How to run one program at logon, disable everything else?

  • How to run one program at logon, disable everything else?

    I'm trying to set up our terminal server so that our workers can work remotely on the server instead of their workstations.

    But I'm a bit concerned what they do while they are logged on to the server, they have access to all program files by the "Default Domain Policy" GPO.

    I just want them to use our ERP software at logon, I don't want them to touch anything else.

    We have 2 different OUs set up, besides the default OUs in Windows.
    1 OU is for admins the other is for staff / employees.

    I want to give minimum rights to employee and all rights to admins.

    Do I need to create a different GPO per OU if I want different tasks per OU?

    How does the linking GPO work? If I link a GPO to an OU, and change the settings on that OU level, will it affect other OUs linked to the same GPO?

    Our servers are Win 2003 Standard.

  • #2
    Re: How to run one program at logon, disable everything else?

    The easiest thing that comes to my mind is software restriction policies. You could make it so that only certain paths or hashes are allowed to run for certain users.

    Alternatively, check out this thread to see if that would be of use to you. It's a bit more in depth than a simple software restriction policy, but maybe that's what you want.
    Wesley David


    • #3
      Re: How to run one program at logon, disable everything else?

      Great! Thanks so much, it's very helpful!


      • #4
        Re: How to run one program at logon, disable everything else?

        Is this option too simplistic or am I missing something in the question? Obviously this way they will still have access to everything via Explorer.

        (attached screenshot: TS-Single App.jpg)


        • #5
          Re: How to run one program at logon, disable everything else?

          If you run Windows Server 2008 Terminal Services then you could use RemoteApps for this.
          If not, then perhaps you can try the solution below.

          For the user you can replace the Windows Explorer shell with a "custom shell". Explorer.exe provides access to the most common desktop functions, so with a custom shell the user just sees the application.

          You can use Group Policy to configure this.

          Since the policy that we are creating is based on the user, not the computer itself, we will be modifying the User Configuration portion of the policy object. But because we don't want this policy to apply to the user when s/he logs on to a desktop computer, we have to make it a loopback policy and link the GPO to the Terminal Servers OU (or alternatively, use a WMI filter to filter on the server name, and link the GPO to the Users OU).

          Edit the policy,

          User Configuration / Administrative Templates
          "Remove and prevent access to the Shut Down command" -> Enabled

          User Configuration / Administrative Templates / System
          "Custom user interface" -> Enabled
          "Interface file name (for example, Explorer.exe)" -> wscript.exe //Nologo //B "c:\scripts\RemoteApps.vbs"
          (I would prefer, but it is not really necessary, to copy the script to the server locally and configure a local path in the policy like in the example.)

          User Configuration / Administrative Templates / System / CTRL+ALT+DELETE Options
          "Remove Change Password" -> Enabled
          "Remove Lock Computer" -> Enabled
          "Remove Logoff" -> Enabled
          "Remove Task Manager" -> Enabled

          The VBScript will start the application and keep monitoring the process (by using the unique PID of the process). When the user ends the application, the script will log off the user and the script ends. (Optional: it is possible to set a maximum time to live for the user session; then the script can terminate the application and force a logoff of the user. It is also possible that the script, after it is launched, first checks the group membership or OU of the user and, based on conditions, starts either the application or the default shell.)

          Have a look at the following 2 articles:
          - Managing a Custom Shell Using Active Directory
          - Loopback processing of Group Policy

          Related threads,


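The custom-shell script described in #5, written out as an added example (it is not the poster's own RemoteApps.vbs): it launches the application, tracks that one PID until it exits or a time limit passes, logs the session off, and gives members of an admin group the normal shell instead. The ERP path, the admin group DN and the time limit are assumptions for this example.

```vbscript
' Custom-shell launcher in the spirit of the RemoteApps.vbs described above.
' Added example, not the original post's script. Hypothetical values: the ERP
' client path, the admin group DN and the session time-to-live.
Option Explicit

Const APP_PATH     = """C:\ERP\erp.exe"""               ' quoted: path may contain spaces
Const ADMIN_GROUP  = "CN=TS Admins,OU=Admins,DC=example,DC=local"
Const MAX_MINUTES  = 600                                 ' optional session time-to-live
Const POLL_SECONDS = 5

Dim shell, exec, started
Set shell = CreateObject("WScript.Shell")

' Admins get the normal desktop; everyone else gets only the ERP client.
If IsDirectMemberOf(ADMIN_GROUP) Then
    shell.Run "explorer.exe", 1, False
    WScript.Quit
End If

' Start the application and keep the handle so we monitor *this* PID only.
Set exec = shell.Exec(APP_PATH)
started = Now

' WshScriptExec.Status stays 0 (WshRunning) while the process is alive.
Do While exec.Status = 0
    WScript.Sleep POLL_SECONDS * 1000
    If DateDiff("n", started, Now) >= MAX_MINUTES Then
        exec.Terminate            ' time-to-live exceeded: end the app, then log off
        Exit Do
    End If
Loop

' The application ended, so end the session. Caveat: if erp.exe is only a
' launcher that spawns a child and exits, this fires immediately.
shell.Run "shutdown.exe -l", 0, True

Function IsDirectMemberOf(groupDN)
    ' Direct membership only, read from the logged-on user's memberOf attribute.
    Dim sysinfo, user, groups, g
    IsDirectMemberOf = False
    On Error Resume Next
    Set sysinfo = CreateObject("ADSystemInfo")
    Set user = GetObject("LDAP://" & sysinfo.UserName)
    groups = user.GetEx("memberOf")
    If Err.Number <> 0 Then Exit Function   ' lookup failed or attribute empty: non-admin
    On Error GoTo 0
    For Each g In groups
        If LCase(g) = LCase(groupDN) Then IsDirectMemberOf = True
    Next
End Function
```

The shell replacement only hides the desktop; file dialogs inside the ERP client still expose the file system, so pair it with the Ctrl+Alt+Del and Task Manager policies listed above and with the software restriction policy suggested in #2.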