Restricting to Desktop

Similar Messages

• Export security restrictions on Desktop software

  A friend in Namibia has asked me to send version 4.5 of the desktop manager for their blackberry curve (everytime they try to download it, their internet crashes).  Is Namibia a restricted country?  Can I legally send a copy to him? 
  I know that Namibia is not shown in teh country list at www.blackberry.com, but I don't know what that means...
  Thanks for any guidance you can provide!

  legally, you can do that as far as I know.
  The search box on top-right of this page is your true friend, and the public Knowledge Base too:

• Lync Application and Desktop Sharing - Restrict remote access/Telnet

  I have a customer and they are paranoid about using Lync application/desktop sharing which could potentially enable remote users from getting into their internal IT systems.  They are asking if we could restrict application/desktop sharing specifically
  for appls with remote access capabilities (e.g. Telnet, etc.)? Anyone could share any information relating to this? Thanks!

  We can’t do this with Lync Server natively. Maybe you want to vote idea at
  http://lync.ideascale.com/a/dtd/Limit-AppSharing-for-specific-applications/467874-16285
  Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found
  there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
  Lisa Zheng
  TechNet Community Support

• [Forum FAQ] Restrict number of Active Sessions in RDS 2012 and 2012 R2

  As everyone knows with the introduction of Windows Server 2012 & 2012 R2, there are various changes and no more availability for RDSH configurations or Remote Desktop Service Manager;
  now we can manage all the settings under Server Manager and group policy.
  Configuration 1: Remote Desktop Timeout settings:
  Here, we will see the Remote Desktop timeout settings. You can maintain the settings under below mention path (Figure 1 and Figure 2).
  Open the
  Server Manager, select Remote Desktop Services.
  In Remote desktop Services, in right side you can drop down to
  collections.
  Select the
  collection which you want to edit the settings.
  Under
  collections Properties, select Task and then Edit Properties.
  In Properties dialog box, select
  Session.
  You can find all the
  timeout settings under session collection properties; edit according to your requirements and then
  OK.
  Figure 1: Selecting Collection Properties
  Figure 2: Configuring screen for Timeout and reconnection Settings
  Group policy setting:
  The same settings can also be applied by Group Policy.
  You can also configure timeout and reconnection settings by applying the following Group Policy settings, you can check the figure 3 for graphical view.
  Set time limit for disconnected sessions
  Set time limit for active but idle Remote Desktop Services sessions
  Set time limit for active Remote Desktop Services sessions
  End session when time limits are reached
  In addition to this another group policy available with the help of which you can bale to set time limit for logging off the RemoteApp according to our desired time. This setting
  can be applied with addition to above mentioned policy.
  Set time limit for logoff of RemoteApp Sessions
  These Group Policy settings are located in the following locations:
  Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits
  User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits
  These Group Policy settings can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC).
  Note:
  These Group Policy settings will take precedence over the settings configured in Remote Desktop Session Host Configuration. If both the Computer Configuration and the User Configuration policy
  settings are configured, the Computer Configuration policy settings take precedence.
  Figure 3: Group Policy for setting Timeout and reconnection setting
  Configuration 2:
  Restrict & Enable user to a single & multiple session
  Under Windows Server 2012 & 2012 R2, there is no specific setting under RDP-TCP as it is not available.
  Restrict User to Single session:
  To restrict the user to single session (Disable Multiple RDP Session) you can configure the setting under group policy (Figure 4).
  Computer Configuration\ Administrative Templates\ Windows Components\ Remote Desktop Services\ Remote Desktop Session Host\ Connections
  Restrict Remote Desktop Services users to a single Remote Desktop Services session     Enabled
  Figure 4: Group policy for Restrict user to Single session
  Enable user to multiple session:
  To enable the user to multiple session you can configure the setting under below (Figure 5).
  Computer Configuration\ Administrative Templates\ Windows Components\ Remote Desktop Services\ Remote Desktop Session Host\ Connections
  Restrict Remote Desktop Services users to a single Remote Desktop Services session     Disabled
  Figure 5: Group Policy for Enable user to Multiple Session
  In addition you can also edit the registry setting for allowing multiple RDP session as per below (Figure 6).
  HKEY_Local_Machine\SYSTEM\CurrentControlSet\Control\Terminal Server
  fSingleSessionPerUser     REG_DWORD     0x00000000
  Note: By default the registry value is set to 1, but you need to change to 0.
  Figure 6: Display the registry settings
  Also you can edit the policy “Limit number of connections” and set RD Maximum collection as per your company
  requirements (Maximum limit: 999999) for above mention group policy path (Figure 7).
  Figure 7: Group Policy for Limit number of Connections
  Apart from this, if you have not specified any policy or registry setting and still you want to restrict the new session, then in Windows Server 2012 & 2012 R2 there is option where you
  need to follow below steps (Figure 8 and Figure 9).
  Right click a Remote Desktop Session Host in specified location of Host Server and select “Do not allow new connections”.
  After clicking that it will ask you for your confirmation, click yes and no new connection will be allowed.
  Figure 8: Setting displaying “Do not allow new connections”
  Figure 9: Confirmation popup
  RD Gateway Connection Properties:
  If you have deployed RD Gateway under your environment you can also limit the number of simultaneous connections through RD Gateway by configuring
  policy under RD Gateway Manager. For this you need to follow below mention path.
  Open RD Gateway Manager, select the server which you want to modify.
  Right click Properties.
  Under General Tab
  -Limit maximum allowed simultaneous
  connections to:Specify the number of connection you want to able to provide connection.
  -Allow the maximum
  supported simultaneous connections:This
  setting will allow maximum supported connections at a time.
  -Disable new connections:This
  setting will not allow new connections through RD Gateway but Active connection will not be automatically disconnected.
  Select the option as per requirement which able to allow the connection
  Figure 10: Connections setting under RD Gateway Manager
  Configuration 3: Configure keep-alive connection interval
  As per above mention in initial post you can able to change the setting for Keep alive connection interval. In addition to this also verify the
  registry setting must be set as per following (Figure 11 and Figure 12).
  HKEY_Local_Machine \ SOFTWARE \ Policies \ Microsoft \ Windows NT \ Terminal Services
  KeepAliveEnable       REG_DWORD           0x00000001 (1)
  KeepAliveInterval     
  REG_DWORD           0x00000001 (1)
  Figure 11: Group Policy setting for Keep alive
  Figure 12: Registry setting for keep alive
  If you need further assistance, welcome to post your questions in our
  Remote Desktop Services (Terminal Services) forum.
  If you would like to achieve this in Windows Server 2008 or Windows Server 2008 R2, please move on to the next post.

  Applies to Windows Server 2008 and Windows Server 2008 R2
  Configuration 1: Remote Desktop Timeout settings:
  1. Open the property dialog for RDP-Tcp connection in Remote Desktop Services Manager.
  2. In the Sessions tab, you can configure the following settings:
  Active Session Limit
  Idle session limit
  Action when session limit is reached or connection is broken
  End a disconnected session
  Additionally, you can configure the settings with the help of Group Policy also by below mention path.
  Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits
  User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits
  Configuration 2: Restrict each user to a single session
  By using this configuration or policy setting, each user can only maintain one session to the certain terminal server; when another session is started by the same user, the original one will
  lose the connection. In that way, the total number of possible active sessions won’t exceed the total remote users. You can implement this as below mention steps.
  Remote Desktop Host (RDP-Tcp) configuration:
  Edit Settings – Restrict each user to a single session: Yes
  Group Policy: Computer Configuration\Administrative Templates\Windows Components\Remote Desktop
  Services (Terminal Services)\Remote Desktop Services Session Host (Terminal Server)\Connections\
  Restrict Remote Desktop Services (Terminal Services) users to a single remote session:    Enabled
  Configuration 3: Configure keep-alive connection interval
  By specifying the minutes that the TS holds a remote session actually disconnected, the server will detect the session status after each period. The session that are actually offline will
  be changed to disconnected status:
  Group Policy:  
  Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services (Terminal Services)\Remote Desktop Services Session Host (Terminal Server)\Connections\
  Configure keep-alive connection interval:         Enabled and Specify the Value
  Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

• How to disable or remove Remote Desktop in Windows 7 Pro

  Hello,
  I need to be able to disable, turn off, uninstall, or restrict Remote Desktop Connection completely on student laptops running Windows 7 Pro. The students do not take their laptops home.
  Can someone please assist me with a definite way to remove the possibility of it's use by students?
  Thank you

  Hi,
  Check this KB: How to disable Remote Desktop by using Group Policy
  You can also use the Applocker feature to block the remote desktop program or don't run specified Windows applications
  Revue du Geek |
  Déployer Windows 7 avec MDT 2010

• Enabling remote desktop access to a simple windows 2012 datacenter edition server

  Hi,
  I am a complete noob to server administration. I installed a windows 2012 server initially as a workgroup. All i need is to enable a user to remotely access my server(using remote desktop). The firewall that I use is Gibraltar.
  I read that to enable remote desktop services my server has to be part of a domain. So i promoted my server to a domain name controller. Using active directoty I added a user to the domain. I also read that to make remote desktop more secure, I have to request
  the user to login through a VPN. 
  Now here is where I am completely lost. Do i really need to move my server to a domain, if the user just wants access to this server and nothing else? Should i restrict remote desktop access only through VPN
  and if so, how can i do that? Further, the server dashboard gives me notifications about 'remote desktop licensing' not configured. We got the software as a campus licensing and I am not sure how to configure the remote license server. Any opinions are highly
  appreciated.

  If you're just trying to setup this to allow administration access then I don't believe you need it to be a member of a domain. There's a difference between allowing remote desktop access for administration, and setting up full terminal services access for
  multiple users. The latter requires a lot more work and licensing unlike the former.
  To simply allow admin access, open an explorer window and right click on Computer, then select properties. In the System window that appears, click Remote settings on the left. Now in the bottom half of the window select "Allow remote connections to this
  computer" and leave the option requiring NLA in place. Click Select Users..., you'll see that the administrator user already has permissions to connect, so if you're only planning to connect with that then you're finished, otherwise find those users you
  want to grant access.

• A Sysprep question on SID changes

  Hello,
  I have an issue with Sysprep and the Generalize option in WIN 7.
  According to all M/S conventional wisdom I need to run this pass to remove COMPUTER NAME and SID's on a machine that I am going to deploy to the field multiple times.  I have created on the image a local user with restriction on desktop access
  via an LGPolicy.  Sort of like a Kiosk in a mall.
  When I run the GENERALIZE option, I lose the LGP restrictions on the local user because of the SID change.  Now I know after reading a metric-boatload of email and forum threads about being able to copy the .pol files and the USER/MACHINE folders
  to the new machine...  basically I've tried and it doesn't really work without alot of extra work after the fact.  Now I know stuff  like this can be scripted for automation... but I would like to shake the trees and get a response from the
  community to this thought...
  Why do I need to change the SID's on a machine that will NEVER connect to the network behind the firewall, only thru a VPN. All applications a client/server based and or Web based.  So there is no need to ID the machine or the user.  Since the
  user logs in via the VPN.  It is joined to the domain upon Imaging for any updates etc.. and registered in AD,  but after that it will NEVER touch the domain unless it is through a VPN. SO WHY RUN THE GENERALIZE PASS AT ALL?? Other than changing
  the computer name.. which I can do elsewhere. I dont need the SID change.
  This machine is used as a Mobile Data Terminal in a Public Safety environment, so I want to lock it down and have it autologin to a user upon powerup/reboot.  I do this to keep it simple for the officers to use.
  I have an Image that works, I just want to clone it to the field.
  any thought from the assembled masses??
  Warren Harris
  City of Dallas Mobile Technology Center

  Are you using Windows 7 Embedded or Enterprise?
  On a retail desktop OS, there shouldn't be any user accounts created at the time if you deploy your source OS to Audit Mode by default. I would then create a user group and assign policies to that group. Then when you sysprep the machine, the user account
  you create, specify the Group name you created (as opposed to Users or Administrators) and see if the changes still remain.
  Note that I have not actually set a local security policy in an image before. I just did a test where I disabled the UAC's Secure Desktop while in Audit Mode and did a sysprep/generalize and the setting was NOT lost. I tested on Windows 7 Ultimate SP1 x64.

• Another user of your computer is currently using this connection. This user must disconnect before you can log on.

  Hello
  I have a single computer that is going to be shared between 5 people. In an effort to save time. I wanted the users to have a single shared LOCAL login to the computer.
  Then each user could pull up an RDS session through RDWEB on our 2012 r2 RDS farm.
  However, when I attempt to log in more than one user through RDWEB I receive:
  Another user of your computer is currently using this connection. This user must disconnect before you can log on.
  I have done some research on this, and followed this advice, and did the following steps on all my RDS session host and broker servers
  Enable Multiple RDP Sessions
     -  Log into the server using Remote Desktop.
     - Open the start screen (press the Windows key) and type gpedit.msc and open it
     - Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections.
     - Set Restrict Remote Desktop Services user to a single Remote Desktop Services session to Disabled.
     - Double click Limit number of connections and set the RD Maximum Connections allowed to 999999.
  However, it did not solve the problem. Anyone have suggestions?

  Hi Michael,
  In addition you can try below registry setting for multiple remote session.
  HKEY_Local_Machine\SYSTEM\CurrentControlSet\Control\Terminal Server
  fSingleSessionPerUser     REG_DWORD     0x00000000
  Note: By default the registry value is set to 1, but you need to change to 0.
  Also if you are making connection through gateway then recheck whether the setting is enabled on gateway side for multiple session.
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Cannot log back into a disconnected RD session

  I have a 2012 R2 domain server that I RD into frequently. None of the GPO's I have are effecting RD. I need to have the ability to disconnect a RD session and reconnect to the same session. It seems like after about 20min the disconnected session just disappears
  and anything i had running in it closes. I have tried setting the local policies without luck. secpol > local policies > security options > Microsoft network server: Amount of idle time required before suspending session to 1440.
  gpedit.msc on local machine
  Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\ all to disable
  User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\ all to disable
  Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Configure keep-alive connection interval to Disabled
  Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Restrict Remote Desktop Services users to a single Remote Desktop Services session  to Enable
  I have tried to add remote desktop services\remote desktop session host but it wants a license server and this is only on a local machine. How can i get the ability to log back into a disconnected RD session. Like we were able to do before 2012?
  Thanks in advance for your help.
  Thanks for your help

  Hi,
  The behavior could be caused by domain group policy settings, I would suggest you double check group policy settings by running command below:
  GPresult /h filepath:filename.
  More information for you:
  Gpresult
  https://technet.microsoft.com/en-us/library/cc733160.aspx?f=255&MSPPError=-2147217396
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• X305-Q705 - GPU and CPU upgrades possible?

  Question 1:
  I know that on some models have 2 GPUs.
  How can I upgrade the 9700M GTS and can I use crossfire or SLI?
  Question 2:
  What is the CPU I can buy for my laptop?
  Many thanks,
  Zyon

  Raver. What makes you think SLI is restricted to desktops only? There are plenty of notebooks out there with dual GPUs in SLI configuration including higher spec versions of this one. The x305-q706 has dual 9700m GTS's in SLI
  This notebook will support most dual and quad Penryn processors upto QX9300. but upgrading will be trouble because the motherboard has to be removed first because there is no easy access to the CPU from underneath the notebook.
  But ravers right with not needing to upgrade, It has plenty of power at the moment.

• RDP with shadow switch on 2008 R2

  I have a problem with accessing remote session on Windows Server 2008 R2 by using this command:
  mstsc /v:172.20.0.1 /shadow:2
  Session ID is correct. The command is executed from another 2008 R2 server. On both there is the newest mstsc version 6.3.9600 (Remote Desktop Protocol 8.1 supported). While trying to connect this error occurs:
  Shadow Error
  The version of Windows running on this server does not support user shadowing.
  On the RDSH I have set up these options:
  Computer Configuration/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections
  Policy: Set rules for remote control of Remote Desktop Services user session
  Setting: Enabled
  Options: Full Control with user's permission
  Policy: Restrict Remote Desktop Services users to a single Remote Desktop Services session
  Setting: Enabled
  There is no problem to connect to Windows Server 2012 R2 with these settings.

  Hi,
  Thank you for posting in Windows Server Forum.
  Did you find any particular error\event id for your case?
  You might also face the error if you are trying to shadow when Aero is enabled. As the error occurs because Aero is not supported within a shadowed session. To work around this issue, do not attempt to shadow a client with Aero enabled.
  Also please check below steps.
  SYMPTOMS
  Consider the following scenario:
  1. You start a Remote Desktop session to a Remote Desktop server from a computer that is running Windows Server 2008 R2 or Windows 7. 
  2. You remotely control another Remote Desktop session. This is known as "shadowing." 
  3. You run an application that displays bitmaps in the remotely controlled Remote Desktop session. For example, you open a Control Panel item. 
  In this scenario, the remote control session fails, and you receive the following error message:
  "Because of a protocol error, this session will be disconnected. Please try connecting to the remote computer again."
  CAUSE
  The issue occurs because Remote Desktop Connection (RDC) 7.0 does not handle the monochrome bitmap pattern brush correctly.
  RESOLUTION:
  Please refer to the hot-fix KB:
  Error message when you shadow a remote desktop service session in Windows Server 2008 R2 or in Windows 7: "Because of a protocol error, this session will be disconnected. Please try connecting to the remote computer again."
  http://support.microsoft.com/kb/2273487/en-us
  Please install the hot-fix to see whether the issue still exists.
  Hope it helps!
  Thanks.
  Dharmesh Solanki

• Policy Issue

  Hi
  I have a normal user policy apply at the OU level to restrict some desktop
  setting like accessing control panel, changing wallpaper, and so for, and
  the OU container has 10 users which get the normal user policy applying
  onto their desktop everytime they login on to the systems. One of the
  users in this container is a superuser, So i created a policy called Admin
  user policy and applied to his account only. When he login , he still
  getting the normal user policy applied to him. Is there a way to filter
  off the normal user policy from container level so that it only apply to
  the rest of the users except him.

  Specifically Reverse the more restrictive policies in the Admin Policy.
  "Chee Ang" <[email protected]> wrote in message
  news:fz3Bi.1784$[email protected]..
  > Hi
  >
  > I have a normal user policy apply at the OU level to restrict some desktop
  > setting like accessing control panel, changing wallpaper, and so for, and
  > the OU container has 10 users which get the normal user policy applying
  > onto their desktop everytime they login on to the systems. One of the
  > users in this container is a superuser, So i created a policy called Admin
  > user policy and applied to his account only. When he login , he still
  > getting the normal user policy applied to him. Is there a way to filter
  > off the normal user policy from container level so that it only apply to
  > the rest of the users except him.
  >

• Trying to calibrate 17" screen AND Cinema Display 20"; 17" is way off

  I've just bought an Apple Cinema display and calibrated it using Eye One software and calibration device. The color on the 20" seems accurate. When I create a profile on the PB the resulting color in NO WAY matches the 20" Display. I would have thought a calibration device would see the difference in color each display emits and produce a "neutral" profile. I know the PB display will have less luminosity and contrast, but the colors are so much warmer, redder.
  I wonder if I should just do it by eye -- as all I really want is for them to be close (and us the 20" for photo retouching...
  Any thoughts?
  Thanks!

  It can be very difficult to get an LCD monitor screen to match an LCD notebook screen because they are, in many ways, like cats and dogs. Because of the need to run for a reasonable amount of time from a battery, a notebook display has to be a low power device. They typically operate at less than 10 watts. Lacking that restriction, a desktop monitor can have more backlights, brighter backlights and thicker color filter material, which results in extended color gamut, compared with a notebook screen. So trying to make two such devices color match can be a fruitless exercise. I like your idea of eyeballing it. Ironically, you might get a better result than a color calibrator.

• No disconnect warning when multiple remote users use same username and password to logon to VM

  I created a single user account to be used by multiple users to access a system consisting of multiple VMs. The problem is that when User #1 has an active session and User #2 attempts to log onto the same VM User #1's session is ended without
  warning. Now if User #1 has an active session and User #2 attempts to log onto the same VM using different credentials a [Remote Desktop Connection] dialog displays alerting User #1 that User #2 wants to connect and gives an option to disconnect or stay connected.
  Realizing that the latter preferred behavior is because the two Users are using different credentials I would like to know if the same preferred behavior of alerting the Users of active connections can be enabled for instances when both Users are using
  the same credentials - perhaps by recognizing that their remote ips are different or something.

  not sure if this fits your case exactly. there was another similar question asked in the forum and the solution was:
  You may set this via group policy, for example, in the server's local policy using gpedit.msc:
  Computer Configuration\ Administrative Templates\ Windows Components\ Remote Desktop Services\ Remote Desktop Session Host\ Connections\
  Restrict Remote Desktop Services users to a single Remote Desktop Services session     Disabled
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/a26af954-c2ef-4beb-b892-9e7717518850/allowing-users-to-open-multiple-remote-sessions-on-windows-server-2012-rds?forum=winserverTS

• RDP Causing multiple logins on one user

  So recently, whilst adjust my wamp server, RDP decided to do something I have not yet experienced. i have my system set with a password and set to auto login to the only active user. but now, after doing nothing related to users/logins or RDP, when i open
  an rdp session, it acts like it is loging in for the first time (all startup programs...start) and it doesnt log out the main session, thusly causing it to run 2 of all the programs, which is causing conflicts.
  Thanks for any help.

  Hi,
  Here for your issue, I can say that you can check the connection settings of RDSH server under group policy. You can set in Server’s local policy using
  gpedit.msc for this setting “Restrict Remote Desktop Services users to a single Remote Desktop Services session” under below mention path.
  Computer Configuration\ Administrative Templates\ Windows Components\ Remote Desktop Services\ Remote Desktop Session Host\ Connections\
  In addition you can also try to edit server’s registry setting.
  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
  fSingleSessionPerUser     REG_DWORD     0x00000000
  Refer below article for more information: (you can refer for GPO setting)
  Restrict Users to a Single Session
  http://technet.microsoft.com/en-us/library/cc754762.aspx
  Hope it helps!
  Regards.