We are trying to stop users running their login scripts when logging into our terminal servers.
Whilst the users have a bit more freedom on their actual desktops, the terminal servers are locked down quite heavily with all desktop icons and IE settings delivered through GPO’s. There are a heap of other security items also controlled through GPO's - all in all we have tried to use GPO's for as much as possible to minimise the individual terminal server config etc...
The users logging into the servers come from various parts of the business, and have different login scripts that perform a lot of unrequired tasks on the Terminal servers. As a stop gap we have disabled access to cmd through GPO, which effectively stops the login script from running but there is another issue that comes from this. An error message is displayed on login albeit minimised. As a result the desktop stops loading until the user maximises the message and clicks OK before the desktop continues to load.
That said we would like a better method of disabling the login scripts from running on the terminal servers. We’d like a method that is transparent to the end user with no error messages etc. We also don’t want a solution that requires us to modify login scripts, as we can’t control the login scripts that may change and break things.
We’ve done some searching and can’t seem to locate a specific GPO setting, but would hope someone can make a suggestion that will cover this off. Hope that makes sense, but if not let me know.