Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

GPO Lockdown

Posted on 2014-11-10
7
Medium Priority
?
142 Views
Last Modified: 2014-11-12
I'm looking to lock down a desktop so that only one application can be run. The user will RDP in and then start this single application. I'm thinking that a GPO would accomplish this. Is it possible?

Server 2008 R2, Windows 7
0
Comment
Question by:xmouser
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 2

Accepted Solution

by:
Michael Wade earned 1400 total points
ID: 40432777
Yes.

Computer Configuration, Administrative Templates, Windows Components, Terminal Services, double-click the Start a program on connection setting, and then click Enabled.

http://technet.microsoft.com/en-us/library/cc736643%28v=ws.10%29.aspx
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40432924
Deploy a custom RDP file to the user. Create the RDP file on the Windows 7 machine they will be using, modify the settings as desired (screen resolution, enable/disable device redirection.

The Programs tab is what you'll be most interested in > specify the path to the program's executable > go back to the General tab > Save As > save the file to your Desktop with your desired filename > zip up the file > send to the user.

This will launch the program (and nothing else) whenever the user connects to the Windows 7 machine using this icon. There is nothing that will stop him from using the Remote Desktop Connection client on his PC though, which will grant him access to the full desktop. This is where Software Restriction Policies (and GPOs) come into play. Have a read here for some more information: http://technet.microsoft.com/en-us/library/hh994606.aspx
0
 

Author Comment

by:xmouser
ID: 40432958
Michael Wade

Yes it will start that particular program but I think that users will still retain thew ability to start other applications after connection. This one application is the only thing that can run.
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 2

Expert Comment

by:Michael Wade
ID: 40432977
Actually the way I've done this in the past is through the user's AD properties under ENVIRONMENT. If you specify the program at logon, the user's session will be disconnected if they close that program.

The GPO linked should terminate as well, but I prefer using RDP application delivery nowadays since it appears to the user that the application is installed on their PC.

The AD user environment properties is probably the easiest way to accomplish this for a one-off user.
0
 

Author Comment

by:xmouser
ID: 40433044
Michael Wade

I'll check, thanks.
0
 
LVL 1

Assisted Solution

by:Bradley Vonderheide
Bradley Vonderheide earned 600 total points
ID: 40433709
Mouser,
There are some programs that will not work this way.. while i agree with most everyone on here, there are ways to configure environmental variables in AD, using Group Policy, there are times when software requires certain access to area's of the system, as well as different folder, where it would be a nightmare to set this up in a large company. Those are the ones i typically create a RDS client running on the server with multiple clones running the same username to work around having to go through hoops to fix.

Another thing,
is while you can lock down everything and anything..
I would strongly suggest you run all your changes in a test environment prior to changing anything in the corp environment, as there are some changes that as an admin read one way, the change can cause head-aches that are far worse.. (or create a Test OU and put only one or two participants into that group to test with)

Best of luck sir..
0
 
LVL 6

Expert Comment

by:Asif Bacchus
ID: 40436489
I have not tried this in a TS/RDS environment, but locally you can restrict users to only running specified programs.  One catch, if the program you run launches other programs also, you have to know the name of each of those executables also.

You can use Computer Configuration > Policies > Administrative Templates > System > Run only specified Windows applications.  Set this to enabled, then click the 'Show...' button and enter the names of the executable program(s) you want the user to be able to run.  If you want to restrict this only to the specific user logging in, then use the same policy, but under User Configuration instead of Computer Configuration.

Hope this helps.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This Micro Tutorial will teach you how to change your appearance and customize your Windows 7 interface to your unique preference. This will be demonstrated using Windows 7 operating system.
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.
Suggested Courses

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question