How to Allow RemoteApps but Prevent Full Remote Desktop Logons

This is a question that comes up somewhat frequently. If you want to allow users to use RemoteApp in Windows Server 2008  or 2008 R2, they have to be members of the Remote Desktop Users group on the server. But, sometimes we don’t want our users to have the full desktop UI on a shared server resource. There is actually a very simple way to accomplish exactly what we’re looking at.

On each of the servers with the Remote Desktop Session Host role, open the connection properties by navigating as shown. - VMware Workstation_2012-09-28_14-44-22

Open the properties of the connection that you are using. Click on the environment tab, bubble in the Start the following program, and fill it out as shown below. Basically, we’re configuring the server to automatically log out as soon as anyone tries to log in with the full UI. However, this doesn’t prevent users from connecting with RemoteApp. Pretty cool trick I thought! - VMware Workstation_2012-09-28_14-44-34


3 thoughts on “How to Allow RemoteApps but Prevent Full Remote Desktop Logons

  1. I believe you are correct sir. I’d have to double check whether using the mstsc /admin switch makes a difference or not, but I doubt it. If not, looks like you’d need to log in at the console. Otherwise, the next logical workaround would be to instead of directly running the logoff, run a script that runs the logoff command unless a particular username is used during login.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.