settings | Security Settings | Local Polices | User Rights Assignment.  Set "Deny log on locally" to Domain Users, and "Allow log on through Remote Desktop Services" to Domain Users.  You could change the groups to suit your needs.  Note that if you set "Deny log on locally" to Domain Users, this will apply to Domain Admins as well, and this setting has priority over "Allow log on locally".  Local users should still be able to log on though.
0
lineonecorpAuthor Commented:
Thanks for this. However as far as your note about local users, there should be none -  I don't want anybody logging onto the PC to have access to the local system whether they are Domain Users or not. What should happen is that anybody other than the Domain Admin/local admin who  turns the computer on will only see an RDP client icon and that's all they will be able to access on the system.
0
footechCommented:
OK, scratch my last post.  I think I misunderstood your requirements.

What you're looking for is similar to how a RDS is locked down for users that access it remotely.  I'm not quite sure about the best way to approach this when talking about desktops.  Maybe using remote mandatory profiles but there might be too many hurdles to overcome depending on how many exceptions there are for when you want it to be used/applied.  The other way is through the use of a customized default profile that you will need to create on all the Win7 desktops through the use of sysprep (which you can configure to copy the Administrator's profile to be the default).

In either case you will then need to use Group Policy to lock down the workstations (I can't tell you all of the settings) to remove access to drives, deny access to context menus on the desktop and taskbar, remove elements from the start menu, etc.  I think you would have to use loopback policy processing to apply many of these user GP settings only on specific machines (i.e. the desktops), so that they don't apply to your RD sessions.  Sounds similar to a thin client scenario, but I've never used these, so I can't say how these are set up.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
lineonecorpAuthor Commented:
Thanks for the additional inpu. I  wouldn't mind some more detailed information from someone who has tried this so I will close this question and post again.
0
footechCommented:
Thanks for the points.  Keep in mind that if you need additional input you can also use the Request Attention button.

Best of luck.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.