Solved

GPO Lockdown

Posted on 2014-11-10
126 Views
Last Modified: 2014-11-12
I'm looking to lock down a desktop so that only one application can be run. The user will RDP in and then start this single application. I'm thinking that a GPO would accomplish this. Is it possible?

Server 2008 R2, Windows 7
Question by:xmouser
7 Comments
 
LVL 2

Accepted Solution

by:
Michael Wade earned 350 total points
ID: 40432777
Yes.

Computer Configuration, Administrative Templates, Windows Components, Terminal Services, double-click the Start a program on connection setting, and then click Enabled.

http://technet.microsoft.com/en-us/library/cc736643%28v=ws.10%29.aspx
 
LVL 24

Expert Comment

by:VB ITS
ID: 40432924
Deploy a custom RDP file to the user. Create the RDP file on the Windows 7 machine they will be using, and modify the settings as desired (screen resolution, enable/disable device redirection).

The Programs tab is what you'll be most interested in > specify the path to the program's executable > go back to the General tab > Save As > save the file to your Desktop with your desired filename > zip up the file > send to the user.

This will launch the program (and nothing else) whenever the user connects to the Windows 7 machine using this icon. There is nothing that will stop him from using the Remote Desktop Connection client on his PC though, which will grant him access to the full desktop. This is where Software Restriction Policies (and GPOs) come into play. Have a read here for some more information: http://technet.microsoft.com/en-us/library/hh994606.aspx
 

Author Comment

by:xmouser
ID: 40432958
Michael Wade

Yes, it will start that particular program, but I think that users will still retain the ability to start other applications after connection. This one application is the only thing that can run.
 
LVL 2

Expert Comment

by:Michael Wade
ID: 40432977
Actually the way I've done this in the past is through the user's AD properties under ENVIRONMENT. If you specify the program at logon, the user's session will be disconnected if they close that program.

The GPO linked should terminate as well, but I prefer using RDP application delivery nowadays since it appears to the user that the application is installed on their PC.

The AD user environment properties are probably the easiest way to accomplish this for a one-off user.
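Scripted form of the Environment-tab setting described above, as an added example that is not from the thread: it writes the same Terminal Services user properties through ADSI that the AD Users and Computers dialog writes. The user DN, program path and working directory are placeholders, and it assumes the Remote Desktop Services ADSI extension is present on the machine running it.

```powershell
# Added example (not from the thread): set the "Start the following program at logon"
# fields of an AD user's Environment tab via the IADsTSUserEx properties exposed by ADSI.
# The DN, program path and working directory are placeholders.
function Set-TSInitialProgram {
    param(
        [Parameter(Mandatory)][string]$UserDN,
        [Parameter(Mandatory)][string]$Program,
        [Parameter(Mandatory)][string]$WorkingDirectory
    )
    $user = [ADSI]"LDAP://$UserDN"
    # These two properties are exactly what the Environment tab edits.
    $user.psbase.InvokeSet('TerminalServicesInitialProgram', $Program)
    $user.psbase.InvokeSet('TerminalServicesWorkDirectory',  $WorkingDirectory)
    $user.SetInfo()
}

function Get-TSInitialProgram {
    param([Parameter(Mandatory)][string]$UserDN)
    $user = [ADSI]"LDAP://$UserDN"
    [pscustomobject]@{
        User             = $UserDN
        InitialProgram   = $user.psbase.InvokeGet('TerminalServicesInitialProgram')
        WorkingDirectory = $user.psbase.InvokeGet('TerminalServicesWorkDirectory')
    }
}

# As noted in the thread, the session is disconnected when this program exits; the
# setting controls what is launched, not what the user may launch afterwards, so pair
# it with an allow-list policy (SRP or "Run only specified Windows applications").
$dn = 'CN=kiosk user,OU=Kiosk,DC=example,DC=com'   # placeholder DN
Set-TSInitialProgram -UserDN $dn -Program 'C:\Apps\Kiosk\kiosk.exe' -WorkingDirectory 'C:\Apps\Kiosk'
Get-TSInitialProgram -UserDN $dn
```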
 

Author Comment

by:xmouser
ID: 40433044
Michael Wade

I'll check, thanks.
 
LVL 1

Assisted Solution

by:Bradley Vonderheide
Bradley Vonderheide earned 150 total points
ID: 40433709
Mouser,
There are some programs that will not work this way. While I agree with most everyone on here that there are ways to configure environmental variables in AD using Group Policy, there are times when software requires certain access to areas of the system, as well as different folders, where it would be a nightmare to set this up in a large company. Those are the ones I typically create an RDS client for, running on the server with multiple clones running the same username, to work around having to go through hoops to fix.

Another thing: while you can lock down everything and anything, I would strongly suggest you run all your changes in a test environment prior to changing anything in the corp environment, as there are some changes that, as an admin, read one way, but the change can cause headaches that are far worse (or create a Test OU and put only one or two participants into that group to test with).

Best of luck, sir.
 
LVL 6

Expert Comment

by:Asif Bacchus
ID: 40436489
I have not tried this in a TS/RDS environment, but locally you can restrict users to only running specified programs. One catch: if the program you run launches other programs, you have to know the name of each of those executables as well.

You can use Computer Configuration > Policies > Administrative Templates > System > Run only specified Windows applications.  Set this to enabled, then click the 'Show...' button and enter the names of the executable program(s) you want the user to be able to run.  If you want to restrict this only to the specific user logging in, then use the same policy, but under User Configuration instead of Computer Configuration.

Hope this helps.
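The policy described in the comment above, applied and read back through the per-user registry values the User Configuration policy writes, as an added example that is not from the thread; the executable names are placeholders. It covers the child-executable catch (every binary the application spawns must be listed) and notes that this policy is enforced by Explorer, so it complements the Software Restriction Policies mentioned earlier rather than replacing them.

```powershell
# Added example (not from the thread): per-user registry equivalent of
# "Run only specified Windows applications", which the policy writes when it applies.
# Executable names below are placeholders; list every binary the application spawns.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AllowKey  = "$PolicyKey\RestrictRun"

function Set-RestrictRunAllowList {
    param([Parameter(Mandatory)][string[]]$Executables)
    # Recreate the list key so stale entries from an earlier run do not linger.
    if (Test-Path $AllowKey) { Remove-Item -Path $AllowKey -Recurse -Force }
    New-Item -Path $AllowKey -Force | Out-Null
    # Explorer reads the entries as string values named "1", "2", ... in the subkey.
    $n = 1
    foreach ($exe in $Executables) {
        New-ItemProperty -Path $AllowKey -Name "$n" -Value $exe -PropertyType String | Out-Null
        $n++
    }
    # RestrictRun=1 on the parent key switches the policy on; 0 or absent leaves it off.
    New-ItemProperty -Path $PolicyKey -Name 'RestrictRun' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-RestrictRunAllowList {
    $value   = Get-ItemProperty -Path $PolicyKey -Name 'RestrictRun' -ErrorAction SilentlyContinue
    $enabled = ($null -ne $value) -and ($value.RestrictRun -eq 1)
    $list = @()
    if (Test-Path $AllowKey) {
        $item = Get-Item -Path $AllowKey
        $list = @($item.GetValueNames() | Sort-Object { [int]$_ } | ForEach-Object { $item.GetValue($_) })
    }
    [pscustomobject]@{ Enabled = $enabled; Allowed = $list }
}

# Caveat: enforcement happens in Explorer, so this complements Software Restriction
# Policies rather than replacing them. Apply to a test account first: a list that omits
# regedit.exe and mmc.exe locks that same account out of undoing the change interactively.
Set-RestrictRunAllowList -Executables @('kiosk.exe', 'kiosk-helper.exe')
Get-RestrictRunAllowList
```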