Solved

Windows Thin PC - RDS Solution

Posted on 2014-04-23
Last Modified: 2014-05-06
I am looking to repurpose some of our older pcs to run Windows Thin PC.  I would like to set them up so that when a user logs onto the Thin pc, it automatically starts mstsc.exe and connects to the RDS server.

I would like for the user to never see the desktop or taskbar of the thin pc.  When they log in, I want it to go straight into the RDS server as single sign on.

I have seen multiple ways to do this online, but what is the cleanest most efficient way to do this?  If possible, I prefer doing it by GPO so it can all be handled at the server level.  But we cannot have user configuration GPOs as the users will move back and forth from these pcs to real desktops.
0
Question by:considerscs
14 Comments
 
LVL 14

Accepted Solution

by:
BlueCompute earned 357 total points
ID: 40019556
You can have user configuration in Group Policy that is only applied when the users log onto a particular set of computers. Look up Loopback Policy Processing. You can then create a policy that applies the MSTSC settings you want when the users log onto the Thin PCs, but doesn't trigger when they log on to a thick client.
0
 
LVL 1

Author Comment

by:considerscs
ID: 40019918
For this policy, would you be thinking we use a script to do this at startup?

If so does anyone have a good script to use?  I am not much for scripting so I have found some online, but just want the cleanest way possible for this.
0
 
LVL 14

Assisted Solution

by:BlueCompute
BlueCompute earned 357 total points
ID: 40020029
The question's pretty expansive and there's a lot of ways to achieve this. What I'd do is:

Set up a local user account on the thinPC with auto-logon.
Create an RDP file with the right details (server name etc) and save it locally.
Use group policy to replace the default shell with "mstsc.exe <path-to-your-rdp-file>"
Use Group Policy to lock down the local user so they can't run explorer or task manager. There's plenty of guides around on how to use GP to lock down users.

Other people are using a script in the startup folder; I don't really see why this is necessary - we just want to prevent explorer.exe from starting and run mstsc.exe instead and use Group Policy to stop the user opening task manager or the Run dialog.
That's a pretty high-level overview, if you want more detail on a particular section let me know.
0
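An added example, not part of the thread: a PowerShell check that reports whether a kiosk account matches the setup outlined in the answer above (mstsc.exe as the shell, Task Manager and Run blocked) and whether auto-logon has left the account password readable in the registry. The function names are hypothetical; the registry locations are the standard Windows ones for the Custom User Interface, Remove Task Manager, Remove Run and Winlogon auto-logon settings.

```powershell
# Added example, not from the thread. Run as the kiosk user so HKCU is that user's hive.
# Written to work on PowerShell 2.0, which ships with Windows 7-based systems.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is missing
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-KioskState {
    $polSys   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $polExp   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    New-Object PSObject -Property @{
        CustomShell        = Get-RegValue $polSys 'Shell'   # set by the "Custom User Interface" policy
        TaskManagerBlocked = (Get-RegValue $polSys 'DisableTaskMgr') -eq 1
        RunDialogBlocked   = (Get-RegValue $polExp 'NoRun') -eq 1
        AutoLogonEnabled   = (Get-RegValue $winlogon 'AutoAdminLogon') -eq '1'
        PasswordInRegistry = $null -ne (Get-RegValue $winlogon 'DefaultPassword')
    }
}

function Test-KioskState {
    param($State)
    $issues = @()
    if ("$($State.CustomShell)" -notmatch 'mstsc') {
        $issues += 'Custom shell is not mstsc.exe, so explorer.exe starts at logon'
    }
    if (-not $State.TaskManagerBlocked) { $issues += 'Task Manager is not disabled for this user' }
    if (-not $State.RunDialogBlocked)   { $issues += 'Run dialog is not removed for this user' }
    if ($State.AutoLogonEnabled -and $State.PasswordInRegistry) {
        # DefaultPassword is a clear-text value readable by local users
        $issues += 'Auto-logon password is stored in clear text under Winlogon'
    }
    return $issues
}

$state = Get-KioskState
$state | Format-List
Test-KioskState $state | ForEach-Object { "ISSUE: $_" }
```

An empty ISSUE list means the four checks passed for the account the script ran under; it does not cover other lock-down policies.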
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 143 total points
ID: 40021341
We use software from ThinLaunch.com. Pricing starts at $35 per computer including $6 in maintenance, and pricing goes down as volume goes up. It does exactly everything that you are looking for and more, and is easy to deploy and configure. Can all be done with group policies. Their web site is horribly old, they have a new Thin Desktop 3 but you can't find it on their old web site, and they still haven't launched their new one. You can contact them to trial their current software. Their older software is pretty good too.
0
 
LVL 1

Author Comment

by:considerscs
ID: 40029760
Thanks for the help so far.

I have been working on this and have it working locally.

For me to be able to launch this over an entire network which would include 100 or so computers, I want this as fully automated as possible.

So I want the user to walk up to a machine and they see the normal windows logon prompt, when they login with their domain credentials, it passes those credentials through to the rdp session automatically and it logs them into the RDP session.  When they log out, I want it to go back to the windows logon screen.

Is this possible through group policy without having to use a third party app?  There is so much out there about this and everyone does it a different way.  I have not been able to piece together this exact scenario as of yet.
0
 
LVL 14

Assisted Solution

by:BlueCompute
BlueCompute earned 357 total points
ID: 40029781
As I mentioned, the answer would actually be to have the PC auto-logon to a local account, and run the RDP client. They'll then see the *remote* login prompt as the first thing they see; they still get one login prompt and they're done.
It could be done the way you describe, it's just a fair bit more work. You'll need to read up about configuring Single Sign On for mstsc and Group Policy Loopback Processing and I'm really not sure what advantages you get by having the domain user logged onto a Windows Thin PC client which can't do anything without running the remote desktop client anyway? Seems like a lot of work for much the same result.
Sounds like you're pretty close to a solution anyway; if you've got some questions a little more specific about either implementation I'll be happy to help.
0
 
LVL 1

Author Comment

by:considerscs
ID: 40030044
OK, I have it working through GPO to automatically log in a local account and pull up RDP with a saved RDP file.

I want to change the way the RDP login looks.  Right now by default it pulls up the username of the currently logged in user automatically.  I want to have the username field blank so that whatever user walks up, they enter their username and password.

Most of our users would not even attempt to click "Use another account".  They would attempt to put their password in and then submit a ticket when it doesn't work.

So for ease of use, I want to make that ask for username and password each time.  I have been combing through GPO and Google, and have not found the way to change this as of yet.
0
 
LVL 14

Assisted Solution

by:BlueCompute
BlueCompute earned 357 total points
ID: 40030137
Aha, I saw this one on another server the other day. I don't have access at the moment but I believe the setting was Computer Configuration\Administrative Templates\System\Logon\Always Use Classic Logon - this depends a little on whether the Remote Desktop Services role is installed on the server and which version of Windows your session host is running.
0
 
LVL 14

Assisted Solution

by:BlueCompute
BlueCompute earned 357 total points
ID: 40030907
Apologies, just realised you're probably actually talking about the pre-logon authentication prompt that's part of RDP 6. This can be disabled by adding
enablecredsspsupport:i:0 

to your RDP file, however this disables pre-connection authentication which is used by default on Windows 2008 and newer. This can be disabled as described here however this is a less secure configuration particularly if your RDP server is accessible directly from the internet. If that's not an option then we're back to single sign-on as being the most user-friendly solution. It shouldn't actually be terribly hard, from where you are now you should just be able to enable terminal server single sign-on and log on as a domain user? With your current group policy settings for this are you applying anything to the user side, or is it all computer policies?
0
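An added example, not part of the thread: a PowerShell check that reads the lines of an .rdp file and flags the `enablecredsspsupport:i:0` setting discussed in the answer above, together with two other standard .rdp settings that weaken a connection. The function names and the sample file content (including `rds01.example.local`) are constructed for illustration.

```powershell
# Added example, not from the thread. Sample content below is constructed.

function Get-RdpSetting {
    param([string[]]$Lines)
    # .rdp lines have the form  name:type:value  where type is i, s or b
    $settings = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:]+):([isb]):(.*)$') {
            $settings[$Matches[1].Trim().ToLower()] = $Matches[3].Trim()
        }
    }
    return $settings
}

function Test-RdpFile {
    param([string[]]$Lines)
    $s = Get-RdpSetting -Lines $Lines
    $findings = @()
    if ($s['enablecredsspsupport'] -eq '0') {
        $findings += 'CredSSP disabled: pre-connection authentication (NLA) is off'
    }
    if ($s['authentication level'] -eq '0') {
        $findings += 'Connects without warning when server authentication fails'
    }
    if ($s.ContainsKey('password 51')) {
        $findings += 'Saved password blob is present in the file'
    }
    if (-not $s.ContainsKey('full address')) {
        $findings += 'No full address set, so the target server is not pinned'
    }
    return $findings
}

# Constructed sample; for a real file use: Test-RdpFile -Lines (Get-Content <path-to-your-rdp-file>)
$sample = @(
    'full address:s:rds01.example.local'
    'enablecredsspsupport:i:0'
    'authentication level:i:0'
    'prompt for credentials:i:0'
)
Test-RdpFile -Lines $sample | ForEach-Object { "FINDING: $_" }
```

On the constructed sample this reports the CredSSP and server-authentication findings and nothing else.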
 
LVL 1

Author Comment

by:considerscs
ID: 40033134
OK, here is where I am, I got it working with auto login, but I decided it would work best for users to walk up, sign onto the thin client and it auto login with SSO to the RDS server.

I have it working to log in from the thin client, but the SSO is not working so far.  I have the GPOs created and I see the changes in the registry on the thin client.

But upon login, I get the RDP connection client asking for credentials.

And after this, when the user logs out of the RDP session I want it to log out of the thin client automatically.  I know this part is probably scripted.

Anyone have any ideas on the SSO?
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 143 total points
ID: 40033235
Have you run through these steps for enabling SSO? Some of it needs to be done on your RDS host.

http://technet.microsoft.com/en-us/library/cc742808.aspx
0
 
LVL 1

Author Comment

by:considerscs
ID: 40033240
Yes I have been over those settings a couple different times through landing on that page multiple times with google searches.
0
 
LVL 1

Author Comment

by:considerscs
ID: 40045307
I have SSO working finally.  I blew away the old GPO and made a new one and used a vbs script versus a cmd and now it is working.

Now I am working on when the user logs off the RDP session, it also logs them off the thin client.

Anyone have any good vbs scripts for this?
0
 
LVL 1

Author Comment

by:considerscs
ID: 40045466
Also now have that working.

Thanks for all the help.
0
