[2003] Locking down desktop?

[nospam@nospam.com]

Hello

I'm no Windows Server expect, and need to lock down the TS
desktop users see when connecting. This is actually a server that
prospects use to evaluate our application, and all users will use the
same login/password.

Basically, I'd like to only have a single icon on the desktop to
launch our app, and a single item in the Start menu that says
"Disconnect", to make sure users really close the session so that the
next user doesn't see a running session.

In addition, I'd like to run a batch file after a user has logged out,
so as to put pristine data back, in case the previous user has left
some identifying information.

According to Google, it looks like all this is done through the Group
Policy Editor (English translation mine), but there are so many
options in the Computer and User sections, that I don't know what to
do.

Could someone tell me how to get a bare TS desktop?

Thank you.

 

[Gilles Ganault]

Re: [2003] Locking down desktop?

On Sat, 28 Jun 2008 14:23:09 +0200, "nospam@nospam.com" <Gilles>
wrote:
>According to Google, it looks like all this is done through the Group
>Policy Editor (English translation mine), but there are so many
>options in the Computer and User sections, that I don't know what to
>do.

I could make changes using gpedit.msc, but how can set those for a
given user, and not affect other user?

Thank you.

 

[moncho]

Re: [2003] Locking down desktop?

Gilles Ganault wrote:
> On Sat, 28 Jun 2008 14:23:09 +0200, "nospam@nospam.com" <Gilles>
> wrote:
>> According to Google, it looks like all this is done through the Group
>> Policy Editor (English translation mine), but there are so many
>> options in the Computer and User sections, that I don't know what to
>> do.
>
> I could make changes using gpedit.msc, but how can set those for a
> given user, and not affect other user?
>
> Thank you.

You can try looking at http://www.sessioncomputing.com/security.htm
and see what will apply to your situation. In this document
there is a third party app to help you lock down TS.

I understand that your systems in a workgroup but you have MUCH
more flexibility if it was in an A/D.

moncho

 

[Gilles Ganault]

Re: [2003] Locking down desktop?

On Mon, 30 Jun 2008 08:07:12 -0400, moncho <moncho@NOspmanywhere.com>
wrote:
>I understand that your systems in a workgroup but you have MUCH
>more flexibility if it was in an A/D.

I know, but the Powers that be don't want this server to run AD. Don't
ask

What I really want, is that this user will just have a bare,
unmodifiable desktop where he can only click on a shortcut on the
desktop, and click on LogOff in the Start menu.

I could do this through the Group Policy Editor (gpedit.msc, through
its Computer/User sections), but those apply to all users, not just
this single TS user.

Thank you.

 

[Vera Noest [MVP]]

Re: [2003] Locking down desktop?

Gilles Ganault <nospam@nospam.com> wrote on 01 jul 2008 in
microsoft.public.windows.terminal_services:

> On Mon, 30 Jun 2008 08:07:12 -0400, moncho
> <moncho@NOspmanywhere.com> wrote:
>>I understand that your systems in a workgroup but you have MUCH
>>more flexibility if it was in an A/D.
>
> I know, but the Powers that be don't want this server to run AD.
> Don't ask
>
> What I really want, is that this user will just have a bare,
> unmodifiable desktop where he can only click on a shortcut on
> the desktop, and click on LogOff in the Start menu.
>
> I could do this through the Group Policy Editor (gpedit.msc,
> through its Computer/User sections), but those apply to all
> users, not just this single TS user.

That's one of the major draw-backs of a local policy, there is no
easy way to use security filtering.
There's a workaround, but be careful when implementing it, you can
easily lock yourself out of the system. Make sure you have a full
backup before using this method:

How can I lock down my standalone TS with a local policy without
locking down the Administrator account?
http://ts.veranoest.net/ts_faq_configuration.htm#local_policy

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___