Start a program for a specific user-group logging via RDP onto a server

Hi Guys,

I need to auto-start a program in Remote Desktop when a user in a specific group logs onto a server in our domain.
I created a new group policy in GPM (just for our application-specific user group).

Location = local domain
Security filtering = My group (The settings in GPO can only apply to the following groups, users, etc)

Editing the policy:

Under Computer Config\Administrative Templates\Windows Components\Remote Desktop Services\Session Host\Remote Session Environment
Start a Program on Connection

* I did the same for User Config also

The auto-starting application did not work until I added the computer (being logged onto) into the Security Filtering list of the group policy.
However, this is creating a problem, as even when Domain Administrator (which is not part of the group) logs on, the application is auto-started.

Any ideas will be appreciated,
Asked by: Rupert Eghardt (Programmer)

Shaun Vermaak (Technical Specialist/Developer) commented:
I would deploy that Program as a Start-Up shortcut (GPO Preferences) and use item level filtering to only apply/or not apply to a specific user group.

See shortcut part of this article

You can also use loopback processing on your policy and then use security filter to a group with apply policy permissions but I don't like that approach

Rupert Eghardt (Programmer, Author) commented:
Thank you Shaun,

We don't want to give users full access to RDP sessions, but only to the application running from the server.
The application uses files which are in a folder on the server.  Thus exe must run from the user session on the server.

Preferably as a user logs on the application should open, when the user logs out, the application should close.
Thus limiting the user only to this application.
This is working fine at the moment, except for the group part, as it is now also limiting an "open" RDP session for Administrator.

Shaun Vermaak (Technical Specialist/Developer) commented:
Please do the following:
Remove the computer settings and leave the user settings for Start a program on connection.
Ensure Authenticated Users have read rights to the GPO and your targeting group has Application Group Policy rights.
Test the user by adding to the group and first logging off and logging on to the client computer.

McKnife commented:
"Preferably as a user logs on the application should open, when the user logs out, the application should close. Thus limiting the user only to this application" - that sounds very much like what RemoteApps are designed for. You can assign an application to certain users so that the normal shell (the complete GUI) is exchanged for the RemoteApp.
Do you know that concept? Every Remote Desktop Host can host RemoteApps - it is easy to set up and a seamless experience.

Rupert Eghardt (Programmer, Author) commented:
Thanks Shaun,

"your targeting group has Application Group Policy rights"
Where do I allocate these rights?

Rupert Eghardt (Programmer, Author) commented:
Thanks McKnife,

I haven't tried setting up the RemoteApps as yet,
Although Remote Desktop Services have been installed, I don't see RemoteApps in Server Manager?
I checked under Roles and Features, but also don't see the option ...

Not sure if it will work with a 3rd party application, which runs from a Batch file?

McKnife commented:
Well, it's hard to help without even knowing the server OS. Yes, command line options can be passed to the RemoteApp.

Maybe the most simple solution would be to populate the common autostart with a batch that goes
rem Skip the commands below unless the logged-on user is in the group
net user %username% /domain | findstr /c:"groupname" || goto end
...your commands here...
:end

Shaun Vermaak (Technical Specialist/Developer) commented:
Sorry, meant Apply Group Policy rights

Rupert Eghardt (Programmer, Author) commented:
Thanks McKnife,

"your commands here" means the commands by which I call the application (batch file)?
Thus with the above suggested command lines, the RemoteApp is set up and ready to publish the application?

McKnife commented:
The batch lines themselves would go there - the contents of your original batch file. If not in that group, they are skipped (that is what my addition would do - check if in that group, if not, skip the commands).
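
The group check from the batch suggestion above, written against the logon token instead of `net user` output, as an added example that is not part of the original thread: `findstr /c:"groupname"` matches any output line containing that text and `net user` lists only direct memberships, while the token check compares SIDs and covers nested groups. `EXAMPLE\AppUsers`, `C:\ExampleApp\start.bat` and the function name `Test-TokenGroupMember` are placeholders chosen for illustration.

```powershell
# Added example, not from the thread. The default parameter values are placeholders.
param(
    [string]$GroupName = 'EXAMPLE\AppUsers',         # hypothetical DOMAIN\group
    [string]$AppPath   = 'C:\ExampleApp\start.bat'   # hypothetical batch file
)

function Test-TokenGroupMember {
    param([Parameter(Mandatory)][string]$Name)

    try {
        # Resolve the group name to its SID; comparing SIDs avoids substring
        # matches on similarly named groups.
        $account = New-Object System.Security.Principal.NTAccount($Name)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        # Fail closed: an unresolvable group means "not a member".
        Write-Warning "Could not resolve group '$Name': $($_.Exception.Message)"
        return $false
    }

    # The logon token carries every group SID granted at logon, including
    # groups reached through nesting.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole($sid)
}

if (Test-TokenGroupMember -Name $GroupName) {
    # Member: run the application's batch file and wait for it to finish.
    Start-Process -FilePath $AppPath -Wait
} else {
    # Non-member (for example a domain administrator): do nothing.
    Write-Verbose "$env:USERNAME is not in $GroupName; skipping application start"
}
```

Group changes show up in the token only after the user logs off and on again.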
Question has a verified solution.
