RDP and run only one application

E-E,
We have a need to use the Windows 7 RDP feature to allow one of our field managers to remote into one of our production PCs to use only one of the applications.
> We only want to allow access to the "one" app.
> The Production PC is running Windows 7 Pro/64 bit SP1.

I have attempted to use "gpedit.msc" to set the "Remote Session Environment"  (Currently I am testing with the "Notepad.exe" program)
> The full path to the gpedit setting is: User Configuration => Administrative Templates => Remote Desktop Services => Remote Desktop Session Host => Remote Session Environment
> When testing if Notepad comes up when I RDP into the box = Fails, acts as if nothing was changed.
> I also noted that when attempting to set the "session disconnected" and "idle session" limits, these did not work either.

I played around with the "gpedit - Computer Configuration" and the registry "Terminal Services" setting, only to lock up my test PC and have to re-install Windows 7 to recover.

I know there must be a way to do this and it appears that something within Windows 7 Pro is preventing this from working...

Could use some suggestions here, anyone done this before, or have any input?

Rojosho.
Asked by: Rojosho (RTCC-III Level-2 Support)
Kimputer (IT Manager) commented:
You can use gpedit.msc as before, but then use Computer Configuration > Windows Settings > Security Settings > Software Restriction Policy

Security Levels > Disallowed as default
Additional rule > New Path Rule > Point to the only executable allowed, set to Unrestricted.
Because this is quite restrictive, you can't even administer this PC anymore as admin, so with Enforcement, set the middle section to All Users except Local administrators.

Please reboot to have the rules work.
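
A read-only check that can be run from an elevated PowerShell prompt before the reboot, to confirm the policy is scoped so that administrators are not locked out. This is an added example, not part of the original thread; it assumes the local policy is stored under the standard SRP registry key shown in the code, and the function name `Get-SrpSummary` is hypothetical.

```powershell
# Added example: read-only audit of the local Software Restriction Policy (SRP).
# Assumption: the policy lives under the standard SRP key below.
$base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levels = @{ 0 = 'Disallowed'; 262144 = 'Unrestricted' }   # SRP security level IDs

function Get-SrpSummary {
    if (-not (Test-Path $base)) { return $null }            # no SRP defined
    $p = Get-ItemProperty -Path $base

    # Path rules are stored under <level>\Paths\{GUID}, in the ItemData value
    $rules = @()
    foreach ($id in $levels.Keys) {
        $pathsKey = "$base\$id\Paths"
        if (Test-Path $pathsKey) {
            foreach ($k in Get-ChildItem $pathsKey) {
                $rules += New-Object PSObject -Property @{
                    Level = $levels[$id]
                    Path  = (Get-ItemProperty -Path $k.PSPath).ItemData
                }
            }
        }
    }

    New-Object PSObject -Property @{
        DefaultLevel = $p.DefaultLevel           # 0 = Disallowed, 262144 = Unrestricted
        ExemptAdmins = ($p.PolicyScope -eq 1)    # 1 = all users except local administrators
        Rules        = $rules
    }
}

$srp = Get-SrpSummary
if ($null -eq $srp) {
    Write-Output 'No Software Restriction Policy is defined on this machine.'
} else {
    $srp.Rules | Sort-Object Level, Path | Format-Table Level, Path -AutoSize
    $allowed = @($srp.Rules | Where-Object { $_.Level -eq 'Unrestricted' })
    if ($srp.DefaultLevel -eq 0) {
        Write-Output 'Default level: Disallowed'
        if (-not $srp.ExemptAdmins) {
            Write-Warning 'Enforcement also applies to local administrators; change it to "All users except local administrators" before rebooting.'
        }
        if ($allowed.Count -eq 0) {
            Write-Warning 'No Unrestricted path rule found; nothing would be allowed to run.'
        }
    } else {
        Write-Output "Default level value: $($srp.DefaultLevel) (not Disallowed)"
    }
}
```

The script only reads the registry, so it can be run on the production PC without changing the policy.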
Rojosho (RTCC-III Level-2 Support), author, commented:
Kimputer,

Thank you for your input. I had attempted similar changes, and as noted, I "locked" myself out and had to reinstall the OS - which is OK for my test PC, but will not do for our production unit.

In reading more internet content, it appears that between Windows XP and Windows 7, something changed and made a pretty straightforward process become either very complicated or difficult to use.

Hopefully there is a way to have both worlds... Restricted RDP use AND ability to admin the PC.

Again thank you,

Rojosho
Kimputer (IT Manager) commented:
As I said, if you follow my steps, you will have the result you need. Please note a reinstall of the OS is NOT necessary.
A simple system restore point is more than enough. If you don't trust that, just have a bootable CD/DVD/USB ready loaded with your fav imaging tool (Paragon, TrueImage etc). Make a full system image before you start. If something doesn't go correctly as you wish, restore the image.
John Tsioumpris (Software & Systems Engineer) commented:
There is always the option of using RemoteApp for this single application while making RDP inaccessible... (logoff)
McKnife commented:
Rojosho, the GPO description suggests that you need to type the full path to the executable, do that.

Could you please add why you want this?