How do I restrict a remote desktop user to a single application on Windows Server 2016?

I have an AWS Lightsail server based on the Windows Server 2016 blueprint. I would like to have users log in via remote desktop, and be limited to using just one designated application, and have no access to the desktop or other features (including the File Explorer).

I tried setting up a group policy, both for the server (Computer Configuration) and users (User Configuration) under Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Remote Session Environment, and I enabled and configured Start a program on connection. That did not work.

I also tried the suggestions found at the following link: Can RDP clients launch remote applications and not desktops

including setting the following dword value in the server's registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fAllowUnlistedRemotePrograms"=dword:00000001

I also included the alternate shell and remoteapplication entries in an .RDP file, and pointed to that file in the user's Remote Desktop Services Profile tab of the user's Properties dialog.

None of that worked. Each time I logged in as the user, the configured application did not run and I had access to the desktop.

Nothing that I found in my Google searches worked either.

Can someone please point me in the right direction? I am pretty sure that what I am trying to do is possible, but I am stuck.

I am connecting to the server using the remote desktop client in Windows 10 Pro, though I am not sure that that has anything to do with the failure. I'll also note that once I log into the server using remote desktop I can successfully run the application from the File Explorer or cmd prompt.



Solution 1:[1]

Thank you for this guide, Cary.

I just ran into an issue where I had to start an application that requires the existence of the taskbar while loading.

After a few trial-and-error runs I got to the following solution, if the taskbar is not required anymore after start, as it seems it is not in my case. I don't even know why this application needs it. There isn't any icon placed in it or whatsoever...

Here is my little CMD:

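@echo off
rem Start Explorer so the taskbar exists while the application loads
start explorer.exe
start AvERP.exe
rem Wait two seconds for the application to load, then remove Explorer again
timeout /T 2
taskkill /f /im explorer.exe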

And to Krunoslav Djakovic:

I created a sub-folder for the Organizational Unit where I put the policy, and only moved the user one level deeper into that folder. Maybe this helps in resolving your problem.
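
A PowerShell variant of the launcher above, as an added example that is not part of the original answer: it stops only the Explorer processes in the user's own session and logs the session off when the application exits, so the user is not left in a session with no application. It assumes AvERP.exe (the name used in the answer) can be found on the PATH and keeps running as a single process until the user quits; `$appPath` and `$graceSecs` are names chosen for this example.

```powershell
# Added example, not from the original answer.
# Assumption: AvERP.exe is on the PATH and stays alive as one process until the user quits.
$ErrorActionPreference = 'Stop'
$appPath   = 'AvERP.exe'   # assumption: replace with the full path of the application
$graceSecs = 2             # same delay as "timeout /T 2" in the answer's script
$sessionId = (Get-Process -Id $PID).SessionId

try {
    # Temporary shell so the application finds a taskbar while it loads.
    Start-Process -FilePath 'explorer.exe'
    $app = Start-Process -FilePath $appPath -PassThru
    Start-Sleep -Seconds $graceSecs

    # Stop only the Explorer instances in this session, not those of other users
    # logged on to the same Remote Desktop Session Host.
    Get-Process -Name 'explorer' -ErrorAction SilentlyContinue |
        Where-Object { $_.SessionId -eq $sessionId } |
        Stop-Process -Force

    # Block until the user closes the application.
    $app.WaitForExit()
}
finally {
    # End the session whether the application exited normally or failed to start,
    # so the user never remains in a session without the designated application.
    & logoff.exe
}
```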

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 crpb