Tags: amazon-web-services, remote-desktop, rdp, amazon-lightsail

How do I restrict a remote desktop user to a single application on Windows Server 2016?


I have an AWS Lightsail server based on the Windows Server 2016 blueprint. I would like to have users log in via remote desktop, and be limited to using just one designated application, and have no access to the desktop or other features (including the File Explorer).

I tried setting up a group policy, both for the server (Computer Configuration) and users (User Configuration) under Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Remote Session Environment, and I enabled and configured Start a program on connection. That did not work.

I also tried the suggestions found at the following link: Can RDP clients launch remote applications and not desktops

including setting the following dword value in the server's registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fAllowUnlistedRemotePrograms"=dword:00000001

I also included the alternate shell and remoteapplication entries in an .RDP file, and pointed to that file in the user's Remote Desktop Services Profile tab of the user's Properties dialog.

None of that worked. Each time I logged in as the user, the configured application did not run and I had access to the desktop.

Nothing that I found in my Google searches worked either.

Can someone please point me in the right direction? I am pretty sure that what I am trying to do is possible, but I am stuck.

I am connecting to the server using the remote desktop client in Windows 10 Pro, though I am not sure that that has anything to do with the failure. I'll also note that once I log into the server using remote desktop I can successfully run the application from the File Explorer or cmd prompt.


Solution

  • I had to ask an IT administrator, so I need to admit that I needed help in solving my problem. Nonetheless, I want to answer this question for the benefit of other developers out there who want to do something similar. I performed these steps on an Amazon Lightsail server, but I imagine that this will work on any Windows Server 2016 instance.

    1. Log onto the server as Administrator and run Server Manager.

    2. From the Dashboard, select Add roles and features.

    3. Add Active Directory Domain Services, following the prompts.

    4. Once Active Directory Domain Services has been installed, you will get a notification that it needs to be configured. Configure it.

    5. From the Dashboard, again select Add roles and features. This time select Remote Desktop Services installation, following the prompts.

    6. From Server Manager, select Tools -> Active Directory Users and Computers from the main menu.

    7. Add a new Organizational Unit (OU) to the domain server. Next, add your users who will be limited to the one application to the new OU.

    8. From Server Manager, select Tools -> Group Policy Management from the main menu. Expand your server's domain and select the new OU. Right-click the OU and select Create a GPO in this domain, and link it here... Next, expand the OU, select the new group policy and select Edit. Go to User Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Remote Session Environment. Enable and configure Start a program on connection. Disable Always show desktop on connection.

    9. From the Control Panel, open the System applet. Select Remote Settings. Click Users, click Add, then click Advanced. Select the users added to the new OU and permit them to use Remote Desktop.
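The same nine steps, scripted in PowerShell as an added example that is not part of the original answer. The domain name corp.example.com, the OU name KioskUsers, the GPO name RDS-SingleApp, the user kioskuser and the application path C:\Program Files\Vendor\App.exe are all assumptions chosen for illustration; replace them with your own. Step 8's "Start a program on connection" policy writes the InitialProgram and WorkDirectory values under the user-side Terminal Services policy key, so it can be set with Set-GPRegistryValue; the page names the "Always show desktop on connection" policy but not its registry value, so that one is left to the GPMC editor rather than guessed. One caveat worth keeping in mind: an initial-program setting only changes what is launched at logon, it is not a sandbox. The user still owns an interactive session, so if the application exposes a file dialog, a help browser or a shell escape, Explorer and cmd are one click away. Pair it with AppLocker or similar if the desktop must genuinely be unreachable.

```powershell
# Run elevated on the Windows Server 2016 instance. Assumed names (edit these):
$DomainName = 'corp.example.com'
$DomainDN   = 'DC=corp,DC=example,DC=com'
$OuName     = 'KioskUsers'
$OuDN       = "OU=$OuName,$DomainDN"
$GpoName    = 'RDS-SingleApp'
$UserName   = 'kioskuser'
$AppPath    = 'C:\Program Files\Vendor\App.exe'      # assumed application
$AppDir     = 'C:\Program Files\Vendor'

# Steps 2-3 and 5: AD DS, the RD Session Host role and the GPMC console.
Install-WindowsFeature -Name AD-Domain-Services, RDS-RD-Server, GPMC -IncludeManagementTools

# Step 4: promote to a new forest. This reboots the server; run the rest afterwards.
# Prompts for the DSRM (safe mode) password rather than embedding it in the script.
Install-ADDSForest -DomainName $DomainName -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force

# ---- after the reboot, logged on as the domain Administrator ----

# Steps 6-7: create the OU and put the restricted user in it.
New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
New-ADUser -Name $UserName -SamAccountName $UserName -Path $OuDN -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString "Password for $UserName")
# For an existing user instead: Move-ADObject -Identity (Get-ADUser $UserName) -TargetPath $OuDN

# Step 8: create a GPO, link it to the OU, and set "Start a program on connection".
# The policy's registry values (InitialProgram / WorkDirectory) live under the
# user-side Terminal Services policy key, so they go in User Configuration via HKCU.
New-GPO -Name $GpoName | New-GPLink -Target $OuDN
$TsKey = 'HKCU\Software\Policies\Microsoft\Windows NT\Terminal Services'
Set-GPRegistryValue -Name $GpoName -Key $TsKey -ValueName 'InitialProgram' -Type String -Value $AppPath
Set-GPRegistryValue -Name $GpoName -Key $TsKey -ValueName 'WorkDirectory'  -Type String -Value $AppDir
# "Always show desktop on connection" is named on the page but its registry value is not;
# disable it in the GPMC editor (gpmc.msc -> edit $GpoName) as in step 8 rather than guessing.

# Step 9: allow the user to log on over RDP. On a domain controller the
# "Remote Desktop Users" group is the builtin domain group, not a local one.
Add-ADGroupMember -Identity 'Remote Desktop Users' -Members $UserName

# Checks: confirm the GPO carries the values and is linked where expected,
# then force a refresh so the next RDP logon picks it up.
Get-GPRegistryValue -Name $GpoName -Key $TsKey
Get-GPInheritance -Target $OuDN | Select-Object -ExpandProperty GpoLinks
gpupdate /force
```

After the user's next RDP logon, `gpresult /user $UserName /r` on the server should list RDS-SingleApp under Applied Group Policy Objects; if it shows up under Denied instead, the user is not in the linked OU or the link was not enabled. If the application still does not launch, check that the Session Host role (step 5) actually installed, since the initial-program policies sit under Remote Desktop Session Host and are ignored without it.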