
I have an AWS Lightsail server based on the Windows Server 2016 blueprint. I would like to have users log in via remote desktop, and be limited to using just one designated application, and have no access to the desktop or other features (including the File Explorer).

I tried setting up a group policy, both for the server (Computer Configuration) and users (User Configuration) under Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Remote Session Environment, and I enabled and configured Start a program on connection. That did not work.

I also tried the suggestions found at the following link: Can RDP clients launch remote applications and not desktops

including setting the following dword value in the server's registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fAllowUnlistedRemotePrograms"=dword:00000001

I also included the alternate shell and remoteapplication entries in an .RDP file, and pointed to that file in the user's Remote Desktop Services Profile tab of the user's Properties dialog.

None of that worked. Each time I logged in as the user, the configured application did not run and I had access to the desktop.

Nothing that I found in my Google searches worked either.

Can someone please point me in the right direction? I am pretty sure that what I am trying to do is possible, but I am stuck.

I am connecting to the server using the remote desktop client in Windows 10 Pro, though I am not sure that that has anything to do with the failure. I'll also note that once I log into the server using remote desktop I can successfully run the application from the File Explorer or cmd prompt.

John Rotenstein
Cary Jensen

2 Answers


I had to ask an IT administrator, so I need to admit that I needed help in solving my problem. Nonetheless, I want to answer this question for the benefit of other developers out there who want to do something similar. I performed these steps on an Amazon Lightsail server, but I imagine that this will work on any Windows Server 2016 instance.

  1. Log onto the server as Administrator and run Server Manager.

  2. From the Dashboard, select Add roles and features.

  3. Add Active Directory Domain Services. Follow the prompts.

  4. Once Active Directory Domain Services has been installed, you will get a notification that it needs to be configured. Configure it.

  5. From the Dashboard, again select Add roles and features. This time select Remote Desktop Services installation. Follow the prompts.

  6. From the Server Manager, select Tools -> Active Directory Users and Computers from the main menu.

  7. Add a new Organizational Unit (OU) to the domain server. Next, add the users who will be limited to the one application to the new OU.

  8. From the Server Manager, select Tools -> Group Policy Management from the main menu. Expand your server's domain and select the new OU. Right-click the OU and select Create a GPO in this domain, and link it here... Next, expand the OU, select the new group policy and select Edit. Go to User Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Remote Session Environment. Enable and configure Start a program on connection. Disable Always show desktop on connection.

  9. From the Control Panel, open the System applet. Select Remote Settings. Click Users. Click Add. Click Advanced. Select the users added to the new OU and permit them to use Remote Desktop.

Cary Jensen
  • Cary, you are my hero! I have been looking for this solution for days. There are many purported answers, however, yours was straightforward and worked immediately. Too bad the Terminal Server snap-in doesn't just have this as a tab like the older OSes, however, the idea of Organizational Units certainly allows more specific configuration based on user groups. – Greg W Oct 08 '20 at 03:46
  • After installing AD I had to do this: http://woshub.com/allow-non-administrators-rdp-access-to-domain-controller/#:~:text=To%20allow%20a%20domain%20user,through%20Remote%20Desktop%20Services%20policy to be able to login through RDP at all – Krunoslav Djakovic Feb 14 '22 at 13:38
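Steps 6 to 9 of Cary's procedure, scripted with the ActiveDirectory and GroupPolicy modules that come with the AD DS role, as an added example that is not part of the original answer. The OU name, user names and application path are placeholders; "Start a program on connection" is written as the per-user InitialProgram/WorkDirectory policy values, while "Always show desktop on connection" is still disabled in the GPMC editor as in step 8.

```powershell
# Added example (not from the original answer). Run as a domain admin on the
# server after the AD DS and RDS roles from steps 1-5 are installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'RemoteAppUsers'                     # assumption: OU name
$users    = @('appuser1', 'appuser2')            # placeholders: sAMAccountNames
$appPath  = 'C:\Program Files\AvERP\AvERP.exe'   # placeholder application path
$appDir   = 'C:\Program Files\AvERP'             # placeholder working directory

# Step 7: create the OU and move the restricted users into it, so that only
# they receive the user-side policy linked below.
$ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDn -PassThru
foreach ($u in $users) {
    Get-ADUser -Identity $u | Move-ADObject -TargetPath $ou.DistinguishedName
}

# Step 8: create a GPO, link it to the OU, and set "Start a program on connection".
# The policy stores its settings as REG_SZ values under the per-user Terminal
# Services policy key (HKCU), which is why it must be linked where the users live.
$gpo = New-GPO -Name 'RDP single application' -Comment 'Restrict RDP users to one app'
New-GPLink -Name $gpo.DisplayName -Target $ou.DistinguishedName -LinkEnabled Yes | Out-Null
$tsKey = 'HKCU\Software\Policies\Microsoft\Windows NT\Terminal Services'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $tsKey -ValueName 'InitialProgram' `
    -Type String -Value $appPath | Out-Null
Set-GPRegistryValue -Name $gpo.DisplayName -Key $tsKey -ValueName 'WorkDirectory' `
    -Type String -Value $appDir | Out-Null

# Step 9: allow the users to log on via RDP (equivalent of Remote Settings -> Users).
Add-ADGroupMember -Identity 'Remote Desktop Users' -Members $users

# Check: the new link must appear on the OU. After the user logs on once,
# "gpresult /user appuser1 /r" should list the GPO under Applied Group Policy Objects.
Get-GPInheritance -Target $ou.DistinguishedName | Select-Object -ExpandProperty GpoLinks
```

On a domain controller, as Krunoslav's comment notes, the users additionally need the "Allow log on through Remote Desktop Services" user right before the RDP logon is accepted at all.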

Thank you for this guide, Cary.

I just ran into an issue where I had to start an application that requires the existence of the taskbar while loading.

After a few trial-and-error runs I got to the following solution, if the taskbar is not required anymore after start, as it seems it is not in my case. I don't even know why this application needs it. There isn't any icon placed in it or whatsoever...

Here is my little CMD:

@echo off
REM Start the shell so the taskbar exists while the application loads
start explorer.exe
REM Launch the application (AvERP.exe must be on the PATH or in the current directory)
start AvERP.exe
REM Give the application two seconds to finish loading
timeout /T 2
REM Remove the taskbar again so the user has no desktop access
taskkill /f /im explorer.exe

And to Krunoslav Djakovic:

I created a sub-folder for the Organizational Unit where I put the policy and only moved the user one level deeper into that folder. Maybe this helps in resolving your problem.

crpb