RDP and run only one application

Rojosho used Ask the Experts™
We have a need to use the Windows 7 RDP feature to allow one of our field managers to remote into one of our production PCs to use  only one of the applications.
> We only want to allow access to the "one" app.
> The Production PC is running Windows 7 Pro/64 bit SP1.

I have attempted to use "gpedit.msc" to set the "Remote Session Environment"  (Currently I am testing with the "Notepad.exe" program)
> The full path to the gpedit setting is: User Configuration => Administrative Templates => Remote Desktop Services => Remote Desktop Session Host => Remote Session Environment
> When testing if Notepad comes up when I RDP into the box = Fails, acts as if nothing was changed.
> I also noted that when attempting the set the "session disconnected" and 'idle session" limits, these did not work either.

I played around with the "gpedit - Computer Configuration" and the registray "Terminal Services" setting, only to lock up my test PC and having to re-install Windows 7 to recover.

I know there must be a way to do this and it appars that something within Windows 7 Pro that is preventing this from working...

Could use some suggestions here, anyone done this before, or have any input?

Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

You can use gpedit.msc as before, but then use Computer Configuration > Windows Settings > Security Settings  > Software Restriction Policy

Security Levels > Disallowed.as default
Additional rule > New Path Rule > Point to the only executable allowed, set to Unrestricted.
Because this is quite restrictive, you can't even administer this PC anymore as admin, so with Enforcement, set the middle section to All Users except Local administrators.

Please reboot to have the rules work.
RojoshoRTCC-III Level-2 Support



Thank you for your input.  I had attempted similar changes, and as noted, I "locked" myself out and had to  reinstall the OS - Which is OK for my test PC, but will not do for our production unit.

In reading more internet content, it appears that between Windows XP and Windows 7, something changed and made a pretty straight forward process become either very complicated or difficult to use.

Hopefully there is a way to have both worlds... Restricted RDP use AND ability to admin the PC.

Again thank you,


As I said, if you follow my steps, you will have the result you need. Please note a reinstall of the OS is NOT necessary.
A simple system restore point is more than enough. If you don't trust that, just have a bootable CD/DVD/USB ready loaded with your fav imaging tool (Paragon, TrueImage etc). Make a full sytem image before you start. If something doesn't go correctly as you wish, restore the image.
John TsioumprisSoftware & Systems Engineer

There is always the option of using RemoteApp fir this single application while making RDP inaccessible..(logoff)
Distinguished Expert 2018

Rojosho, the GPO description suggests, that you need to type the full path to the executable, do that.

Could you please add, why you want this?

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial