Windows 7 RDS workstation - restrict to RDS only

I am looking for a means of locking down Windows 7 workstations in a 2008 R2 RDS environment so that the only thing users can do is run the RDP client on it. What should happen is that when anybody turns the computer on is that at the end of the boot process they find themselves looking at an RDP client 'enter your login name' prompt. The users should have no access to the local system - only an administrator would be able to access any of the local resources. How would I go about doing this?
lineonecorpAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

yo_beeDirector of Information TechnologyCommented:
I just did a search on the internet and found this link.
I have not tried this, so I would stand up a test OU with some test objects in it.

http://jaredheinrichs.com/how-to-turn-a-windows-7-pc-into-a-kiosk.html
yo_beeDirector of Information TechnologyCommented:
You will also probably  want to have RDP start-up at logon as well as placing the shortcut to RDP on the desktop as well.

The startup folder  is %systemdrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

User's desktop is %userprofile%\desktop
yo_beeDirector of Information TechnologyCommented:
For testing you can also try using RD WEB.
if you have this bat file placed in the start up folder listed above this might give you one more layer of lockdown.

iexplore.exe -k "URL"

example iexplore.exe -k  "https://InternalRDService/RDWEB"

You might want to remove the ability for standard users from using Ctrl + Alt + Del as well
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Radhakrishnan RSenior Technical LeadCommented:
Hi,

Better suggestion would be ask the users to log off the machine once they finished as this is a default behavior for some security reasons. If the current user doesn't log off the current session and shutdown the machine, it will act as the machine is locked and will look for the latest authentication and it says locked and only admin privileged users can unlock it.
lineonecorpAuthor Commented:
Thanks for all the tips.

 yo_bee:

Yo write:

"For testing you can also try using RD WEB.
if you have this bat file placed in the start up folder listed above this might give you one more layer of lockdown.

iexplore.exe -k "URL"

example iexplore.exe -k  "https://InternalRDService/RDWEB"

**** Why would this be one extra layer of lockdown?

You might want to remove the ability for standard users from using Ctrl + Alt + Del as well

**** How? Group Policy?

++++
 radhakrishnan2007:
You write:
Better suggestion would be ask the users to log off the machine once they finished as this is a default behavior for some security reasons. If the current user doesn't log off the current session and shutdown the machine, it will act as the machine is locked and will look for the latest authentication and it says locked and only admin privileged users can unlock it.

**** How would I implement this?
yo_beeDirector of Information TechnologyCommented:
Note this suggestion is to leverage Remote Desktop Web.  This is another feature that is not enabled by default when adding Remote Desktop Services Role.  You may need to go back to Roles and add this.


**** Why would this be one extra layer of lockdown? ****
By running this you are setting the webpage to a full screen (like pressing F11), but the users will not be able to exit the full screen mode.
By doing this you removing the user's ability to navigate out to another area of the computer.

**** How? Group Policy?
The reason for this part is to restrict the users from accessing Task Manager so they cannot end the IE process or start another application if they know how.

How to set this option in Group Policy.  First and for most you must be running in a Domain infrastructure and not work group to be deploy Group Policies.
You can set the computer policy if you are not in a Domain infrastructure, but you will need to access each computer one by one to make these changes.

To edit in Group Policy:
On a Domain Controller or a Server/Workstations that has RSAT run GPMC.MSC
On a computer that is not a member of a Domain use GPEDIT.MSC

The setting you are looking for is Ctrl + Alt + Del
This is located user User Configuration > Administrative Templates > System > Ctrl + Alt +Del > Remove Task Manager {enabled}

Remove Task Manager

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
lineonecorpAuthor Commented:
Thanks for the additional info. Let me give it a try and get back to you.
lineonecorpAuthor Commented:
Having trouble freeing up time. I will close and when I get around to this and have any further questions will post then.  Thanks.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.