Solved

Remote Desktop Services - RemoteApp - no connect with this group policy enabled?

Posted on 2012-04-04
2,359 Views
Last Modified: 2012-05-14
We're playing with RemoteApp for the 1st time.  For years we've only used the standard Remote Desktop Connection PC application.   A-OK.

With the Group Policy "Use Only Allowed Windows Applications" enabled, and a really simple example using Calc.exe, RemoteApp fails to connect and run Calc.exe.   It just sort of hangs there and then dies.   Nothing in the Event Logs.   Works A-OK as soon as we disable the policy.  We tried access both via the .msi-created icon and the RDWeb web page.

The group policy is in User Configuration | Administrative Templates | System.  It has been working as expected for us for a long time, just not with the new RemoteApp.

After searching Google,  we tried adding more applications to the allowed list, such as rdpshell.exe, rdpinit.exe, rdpclip.exe, and about 25 other Windows OS-related apps.  We also looked at C:\> Query Process *  when successfully connected with the policy disabled and made sure the few exe's shown were also in our policy's allowed list.

Question:  What do we need to add to "Use Only Allowed Windows Applications"?   Does anybody have RemoteApp working with the policy "Use Only Allowed Windows Applications"?

Yes, the client PC is running RDC 6.0.6001; protocol 6.1 is supported.

Any comments appreciated.
Question by:JReam
13 Comments
 
LVL 7

Assisted Solution

by:Jayanta Sarmah
Jayanta Sarmah earned 200 total points
ID: 37810743
Just a thought; see if the below helps you find out the file needed:

Enable "Failure attempts" on the audit policies "Audit process tracking"
and "Audit object access", and then check the event log after trying
to start calc.exe.
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 37812095
Did you remember to allow remote desktop connection? %windir%\system32\mstsc.exe
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 600 total points
ID: 37812220
Hi.

Please clear this up: where is "Run only allowed Windows applications" in effect? At the server or client side? Also: how did you publish the RemoteApp? Did you distribute an MSI, or? Because after activating RemoteApp on the server side, we can no longer connect to the server via RDP and start shells other than explorer or published RemoteApps (I am talking about this: mstsc.exe - Options - Programs - "Start the following program on connection"). So if you use that way to start Calculator, it will fail unless you first published calc.exe as a RemoteApp.
 
LVL 1

Author Comment

by:JReam
ID: 37812333
From original question poster.  Thank you all for your replies.  Let's keep the dialog going.

To ve3ofa:  mstsc.exe is the client-side Remote Desktop Connection application, which gets the connection started in the first place.  I don't see how that app would be of concern on the server side for allowed apps, since mstsc.exe on the server itself is not needed.

To sarmahjay:  Interesting, and we're going to try that later today.

To McKnife:  The policy is a domain-level policy.   Our remote users are in a Users group that we set up and are in the policy's delegation.  Pretty straightforward.   We distributed both an MSI and set up the standard web interface RDWeb; both ways connect and launch calc.exe perfectly fine with RemoteApp, but only when the policy is disabled.   We're not messing with mstsc command-line options, er, unless the auto-created calc.rdp is.... Here's the .rdp file:

redirectclipboard:i:1
redirectposdevices:i:0
redirectprinters:i:1
redirectcomports:i:1
redirectsmartcards:i:1
devicestoredirect:s:*
drivestoredirect:s:*
redirectdrives:i:1
session bpp:i:32
prompt for credentials on client:i:1
span monitors:i:1
use multimon:i:1
remoteapplicationmode:i:1
server port:i:3389
allow font smoothing:i:1
promptcredentialonce:i:1
authentication level:i:2
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:0
gatewaycredentialssource:i:0
full address:s:tech.esensory.com
alternate shell:s:||calc
remoteapplicationprogram:s:||calc
gatewayhostname:s:
remoteapplicationname:s:Calculator
remoteapplicationcmdline:s:

 
LVL 56

Expert Comment

by:McKnife
ID: 37812372
So calc.exe is on the list of allowed programs?
You might think about whether using this policy makes sense at all. The protective effect is next to nothing; see the description of the policy.
 
LVL 1

Author Comment

by:JReam
ID: 37814197
McKnife:  Yes, calc.exe is on the list of allowed programs.   We put it in there for this testing.

McKnife:  We thought about dumping the policy as you suggested.   I'm generally a security fan of blacklisting everything, then whitelisting stuff as needed.    This strategy of having this policy enabled has worked fine for years with Terminal Server and still works with the new 2008 RDS, just not with the new RemoteApp.     I'd hate to dump it for RemoteApp, especially when RemoteApp should really be able to coexist with the policy.

McKnife:  And worth mentioning here: we did try turning off the policy for a while and immediately noticed that upon remote user login all sorts of crappy MS apps launch automatically on startup, such as the infamous Narrator.exe, Magnifier.exe, Ease of Access, all of which amazingly is not easy to turn off; another can of worms for us to troubleshoot. I like the tight policy-enabled approach better.
 
LVL 1

Author Comment

by:JReam
ID: 37814251
To sarmahjay:    We tried the audit failure suggestion.  Yes, we saw many more entries in the event logs for Process Creation and Process Termination.     We added EVERY process we saw in there by file name to the policy's allowed list.  It made no difference.    RemoteApp connects, hangs, and after 30 seconds or so closes the RD window.

I'd be curious if anyone anywhere is actually using RemoteApp with the Group Policy "Use Only Allowed Windows Applications" enabled.   Maybe it's just flawed at the core.

Here's my current expanded list of "allowed" applications; most of these entries are new in this policy's list, added while attempting to get RemoteApp working.  Previously we only needed to put in the obvious app names such as excel.exe and winword.exe.


excel.exe
explorer.exe
iexplorer.exe
ois.exe
winword.exe

and added all of these:
rdpshell.exe
rdpclip.exe
rdpinit.exe
userinit.exe
cmd.exe
gpupdate.exe
conhost.exe
consent.exe
acregl.exe
dwm.exe
atbroker.exe
gpscript.exe
TSTheme.exe
taskhost.exe
Dllhost.exe

I even tried stuff like *.* and *.exe. Also tried a few dozen other file names in there not worth listing here.
 
LVL 56

Expert Comment

by:McKnife
ID: 37815520
OK, here's what you should do: dump that policy and use software restriction policies instead; those are even more secure. Maybe the problem is solved, too.
 
LVL 83

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 200 total points
ID: 37815761
I don't think you are clear on what you want to accomplish.

Here is a description of remote App
Here are instructions on how to install it.  After following these instructions and adding a few programs, I first used Internet Explorer to browse to the RDWeb website and installed the certificate into my trusted root (it was a self-signed certificate).

I was then able to do the items shown on this video.

No playing around with restricting programs on the client.
You can restrict remote desktop to only admins and only present the 'apps'
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 37815772
> Please clear this up: where is "Run only allowed Windows applications" in effect? at the server or client side?

Client side -- depends upon who the GPO is applied to.

> Also: how did you publish the remoteApp? Did you distribute an msi or?

No, went to Control Panel / RemoteApp and Desktop and then connected to the server after setting up a new connection.
https://servername/rdweb/feed/webfeed.aspx

> Because after activating remoteApp at the server site, we can no longer connect to the server via rdp and start shells other than explorer or published remote apps (I am talking about this: mstsc.exe - options - programs - "start the following program on connection"). So if you use that way to start calculator, it will fail, unless you first published calc.exe as remoteApp.

Don't do this (unless you REALLY, REALLY need to) as it is a real pain.
 
LVL 56

Accepted Solution

by:McKnife
McKnife earned 600 total points
ID: 37817285
To me it is clear what he wants to accomplish. Until now he used RD, (full session) now he would like to use RemoteApp. This fails, because somehow the policy "Run only allowed Windows applications" is interfering.

Software restriction policies offer logging. So if the same problem appears with SRPs, you will at least know what process was blocked and has to be allowed.
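Both diagnostic routes suggested in this thread (Jayanta's "turn on process-tracking auditing and read the event log" and McKnife's "move to Software Restriction Policies because they log what they block") can be driven from PowerShell on the RDS host. The script below is an added example for this page, not code from any poster. It assumes process-creation auditing is enabled on the host (Security log event 4688), that the "Use Only Allowed Windows Applications" list lives where the policy writes it per user (HKCU\...\Policies\Explorer\RestrictRun, an assumed location), that SRP block events are IDs 865-868 in the Application log (assumed; confirm on your host), and that the user name, allowed list and time window in the usage lines are placeholders.

```powershell
# Added example, not from the thread. Run on the RDS host as an administrator.
# Assumes "Audit process tracking" (Security log event 4688) is enabled there,
# as Jayanta suggested, and that SRP block events land in the Application log.

function Get-RestrictRunList {
    # "Run only specified Windows applications" stores its list per user at this key
    # (assumed location). Reading HKCU here only sees the *current* user's policy,
    # so pass -AllowedExe explicitly when the affected user is someone else.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun'
    if (-not (Test-Path $key)) { return @() }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |      # list entries are values named "1","2",...
        ForEach-Object { $_.Value.ToString().ToLower() }
}

function Get-ProcessesOutsideAllowList {
    param(
        [Parameter(Mandatory)][string]$UserName,        # 'DOMAIN\user' exactly as 4688 reports it
        [string[]]$AllowedExe = (Get-RestrictRunList),
        [datetime]$Since = (Get-Date).AddMinutes(-15)
    )
    $allowed = @($AllowedExe | ForEach-Object { $_.ToLower() })
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the event XML instead of
            # regex-ing the localized Message text.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $exe = if ($d.NewProcessName) { [IO.Path]::GetFileName($d.NewProcessName).ToLower() } else { '' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Exe     = $exe
                Process = $d.NewProcessName
                Parent  = $d.ParentProcessName   # populated on newer Windows only; $null on 2008 R2
            }
        } |
        Where-Object { $_.Account -eq $UserName -and $allowed -notcontains $_.Exe } |
        Sort-Object Time
}

function Get-SrpBlockEvents {
    # Software Restriction Policies write "Access to <path> has been restricted by your
    # Administrator ..." to the Application log. IDs 865-868 (one per rule type) are
    # assumed from memory; confirm them against a known blocked launch first.
    param([datetime]$Since = (Get-Date).AddMinutes(-15))
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 865, 866, 867, 868; StartTime = $Since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: enable the policy, reproduce the hung RemoteApp launch, then within the window:
#   Get-ProcessesOutsideAllowList -UserName 'CONTOSO\jream' -AllowedExe 'calc.exe','rdpshell.exe','rdpinit.exe' |
#       Format-Table Time, Exe, Parent -AutoSize
#   Get-SrpBlockEvents | Format-List
```

The diff this produces shows which executables the session actually spawned during the failing launch, rather than what `Query Process *` shows after a successful one; drop the Account filter if you also want processes the system started on the user's behalf. Keep the policy's own caveat in mind while reading the result: its description states that it only restricts programs started by the Explorer process, which is why McKnife rates its protective effect as next to nothing and points to SRP, whose block events name the restricted path explicitly instead of leaving you to guess.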
 
LVL 1

Author Closing Comment

by:JReam
ID: 37966507
We never did figure this out.    RemoteApp somewhere under the hood has a bug; it is MS after all.  We'll wait for another chance down the road to give it a try.   In the meantime we're looking at other remote access options.
 
LVL 56

Expert Comment

by:McKnife
ID: 37966576
May I comment on the closure:
I appreciate the points, but you did not try to follow my advice. ->Use software restriction policies! They have logging, so you will see what is going on!

...that would have been better than accepting with a C grade, too ;)
