Re: Restrict to 1 program
No, I would *not* apply the policy to the whole domain.
Create a separate OU, called something like TermServers, move the
Terminal Server computer account in this OU and link the policy to
this OU.
Then follow the steps from my first post.
You have to make it a User Configuration setting, because you
cannot filter Computer Configuration settings by user group. Those
settings are applied to the TS, irrespective of who logs on, at
boot time of the server.
And because it is a User setting, you *must* use loopbnack
processing.
The effect of loopback processing isn't so hard to understand.
With normal policy processing, when a user logs on to a computer
(workstation, or TS), 2 policies are applied: the Computer
Configuration settings from the GPO linked to OU where the computer
is located and the User Configuration settings from the OU where
the user account is located.
So without loopback processing, you would have to define the
starting application in a GPO linked to the Users OU. But then it
would attempt to start even when they logon to the workstation, and
failing to do that, they would be logged off again.
To change this normal way of policy processing, you use the
loopback setting. It simply tells the system to apply both the
Computer and the User Configuration settings from the GPO which is
linked to the OU which contains the computer account (the TS
account), irrespective of where the user account is located. That's
the only way to make sure that the GPO is applied to all users of
the TS, and *only* when they logon to the TS.
When you are in the GPeditor, don't forget to check the "Explian"
tab for every setting that you would like to configure. It contains
very useful information about what happens when you configure a
setting.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting:
http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
"Joe Letter" <nojunk@nojunk.com> wrote on 09 jan 2008 in
microsoft.public.windows.terminal_services:
> Vera,
> Thanks for being patient with me. I've spent sometime
> researching
> gpo's and am getting to understand them better. Thanks for the
> info.
>
> So, now my question is : Can I create the policy, apply
> it to the
> entire domain, set the filtering to
> include termserver and authenticated users, then under
> delegation check deny for apply policy for domain admins? Do I
> need to set the policy change in the computer configuration or
> the user configuration, or both? When do I know to set it in
> computer or user? Can I just set it in both if I am in doubt?
> I know you mentioned loopbacking in the first email to me.. that
> concept is still foreign at this point to me.. can I get around
> using it?
>
> Thanks!
> Joe.
>
>
>
> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote
> in message
> news:Xns9A1EDB4A77433veranoesthemutforsse@207.46.248.16...
>> No, you can't apply GPOs to the local policy.
>> You can link a GPO to a site, or a domain, or an OU, and it
>> will be applied to the objects in that site, domain, or OU (in
>> that order). GPOs defined this way will always override the
>> local policy (which comes last in the hierarchy). So the local
>> policy settings will only be effective in the absence of a GPO
>> (or a setting of "Undefined" in the GPO).
>>
>> Yes, you can connect with mstsc / console and the initial
>> program will not run. Just tested with notepad.exe as initial
>> program defined in the Environment tab of tscc.msc, and it
>> doesn't run in the console session, but does in all normal
>> sessions.
>>
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
>>
>> "Joe Letter" <nojunk@nojunk.com> wrote on 07 jan 2008 in
>> microsoft.public.windows.terminal_services:
>>
>>> Vera,
>>> Wow, great . Thanks for the info. I will look into
>>> learning more
>>> about gpo's. I think I read somewhere on my last google
>>> search that you can just apply a gpo to the local security
>>> policy on a ts server... I might look back at that. Thanks
>>> again for all the advice.
>>>
>>> If I were to try to change these setting remotely (gpo changes
>>> maybe too) and I lock myself out, I can always do a mstsc
>>> -v:servername /console to get in right?
>>>
>>> Thanks a ton!
>>> -Joe.
>>>
>>>
>>> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se>
>>> wrote in message
>>> news:Xns9A1BE08D3752Averanoesthemutforsse@207.46.248.16...
>>>> 1. Yes.
>>>> 2. Depends on to which OU you link the GPO. You would link
>>>> this GPO to the OU which contains the TS account, so that it
>>>> would only apply to the TS. But let's forget about GPOs for
>>>> now. 3. Sure. On the Terminal Server, go to Start menu -
>>>> Administrative tools - Terminal Server Configuration -
>>>> double-click rdp-tcp connection - it's in one of the tabs
>>>> there, I believe it's called session settings, but can't
>>>> check at the moment. The disadvantage with doing it on the
>>>> server itself is that it will apply to everyone, and that
>>>> includes Administrators. With GPO's you can use security
>>>> filtering to only apply such settings to specific user
>>>> groups. The only way for you as Administrator to connect to
>>>> the server and not run the starting application is when you
>>>> connect to the console session, with mstc 7console. But that
>>>> leaves you with just one session. If that gets disconnected
>>>> and you can't reconnect, you're out of luck. 4. Try to find
>>>> some time to read up on GPO's! It will save you time in the
>>>> long run, and you will be able to do things that you can't do
>>>> properly in any other way.
>>>> _________________________________________________________
>>>> Vera Noest
>>>> MCSE, CCEA, Microsoft MVP - Terminal Server
>>>> TS troubleshooting: http://ts.veranoest.net
>>>> ___ please respond in newsgroup, NOT by private email ___
>>>>
>>>> "Joe Letter" <nojunk@nojunk.com> wrote on 04 jan 2008 in
>>>> microsoft.public.windows.terminal_services:
>>>>
>>>>> Thanks for your help.
>>>>>
>>>>> I have a few followup questions:
>>>>>
>>>>> 1. Will this have the affect of only 1 program opening and
>>>>> ts automatically quitting if they close that app?
>>>>> 2. will this apply to the domain or just the one server? I
>>>>> would want it to apply to just the one server.
>>>>> 3. If I didn't want to use a group policy, is there another
>>>>> way?
>>>>> I just am not very familiar with GP's
>>>>>
>>>>> Thanks again a million,
>>>>> joe
>>>>>
>>>>>
>>>>> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se>
>>>>> wrote in message
>>>>> news:Xns9A1592839F598veranoesthemutforsse@207.46.248.16...
>>>>>> You can define the Starting Application in several ways.
>>>>>> Easiest is to do this in a Group Policy. You'll find the
>>>>>> setting here:
>>>>>>
>>>>>> User Configuration - Administrative templates - Windows
>>>>>> Components - Terminal Services
>>>>>> "Start a program on connection"
>>>>>>
>>>>>> Since this is a User Configuration setting, you'll also
>>>>>> need to configure loopback processing of the GPO:
>>>>>>
>>>>>> Computer Configuration - Administrative Templates - System
>>>>>> - Group Policy
>>>>>> "User Group Policy loopback processing mode" - "Replace"
>>>>>>
>>>>>> And then use security filtering of the GPO to make sure
>>>>>> that it doesn't apply to Administrators:
>>>>>>
>>>>>> 816100 - How To Prevent Domain Group Policies from Applying
>>>>>> to Administrator Accounts and Selected Users in Windows
>>>>>> Server 2003 http://support.microsoft.com/?kbid=816100
>>>>>> _________________________________________________________
>>>>>> Vera Noest
>>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server
>>>>>> TS troubleshooting: http://ts.veranoest.net
>>>>>> ___ please respond in newsgroup, NOT by private email ___
>>>>>>
>>>>>> "Joe Letter" <nojunk@nojunk.com> wrote on 29 dec 2007 in
>>>>>> microsoft.public.windows.terminal_services:
>>>>>>
>>>>>>> Hello,
>>>>>>> I have a win2k3 server setup as a terminal
>>>>>>> server. I have one
>>>>>>> application I would like the users to have access to.
>>>>>>> I've heard that it is possible to restrict TS so that an
>>>>>>> application starts automatically when the users login.
>>>>>>> They only have access to that program during the session
>>>>>>> and if they close the program, the TS session ends.
>>>>>>> How can this be done? Is there something step-by-step I
>>>>>>> could follow? Also, how can the be done so that I can
>>>>>>> still login remotely with the admin account and not have
>>>>>>> this restriction on my account.
>>>>>>>
>>>>>>>
>>>>>>> Thanks much!
>>>>>>> Joe. 