Solved

Concurrent Remote Desktop Sessions for Specific Users

Posted on 2013-12-02
5
168 Views
Last Modified: 2014-09-30
I have a terminal server that specific users need to be able to access in concurrent sessions.

NOT ALL USERS should be allowed concurrent sessions.

The below GPO is being applied to specific users in the SECURITY FILTERING for the GPO. When the computer is listed in SECURITY FILTERING, the GPO overrrides the specific users listed and applies all settings. If the computer is not included, the GPO does not apply for any users.

Here are the details for the GPO that I created:
Administrative Templates
Policy definitions (ADMX files) retrieved from the local machine.System/Group Policy
Policy Setting Comment
User Group Policy loopback processing mode Enabled  
Mode: Merge
 

Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections
Policy Setting Comment
Restrict Remote Desktop Services users to a single Remote Desktop Services session Enabled  

Windows Components/Remote Desktop Services/Remote Desktop Session Host/Remote Session Environment
Policy Setting Comment
Remove "Disconnect" option from Shut Down dialog Enabled
0
Comment
Question by:NSBConsulting
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 25

Expert Comment

by:Coralon
ID: 39694459
That is a machine level setting - It's not a user level setting.  It will have to be all or nothing on a per-machine basis.

To accomplish what you want, you'd need to break up your machines into 2 groups, and apply 2 different policies, and put the apps out for the different groups.

Coralon
0
 
LVL 1

Author Comment

by:NSBConsulting
ID: 39694467
Coralon,

Thank you. Since this only one machine, I'm gathering from your comment that I'm pretty much SOL on configuring it to allow standard users a single session and administrators multiple sessions.

The reasoning is that the client has legacy software that needs to run, but Server 2008 UAC prompts for permissions when the software is run. In order to get around this, I've created a REMOTEAPP for the software and have saved the Administrator credentials in the RDP file that is created. Users can now run the software without UAC prompting, but this also allows multiple user sessions for standard users, which can be a problem (because these users are all novice to how terminal services operate).
0
 
LVL 25

Assisted Solution

by:Coralon
Coralon earned 500 total points
ID: 39694508
AH.. ok, this is possibly doable.  With 1 machine, the GPO option will not work at all, since you can only use one setting.

Try setting the compatibility layer for the users by GPO.  This is the equivalent of setting a shortcut that has Run As Admin set.

You'll use a GPO to set this flag for the users:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
The value name will be the full path of the executable, and the value data will be RUNASADMIN.
IF your Win2k8 system is a 64bit system, then this path is for 64bit software.  For 32bit software, you'll use HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers.

So.. if it were a 32bit program on a 64bit system installed in c:\program files (x86)\MyApp\Myapp.exe, then my value will be:
HKLM\Software\Wow6432Node\Microsoft\Windows  NT\CurrentVersion\AppCompatFlags\Layers
c:\program files (x86)\MyApp\MyApp.exe = RUNASADMIN (REG_SZ)

Coralon
0
 
LVL 1

Accepted Solution

by:
NSBConsulting earned 0 total points
ID: 39694517
Coralon,
If this the equivalent of setting the shortcut RUN AS ADMINISTRATOR, won't the user still be prompted for credentials, just as if I set the shortcut to RUN AS ADMINISTRATOR?

AD is not my strong suit, so, if applying the GPO per your suggestion overrides the prompt for credentials, please forgive me.

Thanks for your help.
0
 
LVL 1

Author Closing Comment

by:NSBConsulting
ID: 40351782
Assisting member stopped following-up on issue.

Resolution was found in Microsoft Press Manual 70-643
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question