Avatar of xmouser
xmouser
Flag for United States of America asked on

GPO Lockdown

I'm looking to lock down a desktop so that only one application can be run. The user will RDP in and then start this single application. I'm thinking that a GPO would accomplish this. Is it possible?

Server 2008 R2, Windows 7
OS SecurityWindows Server 2008Windows 7

Avatar of undefined
Last Comment
Asif Bacchus

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Michael Wade

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
VB ITS

Deploy a custom RDP file to the user. Create the RDP file on the Windows 7 machine they will be using, modify the settings as desired (screen resolution, enable/disable device redirection.

The Programs tab is what you'll be most interested in > specify the path to the program's executable > go back to the General tab > Save As > save the file to your Desktop with your desired filename > zip up the file > send to the user.

This will launch the program (and nothing else) whenever the user connects to the Windows 7 machine using this icon. There is nothing that will stop him from using the Remote Desktop Connection client on his PC though, which will grant him access to the full desktop. This is where Software Restriction Policies (and GPOs) come into play. Have a read here for some more information: http://technet.microsoft.com/en-us/library/hh994606.aspx
xmouser

ASKER
Michael Wade

Yes it will start that particular program but I think that users will still retain thew ability to start other applications after connection. This one application is the only thing that can run.
Michael Wade

Actually the way I've done this in the past is through the user's AD properties under ENVIRONMENT. If you specify the program at logon, the user's session will be disconnected if they close that program.

The GPO linked should terminate as well, but I prefer using RDP application delivery nowadays since it appears to the user that the application is installed on their PC.

The AD user environment properties is probably the easiest way to accomplish this for a one-off user.
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
xmouser

ASKER
Michael Wade

I'll check, thanks.
SOLUTION
Bradley Vonderheide

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Asif Bacchus

I have not tried this in a TS/RDS environment, but locally you can restrict users to only running specified programs.  One catch, if the program you run launches other programs also, you have to know the name of each of those executables also.

You can use Computer Configuration > Policies > Administrative Templates > System > Run only specified Windows applications.  Set this to enabled, then click the 'Show...' button and enter the names of the executable program(s) you want the user to be able to run.  If you want to restrict this only to the specific user logging in, then use the same policy, but under User Configuration instead of Computer Configuration.

Hope this helps.