Terminal Services. Restricted Desktop 1

Status
Not open for further replies.

TURNERMICH

Technical User
Apr 5, 2000
64
AU
I have a Win2000 Server set up with Terminal Services.
All users are able to log in correctly, and it works fine.

BUT................

I only need the users to run a single program (I have a shortcut on the Desktop).

I do not wish them to go to START and see all the programs, i.e. not even, say, Wordpad.
I also do not wish them to look at directories etc.

I.e. only run this program!!!

-----------
I have spent quite some time using Group Policies, Sharing etc., but cannot get the result I need.


Is there some way of doing this?

It's important I get this working,
would appreciate some help..!$##$%%^

Regards Turrnermich
 
This is the way I would do this.

Create a user group for the users you wish to restrict.
Open System Policy Editor (poledit.exe) and create a new group and a new computer. The group name should match the user group you just created and the computer name should match your terminal server. If your users have access to multiple terminal servers you will need to create multiple computers.

Expand the group and select "Windows NT Shell" and then "Custom Folders". Inside this container you will see that there are specific selections for the programs folder, desktop, startup folder etc. Now create the following directory structure:

%Systemroot%\custom
%Systemroot%\custom\programs
%Systemroot%\custom\programs\startup
%Systemroot%\custom\desktop

These will become mandatory profile directories for each group member. When we are done, users in the policy group will only see the shortcuts you define here.

Back in policy editor, select "Custom Start menu folder", enable it and match the folder path to the path you just created.
Complete this for Desktop and, importantly, Startup too. (If you don't do Startup it doesn't work, even if it exists below the Start menu folder.)

Next, scroll down to the "Restrictions" container below "Custom Folders" and check "Remove common program groups from Start menu". This will hide menu items that exist in the All Users profile without you having to cannibalise it.

Save the policy now as C:\Policy\NTConfig.pol
Ensure that admins, domain admins and system have "full control" permissions to the directory and give everyone "read and execute" permissions. Don't close the policy yet; there is more to change.

Expand each computer container and select "Network", then "System Policies update", then "Remote update".

Check the box, select manual update and point the update to the policy file you just saved.

Save the policy

Select "File" "Open Registry"

Expand the Local Computer, expand "Network" and expand "System policies update", and match the settings you just made to the terminal server computer object. This forces the local machine to pull its policy from the file you created. Unless you make changes to the default user profile, the policy will only affect the groups/users that you have specified; all others will remain normal. IT IS IMPORTANT NOT TO REMOVE THE DEFAULT USER OR DEFAULT COMPUTER ITEMS FROM YOUR POLICY.

There are other useful settings you may want to explore, such as hiding My Computer contents so users can't browse to programs, disabling find/search, removing Control Panel etc. One final thing: every time you make a policy change you will need to either reboot (not practical when you have fifty plus users on the system) or open the registry in poledit, browse down through Network\System policy update\Remote update and click into the file path. When you OK this, it forces a reload of the policy into the registry and prevents the need to reboot. Save the registry and exit poledit and you're all done.

That should give you the idea of how to do things. If you need me to clarify anything, just reply.
Cheers
Chris
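
The folder and permission steps from the reply above, scripted as a batch file; this is an added example, not part of the original posts. The group name TSRestricted and the shortcut path C:\Install\OurApp.lnk are hypothetical, and the read-only ACL on the custom folders is an added assumption that the post does not state.

```batch
@echo off
rem Added example, not from the original thread. Run on the terminal server
rem as an administrator before configuring poledit.
rem ASSUMPTIONS (hypothetical values): restricted group "TSRestricted",
rem shortcut source "C:\Install\OurApp.lnk". Adjust both to your site.
setlocal
set CUSTOM=%SystemRoot%\custom
set POLDIR=C:\Policy
set GROUP=TSRestricted
set SHORTCUT=C:\Install\OurApp.lnk

rem 1. Folder structure named in the post, plus the policy directory.
for %%D in ("%CUSTOM%" "%CUSTOM%\programs" "%CUSTOM%\programs\startup" "%CUSTOM%\desktop" "%POLDIR%") do (
    if not exist %%D mkdir %%D
)

rem 2. The single shortcut the restricted users should see on the desktop.
if exist "%SHORTCUT%" (copy /y "%SHORTCUT%" "%CUSTOM%\desktop\" >nul) else (echo WARNING: %SHORTCUT% not found)

rem 3. Permissions from the post for the policy directory: full control for
rem    admins, domain admins and system, read for everyone. cacls R is the
rem    closest right to "read and execute". /G without /E replaces the ACL;
rem    "echo y" answers the confirmation prompt. "Domain Admins" only
rem    resolves on a domain member.
echo y| cacls "%POLDIR%" /T /G Administrators:F "Domain Admins":F SYSTEM:F Everyone:R

rem 4. ASSUMPTION, not stated in the post: make the custom folders read-only
rem    for the restricted group so users cannot add their own shortcuts.
echo y| cacls "%CUSTOM%" /T /G Administrators:F SYSTEM:F %GROUP%:R

rem 5. Show the result for review.
echo --- ACL on %POLDIR% ---
cacls "%POLDIR%"
echo --- ACL on %CUSTOM% ---
cacls "%CUSTOM%"
echo --- Contents users will see ---
dir /s /b "%CUSTOM%"
endlocal
```

Save NTConfig.pol into C:\Policy from poledit afterwards; files created there later inherit the directory ACL.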
 
Chris.
Thanks very much for your detailed help.
I will give it a go today.

Appreciate the time you have given in assisting

Regards Michael
 
If you are using Terminal Services Client, you can give in the properties of the client session (Client Connection Manager) the program that must run when opening this session. No other program/icon/... will be shown, and when closing down the program the session will also terminate.
KR

Stanja
 