Deny access to TS desktop

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I need to block users from accessing the actual TS desktop. I have created
an RDP shortcut to run the only application they need. However, they can
edit the shortcut and end up seeing the server desktop. I realize I can
'lock down' the desktop environment, but they can still see more than I want
them to.

How can I deny them access to the desktop period? Thanks.
 
You can configure the user account to only launch the specific applikation.
Check the environment tab in Active Directory Users and Computer.

Rickard
 
Doing this won't prevent someone from spawning explorer.exe in other ways,
i.e. Ctrl+Alt+End -> Task Manager -> File -> New Task(Run...), although it is
a decent security measure to take for a user that only needs one application.

Other things you can do to lock down the machine are to use Software
Restriction Policies and other rescrictive policy settings via GPO and lock
down the server with strict NTFS permission sets.

http://www.workthin.com/tshta.htm

Patrick Rouse
Microsoft MVP - Terminal Server
http://www.workthin.com
 
New wrinkle in this. I just found out that the user needs access to 3
applications in the same subfolder on the TS. Is there a way to still use
the Environment tab and give them access to all 3 apps?
 
The environment tab is purely asthetic, so this should not be used at your
security plan to prevent users from intentionally/unintentionally harming
your TS.

You have two options:

1. Lock down the desktop with GPO, NTFS or 3rd party program to limit users
to what you want them to be able to execute.

2. Lock down the desktop with GPO, NTFS + application publishing program
like Citrix MetaFrame, WTSPortal, Remote Application Center 2.0 (free),
Tarantella SGD, Jetro...

A fairly extensive list of 3rd party add-ons here:
http://www.workthin.com/tsao.htm

Patrick Rouse
Microsoft MVP - Terminal Server
http://www.workthin.com
 
Back
Top