Solved

GPO Lockdown

Posted on 2014-11-10
7
123 Views
Last Modified: 2014-11-12
I'm looking to lock down a desktop so that only one application can be run. The user will RDP in and then start this single application. I'm thinking that a GPO would accomplish this. Is it possible?

Server 2008 R2, Windows 7
0
Comment
Question by:xmouser
7 Comments
 
LVL 2

Accepted Solution

by:
Michael Wade earned 350 total points
ID: 40432777
Yes.

Computer Configuration, Administrative Templates, Windows Components, Terminal Services, double-click the Start a program on connection setting, and then click Enabled.

http://technet.microsoft.com/en-us/library/cc736643%28v=ws.10%29.aspx
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40432924
Deploy a custom RDP file to the user. Create the RDP file on the Windows 7 machine they will be using, modify the settings as desired (screen resolution, enable/disable device redirection.

The Programs tab is what you'll be most interested in > specify the path to the program's executable > go back to the General tab > Save As > save the file to your Desktop with your desired filename > zip up the file > send to the user.

This will launch the program (and nothing else) whenever the user connects to the Windows 7 machine using this icon. There is nothing that will stop him from using the Remote Desktop Connection client on his PC though, which will grant him access to the full desktop. This is where Software Restriction Policies (and GPOs) come into play. Have a read here for some more information: http://technet.microsoft.com/en-us/library/hh994606.aspx
0
 

Author Comment

by:xmouser
ID: 40432958
Michael Wade

Yes it will start that particular program but I think that users will still retain thew ability to start other applications after connection. This one application is the only thing that can run.
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 2

Expert Comment

by:Michael Wade
ID: 40432977
Actually the way I've done this in the past is through the user's AD properties under ENVIRONMENT. If you specify the program at logon, the user's session will be disconnected if they close that program.

The GPO linked should terminate as well, but I prefer using RDP application delivery nowadays since it appears to the user that the application is installed on their PC.

The AD user environment properties is probably the easiest way to accomplish this for a one-off user.
0
 

Author Comment

by:xmouser
ID: 40433044
Michael Wade

I'll check, thanks.
0
 
LVL 1

Assisted Solution

by:Bradley Vonderheide
Bradley Vonderheide earned 150 total points
ID: 40433709
Mouser,
There are some programs that will not work this way.. while i agree with most everyone on here, there are ways to configure environmental variables in AD, using Group Policy, there are times when software requires certain access to area's of the system, as well as different folder, where it would be a nightmare to set this up in a large company. Those are the ones i typically create a RDS client running on the server with multiple clones running the same username to work around having to go through hoops to fix.

Another thing,
is while you can lock down everything and anything..
I would strongly suggest you run all your changes in a test environment prior to changing anything in the corp environment, as there are some changes that as an admin read one way, the change can cause head-aches that are far worse.. (or create a Test OU and put only one or two participants into that group to test with)

Best of luck sir..
0
 
LVL 6

Expert Comment

by:Asif Bacchus
ID: 40436489
I have not tried this in a TS/RDS environment, but locally you can restrict users to only running specified programs.  One catch, if the program you run launches other programs also, you have to know the name of each of those executables also.

You can use Computer Configuration > Policies > Administrative Templates > System > Run only specified Windows applications.  Set this to enabled, then click the 'Show...' button and enter the names of the executable program(s) you want the user to be able to run.  If you want to restrict this only to the specific user logging in, then use the same policy, but under User Configuration instead of Computer Configuration.

Hope this helps.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
You may have a outside contractor who comes in once a week or seasonal to do some work in your office but you only want to give him access to the programs and files he needs and keep privet all other documents and programs, can you do this on a loca…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now