We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you a podcast all about Citrix Workspace, moving to the cloud, and analytics & intelligence. Episode 2 coming soon!Listen Now

x

Windows Server 2016 - Cannot start a program automatically when logging in via Remote Desktop RDP. HELP!

High Priority
29 Views
Last Modified: 2020-05-16
We have a Windows 2016 Server Standard. We have installed Remote Desktop Services on that server. Server is not connected to a domain.
We are trying to get remote users to login and have access to a single program without having access to the desktop.
In past versions (Windows 2012 and previous versions) we were able to add the program using the user properties > Environment > Starting Program option which works great.
However in this version of Windows, it does not work.
If I force the program in Group Policy Editor it works however we do not want every user to open the same programs automatically.

Has anyone had this issue and how can we resolve it?
Comment
Watch Question

CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Without being domain joined, I recommend to use Kim Knight's free tool RaWeb:  http://www.kimknight.net/raweb
That would allow users to visit a website and start applications from there.
Paul MacDonaldDirector, Information Systems
CERTIFIED EXPERT

Commented:
If you create a hidden share (the share name has a dollar sign ($) at the end of it), and set permissions to "Everyone, Read", anyone should be able to run the application from the share, but no one should be able to find the share by accident.

Author

Commented:
Thanks for the feedback. However each user opens their own application located on their user account and we need to make sure that users can open the application and nothing else and not have access to desktop.
when they log in app opens and when they close the app, the connection logs them off.
This works perfectly in previous versions of Windows Server but doesn’t seem to work in 2016... I suspect there’s some registry tweak to enable it.
Paul MacDonaldDirector, Information Systems
CERTIFIED EXPERT

Commented:
" each user opens their own application located on their user account"
I presume you mean each user has a shortcut to the application.  That wouldn't have to change under my suggestion.

Alternately - since the GPO route works for you - you could create a Group in AD, add the people who need this application to that Group, then give that Group permissions to have that GPO apply to them.  Then they'll be the only users with that GPO.

Author

Commented:
Hi Paul,
To be more specific, it’s an MS Access Application connected to SQL Server backend.
Each user has the Front End App located on their User account. not a shortcut.
And your solutions will allow users access to the desktop which is what we want to avoid.
we’ve been using this option since Windows 2003 and worked fine for our clients. Now, the option is there to start exclusively an application of our choice but when we connect it just goes to the desktop.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Not many applications will be startable from a shared folder.

Ok, since you seem to see security problems: be aware that the way you used to do it wasn't secure. At least not in your terms, since any application with an Open-File-Interface would have allowed to "break out".
If you want it perfectly locked down, combine my suggestion with Applocker.

Author

Commented:
Hi McKnife,
Thanks for your suggestion but the application our customers use have modules designed for automatic printer redirection, remote access to devices like webcam and uses RDP to transfer files.
it would take an extensive revamp of the app to make it work in a web environment.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
You misunderstood what I offer. That is no web environment, nor will you have to change the app. It's a remoteapp, offered on an intranet site.
Paul MacDonaldDirector, Information Systems
CERTIFIED EXPERT

Commented:
" Remoteapp"
I think this is what's going on, too.  Sorry it took me so long to realize it!

Author

Commented:
Is this a Windows 2016 issue?
all other previous Windows Server OS worked perfectly.
CERTIFIED EXPERT

Commented:
can you try Programs Tab in the RDP client?
also you could set the
alternate shell:s:value
in a RDP file, to specify the program to use a shell instead of explorer, that would effectively close the connection upon closing the app

Author

Commented:
Hi Arana,

it would be an option but then the client can modify it or make changes. not very secure.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
I find it hard to help you at the moment.
You have not yet described what you configured in order to start a specific program without going to the desktop.
My alternative is also ignored by you although you'd be able to set it up in 10 minutes.
And lastly, when I told you "be aware that the way you used to do it wasn't secure. At least not in your terms, since any application with an Open-File-Interface would have allowed to "break out".", you didn't even care to comment on that.
Hi McKnife,

Before answering I wanted to take the time to look at your proposed solution. Although it does have merit, it is an alternate solution do what my problem is. I am looking to have a feature that was working before in MS Windows Server OSs and that doesn't work anymore in 2016.

After much searching I figured out a way to get it working. Using GPO, I created Group Policies for Non Administrators and under Remote Desktop Environment > Start a Program I entered the path of the program to run.

Because each user opens their own application, I also created Environment Variables that could be used to point to the location for each user.

As for "security", the RD is only accessible via VPN and we use RDS-Knight to protect from RDP protocol shortcomings. If there is something I'm missing, please let me know.

Cheers

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
" I am looking to have a feature that was working before in MS Windows Server OSs and that doesn't work anymore in 2016 " - ...and I tried to convince you not to use this feature anymore, because it allows access to the desktop after all, which is want you want to avoid.
Please verify it. Logon via RDP. Now press together CTRL ALT and End / it will bring up the selection to open for example task manager. WIthin task manager, the user may start programs like explorer.exe and the normal desktop will become visible as soon as explorer.exe is running. You could of course disallow the usage of task manager, but there is more trouble ahead: if you program, like most programs, has an open/save dialogue, that may be abused as well to navigate through the file system and start whatever program one likes to start - including explorer.exe, bringing up the desktop again.

So my suggestion should be considered: use applocker. Why I wanted to make you aware of remote apps (RAWeb): it is very convenient to work that way, since it allows seamless usage of remote apps. It's not a clumsy full window (NOT resizable in-session!), but an experience as with any other local app.
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.