RemoteApp without RDSH logon

Hi,
I'm running Windows Server 2012 as a RDSH server.
The employees should not be able to logon to the RDSH and only use RemoteApp's.
Is it possible to only allow RemoteApp's without the logon permission to the RDSH?
regards,
TAntony

Hi,
One technique for this is to set the Custom User Interface group policy setting to logoff.exe.  You would have the GPO apply to normal users, but not applied to Domain Admins (or other users that you need full desktop).
User Configuration\Administrative Templates\System
Custom User Interface     Enabled
Interface file name: %systemroot%\system32\logoff.exe
You may already be aware of this but I will mention that denying the ability for a regular user to get a full desktop is a nice feature, but it is not much of a security measure by itself.  If part of the reason you would like this ability is to
limit what users have access to then I recommend you look at NTFS permissions, AppLocker, Software Restriction Polices, group policies, etc.
Thanks.
-TP

Similar Messages

  • App-V Refreshing Apps without Logoff/Logon or Client UI

    Hi
    I have a customer who wants the following functionality:
    - User gets added to AD group
    - Client refresh happens without having to logoff/on or initiate manual "Update" on the Client UI. 
    I understand the task that initiates the refresh is contained in a scheduled task that runs at Logon, but would it be feasible in a VDI scenario with 200 servers to run this refresh so frequently that the user would receive apps almost immediately after
    being added to the AD group. 
    I'm not sure anyone has even considered AD replication but all the DCs would be within datacentre obviously so that replication would be quick. 
    Thanks for entertaining.. 
    David Murphy

    Hi, by GPO you can configure the 4 scheduled tasks to perform a refresh:
    @logon global/user
    @interval global/user (interval can be set to run for instance every hour if you want to)
    De default refresh internval on the appv5 backend is set to 10min, but can be adjusted bij a registry key. In a production env. I would keep it 10min.

  • How to logon to EP without the logon page

    Dear Sir,
    We use EP6 SP14, I woul like to make  EP , some user will logon , but there are also without logon page also. Is it possible to do in Portal.
    Please advise.
    Thank you and best regards,
    VImol

    Hi,
    u cn refer to these links for external facing portal.....
    https://www.sdn.sap.com/irj/sdn/wiki?path=/display/ep/external-facing%2bportal
    Coming Soon: the External Facing Portal (EP6 SPS14)
    Nuts and Bolts of the External Facing Portal (EFP)
    Follow  up to today's webinar on the External Facing Portal Functionality
    The specified item was not found.
    i hope these links are very helpful in ur implementation
    Regards
    Bhargava
    points are welcome

  • SapScript - Polish fonts without Polish logon language installed

    Hi,
    (the problem regards any languages with non-standard fonts e.g. cyrilic)
    How to insert Polish fonts in SAPscript being logged in English - there is no Polish logon language installed on the system.
    When editing Polish version of the form and entering Polish fonts (directly or by copy/paste) only "bushes" are displayed.
    Is it possible to edit SAPscript form in different language version than logon language - I mean to obtain fonts specific for the form language?

    Hi
    Yes it is!
    The language used by sapscript doesn't depend on logon language, but it is that you transfer to fm OPEN_FORM, but your sapscript have to be translated in that language. If there isn't a versione in the language the system run the version in original language.
    Max

  • ECC system access  without Logon pad

    Friends,
    Is there any other way to access ECC  sytem  without using Logon pad  and ITS URL ? 
    Regards,
    Arun

    You can acess from NWBC, but GUI must be installed in this case, also more reports you can create or implement from Portal, like ESS MSS. For BW you can connect from Excel.
    Regards.

  • Hello all.   Hope someone can help me. I recently downloaded some  updates for my imac.  Since doing this the computer starts up but I get no logon box.  The home screen opens but I can't open any programs or files. I've tried rebooting, no joy. Help!!

    Hello all..   I hope someone here can help.  I recently downloaded some updates to my imac.  Since then the computer starts but I get the home screen opening without the logon box.    I can't open any programs or files and if I click on the Safari tab it disappears from the dock.  I've tried rebooting with no joy.
    I contacted technical help at Apple and was told to hold down the ctrl and alt keys with two other keys, I think the S or P keys when powering up. This worked
    and the computer seemed fine but now the problem has reappeared.  Is there a way to removed downloaded updates from the computer or revert it to an earlier state?   Sorry for the long question. Hopefully one of you clever people can help.   Simon

    Clntxwhtby wrote:
    Hay thank you for your time . I do that every time I know I am online. It says that I am up to date . I have found that I have 10.4.11 version, and that my boot version is 10.6.2, and that my kernel version is 8.11.1.
    I have a hard drive icon on my desktop that says 10.6.2....
    I use to have iphoto, it doesnt open anymore, it says there is 1.2gigs on that disk.There are many things on here that are the same way. Where do I start?
    It's always good to go with one thing at a time and stay focused on that. Let's start with the OS you're running. Click on the Apple menu > About This Mac. What does it say under Mac OS X version ?

  • Best practices for storing logon/password info

    I'm curious what are the best practices and/or what other organizations are using to store the logon/password information that needs to be shared by several users. This could be, for example, RFC logon that is used in several interfaces; FTP logon, etc. Such information may need to be accessible to all the developers yet should be stored safely.
    In my previous assignments this was usually managed by a Basis admin, but we don't have a designated admin here so it needs to be handled by developers. A suggestion has been made to store it in a Z table in SAP, but we're trying to explore other options.
    Thank you.

    The SecureStore is a protected area only accessible via the SAP kernel functions. It is SAP standard (used by transactions such as SM59, etc) and is accessed by the system at runtime.
    But if you only want these connections to be temporarily available (so, without stored logon data) then there is a guru solution you might want to consider for those access in ABAP systems.
    For general password management of generic users or large numbers of them you can alternately also consider a [password-vault|http://www.google.com/#hl=de&source=hp&biw=1276&bih=599&q=password+vault&rlz=1R2ADSA_deCH392&aq=f&aqi=g3&aql=&oq=&gs_rfai=&fp=ec103d87630c3cc0] . These can however typically not be accessed at runtime.
    Shall I move this to the security forum, ABAP general, NW Admin or is someone still going to get themselves Guestified here? 
    Cheers,
    Julius

  • NSP ABAP Automatic Startup without logging on

    I have the ABAP trial version loaded on a standalone PC.
    I access the NSP system remotely, and rarely log onto the NSP system directly.
    Is there a way I can configure the system so that the NSP Server is automatically started at system startup, rather than when I log on?
    Many thanks
    Jack

    Hi Markus,
    Thank you for the suggestion, but the startup folder is only executed when you log in, just as the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run is also only run at logon.
    I was looking for a way to start it automatically after the system boots without the logon requirement.
    Kind Regards
    Jack

  • RemoteApp Icons on RD Web

    Hi All,
    I'm currently using a Server 2008 R2 Gateway solution.
    I have one server acting as RD Web / RD Gateway (I'll refer to it as RDWG), and a second server acting as the RD Connection Broker (RDCB).
    Originally the RDCB role was on the same server as RDWG, did some testing and it worked fine, and decided to move the RDCB to a seperate server.
    Both servers are members of eachother's TS Web Access Group, and both servers are members of TS Web Access on each Session Host.
    The Session Broker Computers group on RDCB is populated with multiple session hosts.
    I can publish an application as a remoteapp without incident, but its not publishing the icon set for each application. Applications that were tested when all roles were on the same server, are still shown under C:\Windows\Web\RDWeb\Pages\rdp on the RDWG.
    But new applications aren't generating anything in this path. 
    Instead the RD Web is just using a default RemoteApp icon.

    Hi,
    According to your description, this issue could be caused by some cache files which are previously downloaded on the Terminal server.
    Please try deleting the cache files on the web server C:\Windows\Web\RDWeb\Pages\rdp (default location). Delete all files in there and then try
    accessing the website again. This will force the web server to refetch all settings from the app server or connection broker.
    Hope this helps.

  • How to disable / skip logon screen

    Hi All,
    Is it possible to run a BW Web report from outside of Portal without Portal logon screen popup (pre-setup logon userid/pw)?
    Thanks, Jin

    That's called "Single Sign-On". It's not based on passwords but (e.g.) on SAP Logon Tickets (or X.509 Client Certificates).
    I'd suggest to have a look on the <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/1c/1368a5a588ff4a8bedc4039c03c40f/frameset.htm">Security Guide for SAP NetWeaver BI</a> -> <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/d1/b2f59ea671fc4b8ae74bda16648f88/frameset.htm">Authentication and Single Sign-On</a>.

  • Virtual Desktops theory questions

    Hello!
    Help me please clarify several questions on Windows Server 2012 R2 virtual remote desktop  infrastructure.
    Having read the following artcile http://windowsitpro.com/virtualization/virtual-desktop-infrastructure-part-2-finally-vdi
    "The Remote Desktop Connection Broker role service is really the brains of the VDI environment. It communicates with and controls the other components, working particularly closely with the Remote Desktop Session Host in redirection mode, which
    is why the Remote Desktop Connection Broker and Remote Desktop Session Host
    in redirection mode are frequently placed on the same OS instance. However, when you start having more than 250 simultaneous connections, you might need to consider breaking the roles onto separate servers.
    Remote Desktop Session Host in Redirection Mode
    The concept of using a Remote Desktop Session Host in redirection mode isn’t new.
    Remote Desktop Virtualization Host
    The Remote Desktop Virtualization Host role service is installed on any Hyper-V host that will be participating in a VDI pool. This role service lets the Remote Desktop Connection Broker
    role service communicate with the Hyper-V hosts, start and stop VMs, and gather internal information to enable client connections."
    ...I've concluded that RDSH and RDVH are the two separate roles that can be (and should be - according to the Figure1 !) installed onto the two separate OS instances (RDCB + RDSH in Redirection mode on one server and the RDVH on the other).
    But when it comes to deploying VDI in practice I don't see how it's possible to separate RDSH in Redirection mode and RDVH services. Moreover, if we look at the following  screenshots...
    http://blogs.technet.com/b/canitpro/archive/2013/04/25/step-by-step-deploying-virtual-desktops-with-windows-server-2012.aspx
    ...we'll see that on step 1 Add the Roles and features wizard "wants" to deploy the
    RDSH service while on step 3 the RDSH service transforms to the
    RDHV service.
    Q1) What does this service transformation means?
    Q2) Is it possible to have RDSH in Redirection mode and
    RDVH services on separate servers in Win2012?
    Q3) Is it possible when using pooled virtual desktop collection to set, for example, 2 cores per virtual desktops wich based on Template1 and 1 core per virtual desktops based on Template2?
    Thank you in advance,
    Michael

    "With RDSH, you will get RemoteApp, the "terminal sessions". Have you been around during Windows
    Server 2003 Tarminal Server? That´s it, but with additional RDWeb. RDSH is pretty much the same as Citrix XenApp overall." -
    yes, I understand.
    "You can setup VDI infra with only one server, you will need
    RDVH, RDWeb and RDConnector roles, that´s all. You don´t need RDSH role for running VDI.  -
    I'm agree... but if I have VDI up and running without RDSH why its item is present on Deployment Overview diagram???  Can't find corresponding documentation anywhere... :(
    Regards,
    Michael

  • Redirect Remote App to a Particular server

    Hi Guys,
    I have a terminal services farm with 2 RDS host servers 
    We are using published applications. Users logon and get their applications and then get redirected to either of the servers in the farm server 1 & server 2
    We seem to have an issue with one of the servers...I have published Wordpad to test this but I cannot seem to get logged onto server2 when I want to simulate the issue and begin troubleshooting
    I need to either be able to publish this app to just one server ? like Citrix ..but i dont think this can be achieved?
    Or have a user always logon to this server2 each time and not server 1 .
    I know I can disable logon for the server 1 but that would effect all apps.....
    Anyone have any ideas?

    Hi,
    Sorry to say but all servers which are member of same RD Farm name are expected to have access of all application installed. We cannot control which specific server in a RD Farm a user is directed to. Still we can configure RemoteApp under RDSH server and assign
    the user to connect to the specific RemoteApp by assigning RemoteApp User Assignment.
    By this way, suppose we install WordPad as RemoteApp on RDSH server 1 and Notepad as RemoteApp on RDSH server 2 then provide the access to the specific user to access that RemoteApp under user assignment and don’t allow under other App so that specific user
    can only access the assigned RemoteApp.
    Anyway for redirection of server is managed by RDCB and there are different ways now to handle such as DNS RR, NLB, Hardware Load balancer or Dedicated Farm redirection and it depends on you what you prefer for your environment.
    More detail.
    Introducing RemoteApp User Assignment
    http://blogs.msdn.com/b/rds/archive/2009/06/12/introducing-remoteapp-user-assignment.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Single Sign On and Command line

    Hi!
    We have application without any logon form which executed from command line by BAT file:
    app.exe Username Password par1 par2 ...
    where par1, par2... is parameters of application
    So question is: can Oracle Single Sign On set user credentials to the command line? Can we use OSSO for application without logon form?
    Thank you.

    SSO is for web apps, you could try to use OID to perform the autentification of your application but you should change your application so it looks for the users in LDAP.
    Greetings.

  • Sharepoint 2013 + Windows Server 2012 as reverse proxy

    Hello All -
    I'd like to ask if anyone has any experience with the new Windows Server 2012 (reverse) proxy, in providing a single sign-on service to Sharepoint 2013.
    Scenario:
    My client has a Sharepoint 2013 with 3 web applications (portal, teamsites, mysites). All three URLs are available externally via HTTPS only. All clients have AD credentials (no requirement for claims based authentication), although this includes 3 domains
    in two different forests (trusts exist). Everything is already configured to allow clients access from domain-joined devices.
    My client would like mobile devices (not domain-joined) to be able to access the three web applications without repeated logon prompts. Browser default settings must be used, they do not want to instruct people to perform any configuration on their mobile
    device - it all has to work "out of the box" from the client side. Clients will be using iPads and iPhones with Safari, Windows Phones, Androids etc.
    I'm considering proposing the use of a reverse-proxy, and rather than using the now depracated Forefront TMG or probably soon-to-be depracated UAG, I would like to jump straight in to the new and very cool looking Windows 2012 proxy server.
    It's my understanding that this will provide a single sign-on service in this scenario. I'm unsure whether an ADFS server is also required even for pass-through, the information available is unclear, and also whether any special configuration is required
    to a domain controller (DCs in the environment are all 2008R2, with 2008R2 functional level).
    I would appreciate it if anyone could give an overview or point me in the direction of some accurate documentation regarding all of the above. Most importantly, if any of my assumptions above seem incorrect, please let me know.
    Thank you!
    sysadmin

    I've heard no supportability statement with SharePoint and the Web Application Proxy (likely because it isn't GA yet).  However, it does use ADFS for SSO, so you'll have to SAML-enable your Web Applications.  The only downside to this is if you
    use anything that is SAML-unfriendly, like PowerPivot [Data Refresh] and at least in 2010, Visio Services and InfoPath Forms Services.
    Trevor Seward, MCC
    Follow or contact me at...
    &nbsp&nbsp
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Can not display BI report in Web ui

    I created reporting profile with both bi and interactive reporting active and assigned to the business role functional profile
    I gave the BI connection client in the report that I wanted. When I select the report in webu ui, it's taking me to a sign on pad. I assume this for BI sign on pad and When i enter sign on, it's not taking me any where.
    This just a standard report in CRM My top 5 quotations. All necessary steps in basic bi connection, basic sales analytics are done too
    How does the the connection between BI and crm works?
    Please advise

    Hi Experts,
    We are using Webiu 2007 with BI 7. 
    We linked our sandbox to RWT system to test the report output. In my CRS, I have source system RWT defined and the same way in BI also we have assigned CRS to link these systems together. It is my understanding that when we select the report, we are just calling the from BI into CRM.  I have done the following steps in CRM
    1) Created reporting profile in CRM analytics as both BI and CRM interactive reporting activated
    2) Assigned this reporting profile to business role
    3) I selected My-Top-5 quotation report and gave the BI system in display  bi reports
    4) I can see the report on webui.
    Problem: When I selected the report,  a logon pad appears and I enter RWT user id and password, it's doing nothing.  But, I have another user who is logging in for the first time got an error "Error loading template "OTPLB_OCRM_QUTO_Q0001_1 notification number BRAIN276". When the same new user tried to login second or third time, it's not showing the error and nothing is happening when we enter userid and pass word.  But, we can logon to GUI RWT.
    We tried to pull a query view report and web template reports see if we can display data. The BI team gave me couple of info objects keys. 
    1) I created the report with object key and type as one for 3.x template and one for 3.x query view
    2) Created logical links for these two reports and selected these two reports in business role. Now the reports are showing in webui
    3) When I select any of these, it taking to a blank screen without any logon screen. 
    BW team says that these reports are running with data in their system.
    Can someone please help?

Maybe you are looking for

  • USB Over Current Notice - Macbook Pro 2006

    I had an external hard drive connected to one of my USB ports, and I think the AC Power adapter it was using flipped out. The drive no longer works at all. The port (front left) does not work with any devices (powereded or not) now, but the other two

  • How do I get a logo (jpeg) into the Pages header?

    I can´t manage to get a jpeg into the papers header. How do I do?

  • SAPSCRIPT : Line Printing Three Times?

    Here is the code: Anybody see why this would print three times? /E   HEADER_TEXT                                                               L    <H>   </>                                                                 /:   INCLUDE &EKKO-EBELN& OB

  • Log Reader Agent error "could not execute sp_replcmds' and causes stack dump

    Publisher/Subscriber db:  SQL 2008 R2, 2000 compatability mode Distributor database is on separate server. (note:  There is another database on this instance that is running replication without error, it is not in compatibility mode) After snapshot a

  • Events Definition in Adobe Interactive Form

    Hi, I have a requirement to define a Button and handle the appropiate action in my BADI. I found out the appropiate BADI's method(SCENARIO_PROCESS_USER_COMMAND).I can include my coding here based on the USER COMMAND value. Now, I would like the defin