Jan 07, 2011 Remote desktop services permissions. (as I'm guessing that this is a group policy. Connections Allow Remote Start Of Unlisted Programs. Configure Remote Desktop through Group Policy. Connections section of Group Policy; here, you can set the 'Allow users to connect remotely using Remote Desktop. Set Group Policy refresh interval for. Allow remote start of unlisted programs Windows Components Remote Desktop Services Remote Desktop. Start a program on. Allow users to connect remotely by using Remote Desktop Services. ‹ Allow remote start of unlisted programs up Automatic reconnection. Windows group policy. Some of the options in the previous release consoles are moved to either PowerShell or Group Policy. Connections->Allow remote start of unlisted programs.

Hi All, I have a question about administration when using Remote Desktop Services on Windows Server 2008R2. Firstly a little background. I have about 15 users, who need to use RDS to access our CRM solution on the network, as the VPN solution has proven unsuitable.

The users will need to be able to access Microsoft Office, and the CRM application, and Internet explorer, however, that should be it. I've installed Remote Desktop services and have created a user with basic user permissions on the domain to test with. What I want to be able to do, is set it up so that when a user logs into their account on the remote desktop server, they only have access to these applications and some network shares that I have set up. I don't want them seeing anything else that they shouldn't be looking at or clicking on, such as computer management, the C drive or the RDS server, or any other applications that are installed on it. ( I basically don't want them mistakenly going somewhere that settings are set up) The users also have their own laptops, that I don't want to be affected by any change (as I'm guessing that this is a group policy thing, and may end up as a global setting) they have free run of their own laptops, and are not restricted at all on what they install or do on them! Could anyone offer any advice on how I could go about doing this, any guides or documentation that you know of would be greatly appreciated as well! Many thanks, Sev.

Hi, Yes there is a way. The reason that your settings are not applied when you attached the GPO to the OU that holds the Terminal Servers is because most of the lockdown settings are user-policies (not computer).

But you can accomplish what you need by using GPO Loopback processing. See info here: Basicly what you do is set user policies in a GPO that you put on the OU that contains the Terminal Servers.

Motorola Talkabout T5022 Manual. Then you enable LoopBack processing and the usersettings that you defined in the GPO on the Computer OU will be applied to all users that logon to Terminal Servers inside that OU. On top of that you can use security filtering on the GPO to only apply the user settings defined in the GPO on the OU that contains the Terminalservers to specifc users.

Taken from the KB: '.Group Policy applies to the user or computer in a manner that depends on where both the user and the computer objects are located in Active Directory. However, in some cases, users may need policy applied to them based on the location of the computer object alone. You can use the Group Policy loopback feature to apply Group Policy Objects (GPOs) that depend only on which computer the user logs on to. This policy directs the system to apply the set of GPOs for the computer to any user who logs on to a computer affected by this policy. This policy is intended for special-use computers where you must modify the user policy based on the computer that is being used. For example, computers in public areas, in laboratories, and in classrooms.' Kind regards, Freek Berson.

Hi, This KB was origionally for 2003, but applies for a great deal on 2008 (R2) as well: and this guide as well: On top of that you could look at AppLocker to control what applications may be executed. And see below some info taken from the RDS 2008 R2 Resource Kit (Availlable on amazon.com) -------- User Configuration Policies Administrative Templates System ● Don’t Run Specified Windows Applications This is the block list approach—starting with everything and then defining applications that are not allowed to run. Blacklists aren’t the most effective way to manage applications because executable names change (or new executables are created) and block lists don’t take changes into account.