Terminal Services Kiosk

Thread starter: F. David del Campo Hill

Hi all,

I have a Windows Server 2003 R2 configured as a standalone Terminal Services
server, and a few Windows XP Professional desktops part of an Active
Directory domain.

I want to create an Active Directory account that users can log in to in the
desktops, but that will automatically open a Remote Desktop session to the
Terminal Services server (they will then log in to the server using a
non-Active Directory account). The account must NOT allow users to do
anything on the desktops save automatically opening the RD session, and when
the users disconnect or log out of the RD session, the desktops must log out
automatically from the Active Directory account as well.

1. I have found that you can change the Windows shell by editing the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Shell registry value, but how do you change the
shell for one user only?

2. Also, how do you make sure the user can only run mstsc.exe and cannot use
Ctrl+Alt+Del (or other special key combinations) to bypass the shell?

3. And lastly, how to make the local desktop log out automatically when the
shell is terminated?

Thank you for your help.
 
Pretty much everything you want to do can be configured through Group
Policy. What are you planning on replacing the shell with? Why are you
trying to replace the shell? You will want to start investigating GPOs.

Also, how are you expecting users to terminate the shell? Why not simply
lock down the workstations as is?

Jeff Pitsch
Microsoft MVP - Terminal Server
Citrix Technology Professional
Provision Networks VIP

Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com

F. David del Campo Hill wrote:
> Hi all,
>
> I have a Windows Server 2003 R2 configured as a standalone Terminal Services
> server, and a few Windows XP Professional desktops part of an Active
> Directory domain.
>
> I want to create an Active Directory account that users can log in to in the
> desktops, but that will automatically open a Remote Desktop session to the
> Terminal Services server (they will then log in to the server using a
> non-Active Directory account). The account must NOT allow users to do
> anything on the desktops save automatically opening the RD session, and when
> the users disconnect or log out of the RD session, the desktops must log out
> automatically from the Active Directory account as well.
>
> 1. I have found that you can change the Windows shell by editing the
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\Winlogon\Shell registry value, but how do you change the
> shell for one user only?
>
> 2. Also, how do you make sure the user can only run mstsc.exe and cannot use
> Ctrl+Alt+Del (or other special key combinations) to bypass the shell?
>
> 3. And lastly, how to make the local desktop log out automatically when the
> shell is terminated?
>
> Thank you for your help.
 
Jeff,

> Pretty much everything you want to do can be configured through Group
> Policy.


Remember that the Terminal Services server is not part of an Active
Directory domain, only the desktops. Which group policies are you referring to?

> What are you planning on replacing the shell with?


A Remote Desktop session to the Terminal Services server: mstsc /v:IPAddress
/f

> Why are you trying to replace the shell?


As I explained, I need an account that will open RD the moment it logs in
and will only show RD on the full screen. Since this is similar to what
people do for Internet Explorer kiosks, I thought to do it similarly. Is
there a better way?

> You will want to start investigating GPOs.


Only for the desktops; the TS server cannot have GPOs applied.

> Also, how are you expecting users to terminate the shell?


That is one of my questions: how to make the account log out when the RD
session is logged out or terminated.

> Why not simply lock down the workstations as is?


The desktops are going to be used by other accounts which do not connect to
the TS server, so leaving the desktops in such a state is not possible.

In short, I am trying to allow users to use their Windows desktop as a thin
client for a TS server by logging in to a certain account.
 
F. David del Campo Hill wrote:
> Jeff,
>
>> Pretty much everything you want to do can be configured through Group
>> Policy.
>
> Remember that the Terminal Services server is not part of an Active
> Directory domain, only the desktops. Which group policies are you referring to?

You're going to have a difficult time at best to lock down the TS box so
they can't do anything. It's quite possible but difficult. There are
way too many settings to list them off one by one on how to lock down a
server. You can start by using this (remember you can set many of these
through local policy as well):


>
>> What are you planning on replacing the shell with?
>
> A Remote Desktop session to the Terminal Services server: mstsc /v:IPAddress
> /f

Your best bet, again, is to use Group Policy on the workstations to
configure a very locked down environment for the particular users. You
have AD for the workstations, it's a very powerful tool, don't ignore
it. Use it.

>
>> Why are you trying to replace the shell?
>
> As I explained, I need an account that will open RD the moment it logs in
> and will only show RD on the full screen. Since this is similar to what
> people do for Internet Explorer kiosks, I thought to do it similarly. Is
> there a better way?

Yes, again, a locked down environment using GPO.

>
>> You will want to start investigating GPOs.
>
> Only for the desktops; the TS server cannot have GPOs applied.
>
>> Also, how are you expecting users to terminate the shell?
>
> That is one of my questions: how to make the account log out when the RD
> session is logged out or terminated.

No problem at all, you give them the log out button on the locked down
desktop.

>
>> Why not simply lock down the workstations as is?
>
> The desktops are going to be used by other accounts which do not connect to
> the TS server, so leaving the desktops in such a state is not possible.
>
> In short, I am trying to allow users to use their Windows desktop as a thin
> client for a TS server by logging in to a certain account.

I'm not sure you understand how GPOs work. They can be applied based
on users. So one user logs in to the workstation they get one set of
settings, another user logs in they get another set.

Jeff Pitsch
Microsoft MVP - Terminal Server
Citrix Technology Professional
Provision Networks VIP

Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com
 
Jeff,

> You're going to have a difficult time at best to lock down the TS box so
> they can't do anything. It's quite possible but difficult. There are
> way too many settings to list them off one by one on how to lock down a
> server. You can start by using this (remember you can set many of these
> through local policy as well):

No, the locked-down account is the Active Directory account in the desktops,
not the local accounts in the TS server. I want them not to be able to do
anything in the desktops apart from running the RD session; in the TS server
they can do what they want: it's theirs.

>>> Why are you trying to replace the shell?
>
>> As I explained, I need an account that will open RD the moment it logs in
>> and will only show RD on the full screen. Since this is similar to what
>> people do for Internet Explorer kiosks, I thought to do it similarly. Is
>> there a better way?
>
> Yes, again, a locked down environment using GPO.

But how? Which GPOs stop users from being able to start other programs or
kill the RD session? Specifics please.


> No problem at all, you give them the log out button on the locked down
> desktop.


No, there is no explorer running: so there will be no local Log Out button
for them to press, no Start menu... no nothing save the RD session.

>> In short, I am trying to allow users to use their Windows desktop as a thin
>> client for a TS server by logging in to a certain account.
>
> I'm not sure you understand how GPOs work. They can be applied based
> on users. So one user logs in to the workstation they get one set of
> settings, another user logs in they get another set.

I know, but what I am looking for is for someone to tell me which GPOs can
be used to stop a user from running anything but an executable of my
choosing, and how to make the termination of that executable force a log out
on the user's session.
 
comments inline

F. David del Campo Hill
<FDaviddelCampoHill@discussions.microsoft.com> wrote on 21 Aug
2007 in microsoft.public.windows.terminal_services:

> Jeff,
>
>> You're going to have a difficult time at best to lock down the TS
>> box so they can't do anything. It's quite possible but
>> difficult. There are way too many settings to list them off one
>> by one on how to lock down a server. You can start by using
>> this (remember you can set many of these through local policy as
>> well):
>
> No, the locked-down account is the Active Directory account in
> the desktops, not the local accounts in the TS server. I want
> them not to be able to do anything in the desktops apart from
> running the RD session


So you want to turn your clients into software thin clients, is
that correct? Patrick Rouse lists a number of solutions for that,
like SimplyRDP and others:
http://www.sessioncomputing.com/thin-clients.htm

> in the TS server they can do what they want: its theirs.


If taken literally, I think that you will notice that this will
render the TS unusable in a short period of time. Even if you don't
lock it down to the full extent, you will still need to limit
users' ability to install software, printer drivers and so on.

>>>> Why are you trying to replace the shell?
>>> As I explained, I need an account that will open RD the
>>> moment it logs in and will only show RD on the full screen.
>>> Since this is similar to what people do for Internet Explorer
>>> kiosks, I thought to do it similarly. Is there a better way?
>
>> Yes, again, a locked down environment using GPO.
>
> But how? Which GPOs stop users from being able to start other
> programs or kill the RD session? Specifics please.


Software Restriction Policies would do this. Only allow mstsc.exe,
restrict all other executables.

>> No problem at all, you give them the log out button on the
>> locked down desktop.
>
> No, there is no explorer running: so there will be no local Log
> Out button for them to press, no Start menu... no nothing save
> the RD session.
>
>>> In short, I am trying to allow users to use their Windows
>>> desktop as a thin client for a TS server by logging in to a
>>> certain account.
>
>> I'm not sure you understand how GPOs work. They can be
>> applied based on users. So one user logs in to the workstation
>> they get one set of settings, another user logs in they get
>> another set.
>
> I know, but what I am looking for is for someone to tell me
> which GPOs can be used to stop a user from running anything but
> an executable of my choosing, and how to make the termination of
> that executable force a log out on the user's session.


Can't help you with the logout problem, I'm afraid. And how are you
going to handle Ctrl-Alt-Del?
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
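The three questions in the opening post (a shell for one user only, blocking everything except mstsc.exe and the Ctrl+Alt+Del escape routes, and logging the workstation off when the shell ends) and Vera's Software Restriction Policy answer fit together in the following PowerShell script. It is an added example, not code posted in the thread and not any poster's or Microsoft's own method: for a local test on one Windows XP workstation, logged on as the kiosk account, it writes the same registry values that the User Configuration GPO settings named in the comments write, so the behaviour can be checked before the settings are moved into a GPO linked to that account's OU. The server address 192.0.2.10, the C:\Kiosk path, the rdpkiosk.cmd wrapper and the Get-KioskState function are assumptions of the example; the Software Restriction Policy registry layout (DefaultLevel 0 = Disallowed, allow rules under the 262144 subkey) is as I know it from XP/2003 and is worth confirming against what gpedit.msc writes on the target machine.

```powershell
# Added example, not code from the thread: per-user "RDP kiosk" lock-down for a
# Windows XP workstation, written as the registry values the named User
# Configuration GPO settings produce. Run once as the kiosk user for a local
# test; Group Policy overwrites these HKCU values at its next refresh.
# Assumptions: server address, wrapper path and function name are placeholders.

$TsServer    = '192.0.2.10'                 # placeholder: Terminal Services server
$KioskDir    = 'C:\Kiosk'                   # placeholder: wrapper location
$WrapperPath = Join-Path $KioskDir 'rdpkiosk.cmd'

# --- Question 3: log the local session off as soon as the RD session ends.
# The wrapper becomes the shell. "start /wait" blocks until mstsc.exe exits
# (the user logged out of, or disconnected from, the TS session) and then
# "shutdown -l" logs the workstation user off (XP uses the dash switches).
$wrapper = @"
@echo off
start "" /wait "%SystemRoot%\system32\mstsc.exe" /v:$TsServer /f
shutdown -l -f
"@
New-Item -ItemType Directory -Path $KioskDir -Force | Out-Null
Set-Content -Path $WrapperPath -Value $wrapper -Encoding Ascii

# --- Question 1: a shell for one user only.
# GPO: User Configuration > Administrative Templates > System >
# "Custom User Interface". It writes HKCU ...\Policies\System\Shell, which
# Winlogon uses for that user instead of the machine-wide HKLM Winlogon\Shell.
$Policies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
New-Item -Path $Policies -Force | Out-Null
Set-ItemProperty -Path $Policies -Name Shell -Value "cmd.exe /c `"$WrapperPath`""

# --- Question 2 (Ctrl+Alt+Del): GPO "Ctrl+Alt+Del Options" in the same System
# node. Task Manager, Lock Computer and Change Password are the buttons that
# would otherwise let the user get out from behind the full-screen RD window.
foreach ($v in 'DisableTaskMgr', 'DisableLockWorkstation', 'DisableChangePassword') {
    Set-ItemProperty -Path $Policies -Name $v -Value 1 -Type DWord
}

# --- Question 2 (other programs): Software Restriction Policy, as Vera
# suggests. User Configuration > Windows Settings > Security Settings >
# Software Restriction Policies keeps its rules under HKCU ...\Safer.
# DefaultLevel 0 = Disallowed; allow (Unrestricted) path rules live under the
# 262144 (0x40000) subkey. %SystemRoot% must stay allowed, otherwise
# userinit.exe, cmd.exe, mstsc.exe and shutdown.exe cannot start either.
$Safer = 'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path $Safer -Force | Out-Null
Set-ItemProperty -Path $Safer -Name DefaultLevel       -Value 0 -Type DWord
Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1 -Type DWord  # all software except DLLs
Set-ItemProperty -Path $Safer -Name PolicyScope        -Value 0 -Type DWord  # applies to all users
# SRP can log every evaluation to a file: handy for seeing what the kiosk user
# tried to launch and what was blocked. The kiosk user needs write access here.
Set-ItemProperty -Path $Safer -Name LogFileName -Value (Join-Path $KioskDir 'srp.log')

foreach ($allowedPath in '%SystemRoot%', $KioskDir) {
    $guid = '{' + [guid]::NewGuid().ToString() + '}'   # rule keys are named by GUID
    $rule = "$Safer\262144\Paths\$guid"
    New-Item -Path $rule -Force | Out-Null
    Set-ItemProperty -Path $rule -Name ItemData    -Value $allowedPath -Type ExpandString
    Set-ItemProperty -Path $rule -Name SaferFlags  -Value 0 -Type DWord
    Set-ItemProperty -Path $rule -Name Description -Value 'RDP kiosk allow rule'
}

# Read the result back so the lock-down can be checked before it is trusted.
function Get-KioskState {
    $pol = Get-ItemProperty $Policies
    New-Object PSObject -Property @{
        Shell       = $pol.Shell
        TaskMgrOff  = ($pol.DisableTaskMgr -eq 1)
        SrpDefault  = (Get-ItemProperty $Safer).DefaultLevel
        AllowRules  = @(Get-ChildItem "$Safer\262144\Paths" |
                        ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData })
    }
}
Get-KioskState
```

Log Off is deliberately left on the Ctrl+Alt+Del dialog: the wrapper's whole purpose is to log the user off, so a user pressing it gets the same result. The SRP log file is the detection side of this set-up; reviewing it after a pilot shows whether anything other than the wrapper, mstsc.exe and shutdown.exe was attempted, and a surprise entry there is the first sign that the allow rules are wider than intended.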
 