The only way I can think of is to modify the user's shell property in the registry. It is set to explorer normally, but it is possible to make it whatever you want - but I have never tried to do it through terminal server or using group policy, let alone both. Also I have not seen this done except for Local Machine - not per user... I will see what I can dig up...

Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456



Charlie Kaiser <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
11/04/2003 09:14 PM
Please respond to ActiveDir

To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
cc:
Subject: RE: [ActiveDir] GP and TS lockdown

Hi Deji. I'm not sure I'm following you here.
TS is installed in application mode. When a non-admin user logs on, they get a desktop with only the app shortcut on it. Never having worked with TS before, I haven't figured out how to have just the application run instead of the desktop. Tried using CCM to create a connection and run the app, but it still gave me a desktop.
I tried denying logon locally rights to the test user and that account couldn't connect at all. Nothing I've read shows me that I can run just an app instead of a windowed desktop (as in citrix).
The app ties to a SQL instance and requires SQL client connectivity, and we don't want to make those connections across WAN links from the client PCs. So the app runs on the TS box local to the SQL box. If you've got a way that will allow me to run (on the TS) just the app at the client without a desktop session, I'd love to use it. Enlighten me... :-)
 

**********************
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 985 0975 x5083
**********************
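Charlie's question above (how to hand the user just the application rather than a desktop), Deji's "configure TS to auto-launch the specific application" and Michael's per-user shell idea in the top reply all map onto the same three settings, shown here as an added PowerShell example that is not from the thread. The posters were on Windows 2000/2003; the GroupPolicy module cmdlets need Windows Server 2008 R2 or later (or RSAT), but the registry values and the ADSI attributes are the ones the Windows 2000/2003 GUIs wrote. The GPO name "TS Lockdown", the user DN, and the path C:\Apps\LobApp\LobApp.exe are placeholders.

```powershell
# Added example (not from the thread).  Assumes a GPO named "TS Lockdown" linked to the
# termservers OU, a test user "tsuser", and a line-of-business app at
# C:\Apps\LobApp\LobApp.exe; all three names are placeholders.
Import-Module GroupPolicy   # Windows Server 2008 R2+ / RSAT

$App     = 'C:\Apps\LobApp\LobApp.exe'
$WorkDir = 'C:\Apps\LobApp'
$Gpo     = 'TS Lockdown'
$TsPol   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$UiPol   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# 1. Terminal Services "Start a program on connection" (machine-side policy).
#    Every RDP session on a machine the GPO applies to starts $App instead of
#    Explorer; when $App exits the session is logged off.
Set-GPRegistryValue -Name $Gpo -Key $TsPol -ValueName 'InitialProgram' -Type String -Value $App     | Out-Null
Set-GPRegistryValue -Name $Gpo -Key $TsPol -ValueName 'WorkDirectory'  -Type String -Value $WorkDir | Out-Null

# 2. The per-user variant Michael describes: replace the shell only for users
#    the GPO applies to (User Configuration > System > "Custom user interface").
#    This lands in the user's Policies\System\Shell value, not the machine-wide
#    Winlogon\Shell, so admins filtered out of the GPO still get Explorer.
Set-GPRegistryValue -Name $Gpo -Key $UiPol -ValueName 'Shell' -Type String -Value $App | Out-Null

# 3. Per-account alternative with no GPO: the "Starting program" fields on the
#    user's Environment tab in AD Users and Computers, written through the
#    IADsTSUserEx ADSI interface (works against a 2000/2003 domain).
$user = [ADSI]'LDAP://CN=tsuser,OU=TS Users,DC=example,DC=com'   # placeholder DN
$user.psbase.InvokeSet('TerminalServicesInitialProgram', $App)
$user.psbase.InvokeSet('TerminalServicesWorkDirectory',  $WorkDir)
$user.SetInfo()

# Read back what the GPO now carries so the change can be checked before linking.
Get-GPRegistryValue -Name $Gpo -Key $TsPol | Select-Object ValueName, Value
Get-GPRegistryValue -Name $Gpo -Key $UiPol | Select-Object ValueName, Value
```

Use one of the three, not all of them: step 1 is the machine policy and is meant to take precedence over the per-user settings, step 2 is the closest to Michael's registry suggestion but done per user through policy, and step 3 touches nothing on the TS box at all. In every case the session ends when the launched program exits, so the "log off" icon in Charlie's locked-down desktop is no longer needed.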

-----Original Message-----
From: deji Agba [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 04, 2003 2:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GP and TS lockdown

Is there a good reason you don't just install TS in application mode on this server? If I were doing this (and there is no political/technical/budget reason against it), I'd do it that way and then deny logon locally rights to everyone but Admins. You can then configure TS to auto-launch the specific application that users need to use on the server.
 
 
Sincerely,

Dèjì Akómöláfé,
MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Charlie Kaiser
Sent: Tue 11/4/2003 1:57 PM
To: ([EMAIL PROTECTED])
Subject: [ActiveDir] GP and TS lockdown

I just spent the morning looking around at resources and doing some things to lock down a new W2K TS. This box is a member server in a W3K domain, and is hosting an app that end users hit. We needed to make it so that was the only thing they could do on the box, but we still needed admin access. So here's what I did. I'm looking for any gotchas on this before it swings into production...

New OU, termservers.
2 GPs for that OU. 1 is a lockdown, strips everything except that app. 2 is an Admin access, which disables everything in the lockdown for those times that we need to do something to the box.
Set Admin GP at top w/no override, lockdown second. Appropriate rights assignments.
Seems to work pretty well. Any glaring issues?

Found a couple of interesting nasties while trying to lock down the box, though. Why the heck is it SO difficult to prevent IE from running? We don't want a browser to open on this box for users at all. Couldn't find any way to lock it down within the policy, and didn't want to get involved with IEAK at this point. So, I put it on the list of apps that you can't run. Also added the one app we want to the list of apps you can run (along with all the other lockdown tweaks in the policy). That should do it, right? Wrong.

Picture this. Locked down desktop, with a log off command and one icon for the app we want to run. Can't do much, except hit F1. Hit F1, up comes a help box. On the top bar is "Web Help". Click on that, a browser opens. Nice. Lets you do anything at that point. Even though it's on the prohibited list, it still runs. OK, lock down NTFS on iexplore.exe. Removed users, etc., left admins, system. Still the same problem. Cute. IE runs in the system context when launched from help. Removed perms for system account and that finally did it. Nasty. Not exactly the context I want a web browser running from...


**********************
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 985 0975 x5083
**********************
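The two policy lists Charlie used ("Don't run specified Windows applications" and "Run only allowed Windows applications") are enforced by the Explorer shell at launch time, not by the kernel, which is why a copy of IE started by the Help viewer sails past them; the NTFS change is what actually stopped it (on a 2003/XP box Software Restriction Policies are the policy-level equivalent of that file-level block). The script below, an added PowerShell example that is not part of the thread, reads back what those two policies hold for the current user, shows who can execute iexplore.exe on disk, and lists any running iexplore.exe with its owner and parent so the "runs as SYSTEM from Help" observation can be confirmed on your own box. It needs PowerShell 3 or later for Get-CimInstance, so it is for a newer TS/RDS host rather than the W2K server in the post; the registry layout and the ACL are the same. The iexplore.exe path is assumed.

```powershell
# Added example (not from the thread).  Run inside the locked-down test user's
# TS session to see what that user actually gets.  Path to iexplore.exe is assumed.
$PolExplorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$IE          = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'

function Get-ExplorerRunPolicy {
    # "Don't run specified Windows applications" -> DisallowRun = 1 plus a DisallowRun
    # subkey whose values "1","2",... hold exe names; "Run only allowed Windows
    # applications" -> RestrictRun with the same layout.  Both are read by Explorer
    # only, so a process started by Help, cmd.exe or a hyperlink is never checked.
    foreach ($name in 'DisallowRun', 'RestrictRun') {
        $enabled = (Get-ItemProperty -Path $PolExplorer -Name $name -ErrorAction SilentlyContinue).$name
        $list = @()
        if (Test-Path "$PolExplorer\$name") {
            $key  = Get-Item "$PolExplorer\$name"
            $list = $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
        }
        [pscustomobject]@{ Policy = $name; Enabled = ($enabled -eq 1); Executables = ($list -join ', ') }
    }
}

function Get-IeAccess {
    # Who may execute iexplore.exe on disk.  The post's fix was to remove both the
    # Users and the SYSTEM entries; expect servicing that runs as SYSTEM to notice.
    (Get-Acl -Path $IE).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

function Get-IeProcesses {
    # Running copies of iexplore.exe with the account each runs as and the process
    # that started it.  A copy owned by NT AUTHORITY\SYSTEM inside an interactive
    # session, with a Help viewer as parent, is the condition the post describes.
    Get-CimInstance Win32_Process -Filter "Name = 'iexplore.exe'" | ForEach-Object {
        $owner  = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        [pscustomobject]@{
            PID       = $_.ProcessId
            SessionId = $_.SessionId
            Owner     = '{0}\{1}' -f $owner.Domain, $owner.User
            Parent    = if ($parent) { $parent.Name } else { '(exited)' }
        }
    }
}

Get-ExplorerRunPolicy | Format-Table -AutoSize
Get-IeAccess          | Format-Table -AutoSize
Get-IeProcesses       | Format-Table -AutoSize
```

If Get-ExplorerRunPolicy shows iexplore.exe in DisallowRun and Get-IeProcesses still lists a running copy, the launch did not go through Explorer and only the file ACL (or a kernel-enforced policy such as SRP) will stop it. Compare the Owner column with the session's own user: an owner of NT AUTHORITY\SYSTEM in your session is the part worth escalating, since a browser in that context has the whole box.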
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
