Solved

GPO Lockdown

Posted on 2014-11-10
Medium Priority
150 Views
Last Modified: 2014-11-12
I'm looking to lock down a desktop so that only one application can be run. The user will RDP in and then start this single application. I'm thinking that a GPO would accomplish this. Is it possible?

Server 2008 R2, Windows 7
0
Question by:xmouser
7 Comments
 
LVL 2

Accepted Solution

by:
Michael Wade earned 1400 total points
ID: 40432777
Yes.

Computer Configuration, Administrative Templates, Windows Components, Terminal Services, double-click the Start a program on connection setting, and then click Enabled.

http://technet.microsoft.com/en-us/library/cc736643%28v=ws.10%29.aspx
0
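The accepted answer names the policy but not what it writes. Below is an added example (my own, not Michael Wade's) that creates and links a GPO carrying that setting with the GroupPolicy module, then reads it back. The GPO name, OU path and program path are placeholders; the InitialProgram/WorkDirectory value names are assumed from the TerminalServer.admx mapping of this policy.

```powershell
# Added example, not from the answer above: build a GPO that enables
# "Start a program on connection" by writing its registry-backed values.
# Assumes the GroupPolicy module (RSAT or a DC). Placeholders below.
Import-Module GroupPolicy

$gpoName  = "RDP - Single Application"              # placeholder
$targetOU = "OU=Kiosk Hosts,DC=example,DC=local"    # placeholder
$program  = "C:\Program Files\Example\App.exe"      # placeholder
$workDir  = "C:\Program Files\Example"              # placeholder

# Value names assumed from the ADMX definition of this policy.
$key = "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName "InitialProgram" -Type String -Value $program | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName "WorkDirectory"  -Type String -Value $workDir | Out-Null
New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Confirm what the GPO now carries before it reaches any host.
Get-GPRegistryValue -Name $gpoName -Key $key | Select-Object ValueName, Value

# On the target host, after gpupdate /force, the applied values can be checked with:
# Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" |
#     Select-Object InitialProgram, WorkDirectory
```

Linking it to an OU that holds only the kiosk hosts keeps the setting from reaching machines where admins still need a full desktop over RDP.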
 
LVL 24

Expert Comment

by:VB ITS
ID: 40432924
Deploy a custom RDP file to the user. Create the RDP file on the Windows 7 machine they will be using, modify the settings as desired (screen resolution, enable/disable device redirection).

The Programs tab is what you'll be most interested in > specify the path to the program's executable > go back to the General tab > Save As > save the file to your Desktop with your desired filename > zip up the file > send to the user.

This will launch the program (and nothing else) whenever the user connects to the Windows 7 machine using this icon. There is nothing that will stop him from using the Remote Desktop Connection client on his PC though, which will grant him access to the full desktop. This is where Software Restriction Policies (and GPOs) come into play. Have a read here for some more information: http://technet.microsoft.com/en-us/library/hh994606.aspx
0
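The same .rdp file can be produced without clicking through the client. This is an added example (mine, not VB ITS's), writing the file in the `name:type:value` format mstsc reads; the host name, program path and output path are placeholders. The `alternate shell` line is what the Programs tab fills in.

```powershell
# Added example, not from the comment above: generate the custom .rdp file.
# Placeholders: host, program, working directory, output path.
$rdpHost = "win7-kiosk.example.local"            # placeholder
$program = "C:\Program Files\Example\App.exe"    # placeholder
$workDir = "C:\Program Files\Example"            # placeholder
$outFile = Join-Path $env:USERPROFILE "Desktop\ExampleApp.rdp"

# Each line is name:type:value with s = string, i = integer.
$lines = @(
    "full address:s:$rdpHost",
    "alternate shell:s:$program",
    "shell working directory:s:$workDir",
    "screen mode id:i:2",
    "desktopwidth:i:1280",
    "desktopheight:i:1024",
    "redirectdrives:i:0",
    "drivestoredirect:s:",
    "redirectprinters:i:0",
    "redirectclipboard:i:0",
    "redirectcomports:i:0",
    "redirectsmartcards:i:0",
    "authentication level:i:1"
)
# screen mode id 2 = full screen; authentication level 1 = do not connect
# if the server cannot be authenticated.
Set-Content -Path $outFile -Value $lines -Encoding Unicode

# Parse the file back and confirm the program entry survived.
$parsed = @{}
Get-Content $outFile | ForEach-Object {
    $name, $type, $value = $_ -split ':', 3
    $parsed[$name] = $value
}
if ($parsed["alternate shell"] -ne $program) { throw "alternate shell was not written" }
"Wrote $outFile for $($parsed['full address'])"
```

As the comment says, this only shapes the session launched from this file; a user who opens the Remote Desktop Connection client directly still gets the full desktop, so the file is a convenience on top of the server-side policy, not the control itself.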
 

Author Comment

by:xmouser
ID: 40432958
Michael Wade

Yes it will start that particular program but I think that users will still retain the ability to start other applications after connection. This one application is the only thing that can run.
0
 
LVL 2

Expert Comment

by:Michael Wade
ID: 40432977
Actually the way I've done this in the past is through the user's AD properties under ENVIRONMENT. If you specify the program at logon, the user's session will be disconnected if they close that program.

The GPO linked should terminate as well, but I prefer using RDP application delivery nowadays since it appears to the user that the application is installed on their PC.

The AD user environment properties is probably the easiest way to accomplish this for a one-off user.
0
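The Environment tab fields Michael Wade refers to are stored in the user's `userParameters` attribute and are exposed through the IADsTSUserEx extension, so they can be set from PowerShell via ADSI. This is an added example (mine, not the poster's); the user DN and program path are placeholders, and it assumes it runs on a DC or a machine with RSAT where that extension is registered.

```powershell
# Added example, not from the comment above: set the per-user
# "Start the following program at logon" fields via ADSI.
# Placeholders: user DN, program, working directory.
$userDN  = "LDAP://CN=Kiosk User,OU=Kiosk Users,DC=example,DC=local"   # placeholder
$program = "C:\Program Files\Example\App.exe"                           # placeholder
$workDir = "C:\Program Files\Example"                                   # placeholder

$user = [ADSI]$userDN
# IADsTSUserEx properties are reached with InvokeSet/InvokeGet, not as plain attributes.
$user.psbase.InvokeSet("TerminalServicesInitialProgram", $program)
$user.psbase.InvokeSet("TerminalServicesWorkDirectory", $workDir)
$user.psbase.CommitChanges()

# Read the values back from a fresh bind to verify the write landed.
$check = [ADSI]$userDN
[PSCustomObject]@{
    User           = $check.sAMAccountName.Value
    InitialProgram = $check.psbase.InvokeGet("TerminalServicesInitialProgram")
    WorkDirectory  = $check.psbase.InvokeGet("TerminalServicesWorkDirectory")
}

# To revert to a normal desktop for this user, set both properties to "" and commit again.
```

Because these values live inside the `userParameters` blob, a plain `Get-ADUser` will not show them; checking through ADSI as above is the reliable way to audit which accounts have an initial program set.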
 

Author Comment

by:xmouser
ID: 40433044
Michael Wade

I'll check, thanks.
0
 
LVL 1

Assisted Solution

by:Bradley Vonderheide
Bradley Vonderheide earned 600 total points
ID: 40433709
Mouser,
There are some programs that will not work this way. While I agree with most everyone on here that there are ways to configure environmental variables in AD using Group Policy, there are times when software requires certain access to areas of the system, as well as different folders, where it would be a nightmare to set this up in a large company. Those are the ones I typically create an RDS client for, running on the server with multiple clones running the same username, to work around having to go through hoops to fix.

Another thing:
while you can lock down everything and anything,
I would strongly suggest you run all your changes in a test environment prior to changing anything in the corp environment, as there are some changes that, as an admin, read one way, but the change can cause headaches that are far worse (or create a Test OU and put only one or two participants into that group to test with).

Best of luck sir..
0
 
LVL 6

Expert Comment

by:Asif Bacchus
ID: 40436489
I have not tried this in a TS/RDS environment, but locally you can restrict users to only running specified programs.  One catch, if the program you run launches other programs also, you have to know the name of each of those executables also.

You can use Computer Configuration > Policies > Administrative Templates > System > Run only specified Windows applications.  Set this to enabled, then click the 'Show...' button and enter the names of the executable program(s) you want the user to be able to run.  If you want to restrict this only to the specific user logging in, then use the same policy, but under User Configuration instead of Computer Configuration.

Hope this helps.
0
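The policy in this comment is backed by the `RestrictRun` values under the Explorer policies key, which is how it can be populated from a script. This is an added example (mine, not Asif Bacchus's), creating the GPO on the User Configuration side as he suggests; the GPO name, OU and executable names are placeholders.

```powershell
# Added example, not from the comment above: populate the values behind
# "Run only specified Windows applications" in a user-side GPO.
# Assumes the GroupPolicy module. Placeholders below; list the main program
# plus every executable it launches, as the comment notes.
Import-Module GroupPolicy

$gpoName  = "Kiosk - Run only specified apps"        # placeholder
$targetOU = "OU=Kiosk Users,DC=example,DC=local"     # placeholder
$allowed  = @("App.exe", "AppHelper.exe")            # placeholders

# An HKCU key makes Set-GPRegistryValue write to User Configuration.
$key = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}

# RestrictRun=1 turns the policy on; the RestrictRun subkey holds the
# permitted file names as string values named 1, 2, 3 ...
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName "RestrictRun" -Type DWord -Value 1 | Out-Null
for ($i = 0; $i -lt $allowed.Count; $i++) {
    Set-GPRegistryValue -Name $gpoName -Key "$key\RestrictRun" `
        -ValueName ($i + 1).ToString() -Type String -Value $allowed[$i] | Out-Null
}
New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Review the resulting allow list before the kiosk user logs on.
Get-GPRegistryValue -Name $gpoName -Key "$key\RestrictRun" | Select-Object ValueName, Value
```

Two practical points: this policy is enforced by the Explorer shell and matches on file name only, so it is best layered with the Software Restriction Policies VB ITS mentioned rather than relied on alone; and it should be linked only to the OU holding the kiosk user, tried first in a test OU as Bradley suggests, since an admin account caught by it loses the ability to launch the management tools needed to undo it.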