This is a question that comes up somewhat frequently. If you want to allow users to use RemoteApp in Windows Server 2008 or 2008 R2, they have to be members of the Remote Desktop Users group on the server. But, sometimes we don’t want our users to have the full desktop UI on a shared server resource. There is actually a very simple way to accomplish exactly what we’re looking at.
On each of the servers with the Remote Desktop Session Host role, open the connection properties by navigating as shown.
Open the properties of the connection that you are using. Click on the environment tab, bubble in the Start the following program, and fill it out as shown below. Basically, we’re configuring the server to automatically log out as soon as anyone tries to log in with the full UI. However, this doesn’t prevent users from connecting with RemoteApp. Pretty cool trick I thought!
3 thoughts on “How to Allow RemoteApps but Prevent Full Remote Desktop Logons”
Doesn’t that also prevent the Administrator from logging in remotely also?
I believe you are correct sir. I’d have to double check whether using the mstsc /admin switch makes a difference or not, but I doubt it. If not, looks like you’d need to log in at the console. Otherwise, the next logical workaround would be to instead of directly running the logoff, run a script that runs the logoff command unless a particular username is used during login.
User with admin rights are also logged off. Using mstsc with /admin switch doesn’t change anything. Any ideas?