2 questions regarding terminal services

royalroyal Member Posts: 3,352 ■■■■□□□□□□
1. I have terminal services set to automatically open c:\windows\system32\calc.exe when a user logs onto their terminal services session. This works fine and users can only see calc.exe and nothing else. When they close calc.exe, why isn't it logging the user out? I have tried this on 2 different labs and same thing.

2. I log onto a domain user who is in the remote desktop users group. He can log onto his machine fine. Now, that user uses RDC to log into his terminal services session which he logs into fine. Now, this user can view active directory users & computers, etc.... I know I can lock this down in group policy but that would affect both console logon to their own machine and to their terminal services session. How can I lock their terminal services session down where it wont affect their console session. Also, when they do the terminal services session to the server, they have access to the shut down button through their start button instead of disconnect. Why isn't the terminal services session being locked down? Thanks.
“For success, attitude is equally as important as ability.” - Harry F. Banks


  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    Still dunno how to solve #1

    I did figure out how to solve #2. I put my terminal server into its own OU. Then applied a new GPO to that OU and assigned group policy settings to the user section like don't show control panel. At first I was like why aren't any of the user settings such as disable the control panel working. This is because it is a server and you have to turn loopback processing gpo to enabled for those gpo settings to be applied to terminal service connecting users. Would've been nice if the MSPRESS/Sybex/CBT Nuggets spoke of the loopback processing setting would've mentioned how to get GPO settings apply to connecting users by using the loopback processing.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    That's good info icroyal, thanks. I didn't really understand your issue and didn't have time to query you for more info when I first saw your post.

    I had to use the GP Loppback as well, because I have a standard GPO that says all users get the same 10 minute/pw protected screensaver. However I have an OU with a few computers that are used in meetings for presentations (conference rooms) that we didn't want to have a p/w protected screensaver kick on regardless of who logged in (they could sit and talk about a slide for 30 minutes sometimes) so by setting the GP loopback processor to use machine policy over user policy (replace mode) I was able to accomplish that.

    RE question #1 - Have you set this option in Computer or User config? Computer config overrides, so make sure you have it set there to "not configured" if you only want this to happen for specific users.

    As a workaround, try creating a batch file that opens calc with a start /w option and on the next line use "shutdown -l -f". It would look like this:

    start /w calc.exe
    shutdown -l -f

    Have the GPO start the batch file instead of calc. It should open calc and wait until it closes to run the next line, which is a logoff.
    All things are possible, only believe.
Sign In or Register to comment.