2008 Questions

[Rob]

I have a couple of questions:

1. I would like to set up an auto login link for terminal services. I have
an app that I want to run but have the server locked down so that only the
app can be run. I know I can set it up in TS Configuration but it prevents me
from logging in under my own credentials for admin purposes. Is there another
way I can set it up? I've also tried saving the credentials in the link but
it doesn't stick. I would love to use RemoteApp but it just isn't feasible at
this time.

2. When logging in with the restricted user, the various 2008 splash screens
come up. Is there a way to eliminate them?

 

[Vera Noest [MVP]]

Re: 2008 Questions

Define the application as the starting application in a Group
Policy, configure loopback processing of the GPO, and then make
sure that Administrators are not affected by the application, by
using security filtering.

User Computer Configuration - Administrative templates - Windows
Components - Terminal Services
"Start a program on connection"

Computer Configuration - Administrative Templates - System - Group
Policy
"User Group Policy loopback processing mode" - "Replace"

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

816100 - How To Prevent Domain Group Policies from Applying to
Administrator Accounts and Selected Users in Windows Server 2003
http://support.microsoft.com/?kbid=816100
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 28 apr
2008 in microsoft.public.windows.terminal_services:

> I have a couple of questions:
>
> 1. I would like to set up an auto login link for terminal
> services. I have an app that I want to run but have the server
> locked down so that only the app can be run. I know I can set it
> up in TS Configuration but it prevents me from logging in under
> my own credentials for admin purposes. Is there another way I
> can set it up? I've also tried saving the credentials in the
> link but it doesn't stick. I would love to use RemoteApp but it
> just isn't feasible at this time.
>
> 2. When logging in with the restricted user, the various 2008
> splash screens come up. Is there a way to eliminate them?

 

[Rob]

Re: 2008 Questions

Will this prevent the taskbar from showing? There are other potential apps
the users might be using and we want them to be able to see the taskbar.

"Vera Noest [MVP]" wrote:

> Define the application as the starting application in a Group
> Policy, configure loopback processing of the GPO, and then make
> sure that Administrators are not affected by the application, by
> using security filtering.
>
> User Computer Configuration - Administrative templates - Windows
> Components - Terminal Services
> "Start a program on connection"
>
> Computer Configuration - Administrative Templates - System - Group
> Policy
> "User Group Policy loopback processing mode" - "Replace"
>
> 231287 - Loopback Processing of Group Policy
> http://support.microsoft.com/?kbid=231287
>
> 816100 - How To Prevent Domain Group Policies from Applying to
> Administrator Accounts and Selected Users in Windows Server 2003
> http://support.microsoft.com/?kbid=816100
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 28 apr
> 2008 in microsoft.public.windows.terminal_services:
>
> > I have a couple of questions:
> >
> > 1. I would like to set up an auto login link for terminal
> > services. I have an app that I want to run but have the server
> > locked down so that only the app can be run. I know I can set it
> > up in TS Configuration but it prevents me from logging in under
> > my own credentials for admin purposes. Is there another way I
> > can set it up? I've also tried saving the credentials in the
> > link but it doesn't stick. I would love to use RemoteApp but it
> > just isn't feasible at this time.
> >
> > 2. When logging in with the restricted user, the various 2008
> > splash screens come up. Is there a way to eliminate them?
>

 

[Vera Noest [MVP]]

Re: 2008 Questions

No. You wrote that you wanted the ".. server locked down so that
only the app can be run".
If your users need to run more than a single application, you don't
define a starting application.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 28 apr
2008 in microsoft.public.windows.terminal_services:

> Will this prevent the taskbar from showing? There are other
> potential apps the users might be using and we want them to be
> able to see the taskbar.
>
> "Vera Noest [MVP]" wrote:
>
>> Define the application as the starting application in a Group
>> Policy, configure loopback processing of the GPO, and then make
>> sure that Administrators are not affected by the application,
>> by using security filtering.
>>
>> User Computer Configuration - Administrative templates -
>> Windows Components - Terminal Services
>> "Start a program on connection"
>>
>> Computer Configuration - Administrative Templates - System -
>> Group Policy
>> "User Group Policy loopback processing mode" - "Replace"
>>
>> 231287 - Loopback Processing of Group Policy
>> http://support.microsoft.com/?kbid=231287
>>
>> 816100 - How To Prevent Domain Group Policies from Applying to
>> Administrator Accounts and Selected Users in Windows Server
>> 2003 http://support.microsoft.com/?kbid=816100
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
>>
>> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 28
>> apr 2008 in microsoft.public.windows.terminal_services:
>>
>> > I have a couple of questions:
>> >
>> > 1. I would like to set up an auto login link for terminal
>> > services. I have an app that I want to run but have the
>> > server locked down so that only the app can be run. I know I
>> > can set it up in TS Configuration but it prevents me from
>> > logging in under my own credentials for admin purposes. Is
>> > there another way I can set it up? I've also tried saving the
>> > credentials in the link but it doesn't stick. I would love to
>> > use RemoteApp but it just isn't feasible at this time.
>> >
>> > 2. When logging in with the restricted user, the various 2008
>> > splash screens come up. Is there a way to eliminate them?

 

[Rob]

Re: 2008 Questions

Let me re-phrase. I want my terminal server locked down so users can't poke
around the server, surf the internet, that kind of thing. There are 3
different applications that they could run. I want users to auto login using
a specific user name but I want to be able to remote in as myself for
administration.

"Vera Noest [MVP]" wrote:

> No. You wrote that you wanted the ".. server locked down so that
> only the app can be run".
> If your users need to run more than a single application, you don't
> define a starting application.
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 28 apr
> 2008 in microsoft.public.windows.terminal_services:
>
> > Will this prevent the taskbar from showing? There are other
> > potential apps the users might be using and we want them to be
> > able to see the taskbar.
> >
> > "Vera Noest [MVP]" wrote:
> >
> >> Define the application as the starting application in a Group
> >> Policy, configure loopback processing of the GPO, and then make
> >> sure that Administrators are not affected by the application,
> >> by using security filtering.
> >>
> >> User Computer Configuration - Administrative templates -
> >> Windows Components - Terminal Services
> >> "Start a program on connection"
> >>
> >> Computer Configuration - Administrative Templates - System -
> >> Group Policy
> >> "User Group Policy loopback processing mode" - "Replace"
> >>
> >> 231287 - Loopback Processing of Group Policy
> >> http://support.microsoft.com/?kbid=231287
> >>
> >> 816100 - How To Prevent Domain Group Policies from Applying to
> >> Administrator Accounts and Selected Users in Windows Server
> >> 2003 http://support.microsoft.com/?kbid=816100
> >> _________________________________________________________
> >> Vera Noest
> >> MCSE, CCEA, Microsoft MVP - Terminal Server
> >> TS troubleshooting: http://ts.veranoest.net
> >> ___ please respond in newsgroup, NOT by private email ___
> >>
> >> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 28
> >> apr 2008 in microsoft.public.windows.terminal_services:
> >>
> >> > I have a couple of questions:
> >> >
> >> > 1. I would like to set up an auto login link for terminal
> >> > services. I have an app that I want to run but have the
> >> > server locked down so that only the app can be run. I know I
> >> > can set it up in TS Configuration but it prevents me from
> >> > logging in under my own credentials for admin purposes. Is
> >> > there another way I can set it up? I've also tried saving the
> >> > credentials in the link but it doesn't stick. I would love to
> >> > use RemoteApp but it just isn't feasible at this time.
> >> >
> >> > 2. When logging in with the restricted user, the various 2008
> >> > splash screens come up. Is there a way to eliminate them?
>

 

[Vera Noest [MVP]]

Re: 2008 Questions

OK, now I understand what you want.
I would strongly advice against using a single shared user account
for multiple users (=persons). You will encounter corruption of the
user profile, irratic changes in settings, printers, etc. Search
this newsgroup for "shared account" and you'll find a variety of
problems caused by such a setup.

And it's not going to give you any advantages either, assuming that
all users already have a personal unique user account in the
domain. You still have to use NTFS permissions and a restrictive
GPO to lock the server down, and that job is no different when
locking down for a single account or all user accounts in a
security group.

Here's a good starting point for locking down a TS:

Locking Down Windows Server 2003 Terminal Server Sessions
http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdo
wn.mspx

324036 - HOW TO: Use Software Restriction Policies in Windows
Server 2003
http://support.microsoft.com/?kbid=324036

and then use:

816100 - How To Prevent Domain Group Policies from Applying to
Administrator Accounts and Selected Users in Windows Server 2003
http://support.microsoft.com/?kbid=816100

to prevent locking down administrators.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 29 apr
2008 in microsoft.public.windows.terminal_services:

> Let me re-phrase. I want my terminal server locked down so users
> can't poke around the server, surf the internet, that kind of
> thing. There are 3 different applications that they could run. I
> want users to auto login using a specific user name but I want
> to be able to remote in as myself for administration.
>
> "Vera Noest [MVP]" wrote:
>
>> No. You wrote that you wanted the ".. server locked down so
>> that only the app can be run".
>> If your users need to run more than a single application, you
>> don't define a starting application.
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
>>
>> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 28
>> apr 2008 in microsoft.public.windows.terminal_services:
>>
>> > Will this prevent the taskbar from showing? There are other
>> > potential apps the users might be using and we want them to
>> > be able to see the taskbar.
>> >
>> > "Vera Noest [MVP]" wrote:
>> >
>> >> Define the application as the starting application in a
>> >> Group Policy, configure loopback processing of the GPO, and
>> >> then make sure that Administrators are not affected by the
>> >> application, by using security filtering.
>> >>
>> >> User Computer Configuration - Administrative templates -
>> >> Windows Components - Terminal Services
>> >> "Start a program on connection"
>> >>
>> >> Computer Configuration - Administrative Templates - System -
>> >> Group Policy
>> >> "User Group Policy loopback processing mode" - "Replace"
>> >>
>> >> 231287 - Loopback Processing of Group Policy
>> >> http://support.microsoft.com/?kbid=231287
>> >>
>> >> 816100 - How To Prevent Domain Group Policies from Applying
>> >> to Administrator Accounts and Selected Users in Windows
>> >> Server 2003 http://support.microsoft.com/?kbid=816100
>> >> _________________________________________________________
>> >> Vera Noest
>> >> MCSE, CCEA, Microsoft MVP - Terminal Server
>> >> TS troubleshooting: http://ts.veranoest.net
>> >> ___ please respond in newsgroup, NOT by private email ___
>> >>
>> >> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 28
>> >> apr 2008 in microsoft.public.windows.terminal_services:
>> >>
>> >> > I have a couple of questions:
>> >> >
>> >> > 1. I would like to set up an auto login link for terminal
>> >> > services. I have an app that I want to run but have the
>> >> > server locked down so that only the app can be run. I know
>> >> > I can set it up in TS Configuration but it prevents me
>> >> > from logging in under my own credentials for admin
>> >> > purposes. Is there another way I can set it up? I've also
>> >> > tried saving the credentials in the link but it doesn't
>> >> > stick. I would love to use RemoteApp but it just isn't
>> >> > feasible at this time.
>> >> >
>> >> > 2. When logging in with the restricted user, the various
>> >> > 2008 splash screens come up. Is there a way to eliminate
>> >> > them?

 

[Rob]

Re: 2008 Questions

I'm not worried about the user profile. I have it locked down to where you
click on teh start button and the only thing that shows is Log Off. I've
disabled the right-click feature. Nobody will be printing. We want the
single share user account because we don't want muliple profiles.

Our users are not tech savvy at all. We want the auto login so no one gets
confused or does anything they shouldn't.

"Vera Noest [MVP]" wrote:

> OK, now I understand what you want.
> I would strongly advice against using a single shared user account
> for multiple users (=persons). You will encounter corruption of the
> user profile, irratic changes in settings, printers, etc. Search
> this newsgroup for "shared account" and you'll find a variety of
> problems caused by such a setup.
>
> And it's not going to give you any advantages either, assuming that
> all users already have a personal unique user account in the
> domain. You still have to use NTFS permissions and a restrictive
> GPO to lock the server down, and that job is no different when
> locking down for a single account or all user accounts in a
> security group.
>
> Here's a good starting point for locking down a TS:
>
> Locking Down Windows Server 2003 Terminal Server Sessions
> http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdo
> wn.mspx
>
> 324036 - HOW TO: Use Software Restriction Policies in Windows
> Server 2003
> http://support.microsoft.com/?kbid=324036
>
> and then use:
>
> 816100 - How To Prevent Domain Group Policies from Applying to
> Administrator Accounts and Selected Users in Windows Server 2003
> http://support.microsoft.com/?kbid=816100
>
> to prevent locking down administrators.
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 29 apr
> 2008 in microsoft.public.windows.terminal_services:
>
> > Let me re-phrase. I want my terminal server locked down so users
> > can't poke around the server, surf the internet, that kind of
> > thing. There are 3 different applications that they could run. I
> > want users to auto login using a specific user name but I want
> > to be able to remote in as myself for administration.
> >
> > "Vera Noest [MVP]" wrote:
> >
> >> No. You wrote that you wanted the ".. server locked down so
> >> that only the app can be run".
> >> If your users need to run more than a single application, you
> >> don't define a starting application.
> >> _________________________________________________________
> >> Vera Noest
> >> MCSE, CCEA, Microsoft MVP - Terminal Server
> >> TS troubleshooting: http://ts.veranoest.net
> >> ___ please respond in newsgroup, NOT by private email ___
> >>
> >> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 28
> >> apr 2008 in microsoft.public.windows.terminal_services:
> >>
> >> > Will this prevent the taskbar from showing? There are other
> >> > potential apps the users might be using and we want them to
> >> > be able to see the taskbar.
> >> >
> >> > "Vera Noest [MVP]" wrote:
> >> >
> >> >> Define the application as the starting application in a
> >> >> Group Policy, configure loopback processing of the GPO, and
> >> >> then make sure that Administrators are not affected by the
> >> >> application, by using security filtering.
> >> >>
> >> >> User Computer Configuration - Administrative templates -
> >> >> Windows Components - Terminal Services
> >> >> "Start a program on connection"
> >> >>
> >> >> Computer Configuration - Administrative Templates - System -
> >> >> Group Policy
> >> >> "User Group Policy loopback processing mode" - "Replace"
> >> >>
> >> >> 231287 - Loopback Processing of Group Policy
> >> >> http://support.microsoft.com/?kbid=231287
> >> >>
> >> >> 816100 - How To Prevent Domain Group Policies from Applying
> >> >> to Administrator Accounts and Selected Users in Windows
> >> >> Server 2003 http://support.microsoft.com/?kbid=816100
> >> >> _________________________________________________________
> >> >> Vera Noest
> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server
> >> >> TS troubleshooting: http://ts.veranoest.net
> >> >> ___ please respond in newsgroup, NOT by private email ___
> >> >>
> >> >> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 28
> >> >> apr 2008 in microsoft.public.windows.terminal_services:
> >> >>
> >> >> > I have a couple of questions:
> >> >> >
> >> >> > 1. I would like to set up an auto login link for terminal
> >> >> > services. I have an app that I want to run but have the
> >> >> > server locked down so that only the app can be run. I know
> >> >> > I can set it up in TS Configuration but it prevents me
> >> >> > from logging in under my own credentials for admin
> >> >> > purposes. Is there another way I can set it up? I've also
> >> >> > tried saving the credentials in the link but it doesn't
> >> >> > stick. I would love to use RemoteApp but it just isn't
> >> >> > feasible at this time.
> >> >> >
> >> >> > 2. When logging in with the restricted user, the various
> >> >> > 2008 splash screens come up. Is there a way to eliminate
> >> >> > them?
>

 

[Vera Noest [MVP]]

Re: 2008 Questions

Nonetheless, the profile *will* be corrupted, unless you make it
read-only ( = mandatory).

I do not know of a method to enforce logon to the TS with a pre-
defined user account, other than in Terminal Services
Configuration. And that will apply to Administrators as well.


_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 29 apr
2008 in microsoft.public.windows.terminal_services:

> I'm not worried about the user profile. I have it locked down to
> where you click on teh start button and the only thing that
> shows is Log Off. I've disabled the right-click feature. Nobody
> will be printing. We want the single share user account because
> we don't want muliple profiles.
>
> Our users are not tech savvy at all. We want the auto login so
> no one gets confused or does anything they shouldn't.
>
> "Vera Noest [MVP]" wrote:
>
>> OK, now I understand what you want.
>> I would strongly advice against using a single shared user
>> account for multiple users (=persons). You will encounter
>> corruption of the user profile, irratic changes in settings,
>> printers, etc. Search this newsgroup for "shared account" and
>> you'll find a variety of problems caused by such a setup.
>>
>> And it's not going to give you any advantages either, assuming
>> that all users already have a personal unique user account in
>> the domain. You still have to use NTFS permissions and a
>> restrictive GPO to lock the server down, and that job is no
>> different when locking down for a single account or all user
>> accounts in a security group.
>>
>> Here's a good starting point for locking down a TS:
>>
>> Locking Down Windows Server 2003 Terminal Server Sessions
>> http://www.microsoft.com/windowsserver2003/techinfo/overview/loc
>> kdo wn.mspx
>>
>> 324036 - HOW TO: Use Software Restriction Policies in Windows
>> Server 2003
>> http://support.microsoft.com/?kbid=324036
>>
>> and then use:
>>
>> 816100 - How To Prevent Domain Group Policies from Applying to
>> Administrator Accounts and Selected Users in Windows Server
>> 2003 http://support.microsoft.com/?kbid=816100
>>
>> to prevent locking down administrators.
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
>>
>> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 29
>> apr 2008 in microsoft.public.windows.terminal_services:
>>
>> > Let me re-phrase. I want my terminal server locked down so
>> > users can't poke around the server, surf the internet, that
>> > kind of thing. There are 3 different applications that they
>> > could run. I want users to auto login using a specific user
>> > name but I want to be able to remote in as myself for
>> > administration.
>> >
>> > "Vera Noest [MVP]" wrote:
>> >
>> >> No. You wrote that you wanted the ".. server locked down so
>> >> that only the app can be run".
>> >> If your users need to run more than a single application,
>> >> you don't define a starting application.
>> >> _________________________________________________________
>> >> Vera Noest
>> >> MCSE, CCEA, Microsoft MVP - Terminal Server
>> >> TS troubleshooting: http://ts.veranoest.net
>> >> ___ please respond in newsgroup, NOT by private email ___
>> >>
>> >> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 28
>> >> apr 2008 in microsoft.public.windows.terminal_services:
>> >>
>> >> > Will this prevent the taskbar from showing? There are
>> >> > other potential apps the users might be using and we want
>> >> > them to be able to see the taskbar.
>> >> >
>> >> > "Vera Noest [MVP]" wrote:
>> >> >
>> >> >> Define the application as the starting application in a
>> >> >> Group Policy, configure loopback processing of the GPO,
>> >> >> and then make sure that Administrators are not affected
>> >> >> by the application, by using security filtering.
>> >> >>
>> >> >> User Computer Configuration - Administrative templates -
>> >> >> Windows Components - Terminal Services
>> >> >> "Start a program on connection"
>> >> >>
>> >> >> Computer Configuration - Administrative Templates -
>> >> >> System - Group Policy
>> >> >> "User Group Policy loopback processing mode" - "Replace"
>> >> >>
>> >> >> 231287 - Loopback Processing of Group Policy
>> >> >> http://support.microsoft.com/?kbid=231287
>> >> >>
>> >> >> 816100 - How To Prevent Domain Group Policies from
>> >> >> Applying to Administrator Accounts and Selected Users in
>> >> >> Windows Server 2003
>> >> >> http://support.microsoft.com/?kbid=816100
>> >> >> _________________________________________________________
>> >> >> Vera Noest
>> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server
>> >> >> TS troubleshooting: http://ts.veranoest.net
>> >> >> ___ please respond in newsgroup, NOT by private email ___
>> >> >>
>> >> >> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on
>> >> >> 28 apr 2008 in
>> >> >> microsoft.public.windows.terminal_services:
>> >> >>
>> >> >> > I have a couple of questions:
>> >> >> >
>> >> >> > 1. I would like to set up an auto login link for
>> >> >> > terminal services. I have an app that I want to run but
>> >> >> > have the server locked down so that only the app can be
>> >> >> > run. I know I can set it up in TS Configuration but it
>> >> >> > prevents me from logging in under my own credentials
>> >> >> > for admin purposes. Is there another way I can set it
>> >> >> > up? I've also tried saving the credentials in the link
>> >> >> > but it doesn't stick. I would love to use RemoteApp but
>> >> >> > it just isn't feasible at this time.
>> >> >> >
>> >> >> > 2. When logging in with the restricted user, the
>> >> >> > various 2008 splash screens come up. Is there a way to
>> >> >> > eliminate them?

 

[Rob]

Re: 2008 Questions

Rats!

Thanks for your help. I'll just have to figure something else out.

"Vera Noest [MVP]" wrote:

> Nonetheless, the profile *will* be corrupted, unless you make it
> read-only ( = mandatory).
>
> I do not know of a method to enforce logon to the TS with a pre-
> defined user account, other than in Terminal Services
> Configuration. And that will apply to Administrators as well.
>
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 29 apr
> 2008 in microsoft.public.windows.terminal_services:
>
> > I'm not worried about the user profile. I have it locked down to
> > where you click on teh start button and the only thing that
> > shows is Log Off. I've disabled the right-click feature. Nobody
> > will be printing. We want the single share user account because
> > we don't want muliple profiles.
> >
> > Our users are not tech savvy at all. We want the auto login so
> > no one gets confused or does anything they shouldn't.
> >
> > "Vera Noest [MVP]" wrote:
> >
> >> OK, now I understand what you want.
> >> I would strongly advice against using a single shared user
> >> account for multiple users (=persons). You will encounter
> >> corruption of the user profile, irratic changes in settings,
> >> printers, etc. Search this newsgroup for "shared account" and
> >> you'll find a variety of problems caused by such a setup.
> >>
> >> And it's not going to give you any advantages either, assuming
> >> that all users already have a personal unique user account in
> >> the domain. You still have to use NTFS permissions and a
> >> restrictive GPO to lock the server down, and that job is no
> >> different when locking down for a single account or all user
> >> accounts in a security group.
> >>
> >> Here's a good starting point for locking down a TS:
> >>
> >> Locking Down Windows Server 2003 Terminal Server Sessions
> >> http://www.microsoft.com/windowsserver2003/techinfo/overview/loc
> >> kdo wn.mspx
> >>
> >> 324036 - HOW TO: Use Software Restriction Policies in Windows
> >> Server 2003
> >> http://support.microsoft.com/?kbid=324036
> >>
> >> and then use:
> >>
> >> 816100 - How To Prevent Domain Group Policies from Applying to
> >> Administrator Accounts and Selected Users in Windows Server
> >> 2003 http://support.microsoft.com/?kbid=816100
> >>
> >> to prevent locking down administrators.
> >> _________________________________________________________
> >> Vera Noest
> >> MCSE, CCEA, Microsoft MVP - Terminal Server
> >> TS troubleshooting: http://ts.veranoest.net
> >> ___ please respond in newsgroup, NOT by private email ___
> >>
> >> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 29
> >> apr 2008 in microsoft.public.windows.terminal_services:
> >>
> >> > Let me re-phrase. I want my terminal server locked down so
> >> > users can't poke around the server, surf the internet, that
> >> > kind of thing. There are 3 different applications that they
> >> > could run. I want users to auto login using a specific user
> >> > name but I want to be able to remote in as myself for
> >> > administration.
> >> >
> >> > "Vera Noest [MVP]" wrote:
> >> >
> >> >> No. You wrote that you wanted the ".. server locked down so
> >> >> that only the app can be run".
> >> >> If your users need to run more than a single application,
> >> >> you don't define a starting application.
> >> >> _________________________________________________________
> >> >> Vera Noest
> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server
> >> >> TS troubleshooting: http://ts.veranoest.net
> >> >> ___ please respond in newsgroup, NOT by private email ___
> >> >>
> >> >> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on 28
> >> >> apr 2008 in microsoft.public.windows.terminal_services:
> >> >>
> >> >> > Will this prevent the taskbar from showing? There are
> >> >> > other potential apps the users might be using and we want
> >> >> > them to be able to see the taskbar.
> >> >> >
> >> >> > "Vera Noest [MVP]" wrote:
> >> >> >
> >> >> >> Define the application as the starting application in a
> >> >> >> Group Policy, configure loopback processing of the GPO,
> >> >> >> and then make sure that Administrators are not affected
> >> >> >> by the application, by using security filtering.
> >> >> >>
> >> >> >> User Computer Configuration - Administrative templates -
> >> >> >> Windows Components - Terminal Services
> >> >> >> "Start a program on connection"
> >> >> >>
> >> >> >> Computer Configuration - Administrative Templates -
> >> >> >> System - Group Policy
> >> >> >> "User Group Policy loopback processing mode" - "Replace"
> >> >> >>
> >> >> >> 231287 - Loopback Processing of Group Policy
> >> >> >> http://support.microsoft.com/?kbid=231287
> >> >> >>
> >> >> >> 816100 - How To Prevent Domain Group Policies from
> >> >> >> Applying to Administrator Accounts and Selected Users in
> >> >> >> Windows Server 2003
> >> >> >> http://support.microsoft.com/?kbid=816100
> >> >> >> _________________________________________________________
> >> >> >> Vera Noest
> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server
> >> >> >> TS troubleshooting: http://ts.veranoest.net
> >> >> >> ___ please respond in newsgroup, NOT by private email ___
> >> >> >>
> >> >> >> =?Utf-8?B?Um9i?= <Rob@discussions.microsoft.com> wrote on
> >> >> >> 28 apr 2008 in
> >> >> >> microsoft.public.windows.terminal_services:
> >> >> >>
> >> >> >> > I have a couple of questions:
> >> >> >> >
> >> >> >> > 1. I would like to set up an auto login link for
> >> >> >> > terminal services. I have an app that I want to run but
> >> >> >> > have the server locked down so that only the app can be
> >> >> >> > run. I know I can set it up in TS Configuration but it
> >> >> >> > prevents me from logging in under my own credentials
> >> >> >> > for admin purposes. Is there another way I can set it
> >> >> >> > up? I've also tried saving the credentials in the link
> >> >> >> > but it doesn't stick. I would love to use RemoteApp but
> >> >> >> > it just isn't feasible at this time.
> >> >> >> >
> >> >> >> > 2. When logging in with the restricted user, the
> >> >> >> > various 2008 splash screens come up. Is there a way to
> >> >> >> > eliminate them?
>