Forum Discussion
mstsc.exe, GPO and RD Session Host
I need to understand the relationship between the "Deny log on through Remote Desktop Services" (or "Allow log on through Remote Desktop Services") and the properties of Collections defined on RD Session Hosts.
If a collection on an RD Session Host is configured as "RemoteApp Programs" should I insert the domain users in the "Allow log on through Remote Desktop Services"?
If a domain user is inserted in "Allow log on through Remote Desktop Services" how can I inhibit the use of mstsc.exe to simply access the desktop on the RD Session Host?
Wich policies and settings sould I set in order to:
- allow a domain user or group members launch applications publisched by a RD Session Host (with a collection configured as "RemoteApp Programs")
- inhibit the same domain user or group members from using mstsc.exe to access the desktop on the same RD Session Host
Regards
Hi Marius_Roma,
The "Deny log on through Remote Desktop Services" and "Allow log on through Remote Desktop Services" policies are utilized to manage user or group access to a Remote Desktop Session Host (RD Session Host) server.
If an RD Session Host collection is configured as "RemoteApp Programs," it is advisable to include domain users in the "Allow log on through Remote Desktop Services" policy to enable them to launch applications published by the RD Session Host.To prevent the use of mstsc.exe solely for accessing the desktop on the RD Session Host, you can tailor the "Allow log on through Remote Desktop Services" policy to only include users or groups requiring access to launch RemoteApp Programs. This strategy ensures users cannot log on to the RD Session Host server using mstsc.exe to access the desktop.
For granting domain users or group members permission to launch applications published by an RD Session Host with a "RemoteApp Programs" collection, configure the following policies and settings:
- Adjust the "Allow log on through Remote Desktop Services" policy to encompass the relevant domain user or group members.
- Set up the "RemoteApp Programs" collection on the RD Session Host, including the desired published applications.
- Configure the "RemoteApp Programs" collection to encompass the domain user or group members authorized to launch the published applications.
To restrict the same domain users or group members from using mstsc.exe to access the desktop on the RD Session Host, employ the following policies and settings:
- Utilize the "Deny log on through Remote Desktop Services" policy to specify the relevant domain user or group members.
- Configure the "RemoteApp Programs" collection on the RD Session Host, including the desired published applications.
- Adjust the "RemoteApp Programs" collection to include the domain user or group members authorized to launch the published applications.
Here are some useful links:
mstsc | Microsoft Learn
winaero.com
woshub.comPlease click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
(LinkedIn)
Hi Marius_Roma,
The "Deny log on through Remote Desktop Services" and "Allow log on through Remote Desktop Services" policies are utilized to manage user or group access to a Remote Desktop Session Host (RD Session Host) server.
If an RD Session Host collection is configured as "RemoteApp Programs," it is advisable to include domain users in the "Allow log on through Remote Desktop Services" policy to enable them to launch applications published by the RD Session Host.To prevent the use of mstsc.exe solely for accessing the desktop on the RD Session Host, you can tailor the "Allow log on through Remote Desktop Services" policy to only include users or groups requiring access to launch RemoteApp Programs. This strategy ensures users cannot log on to the RD Session Host server using mstsc.exe to access the desktop.
For granting domain users or group members permission to launch applications published by an RD Session Host with a "RemoteApp Programs" collection, configure the following policies and settings:
- Adjust the "Allow log on through Remote Desktop Services" policy to encompass the relevant domain user or group members.
- Set up the "RemoteApp Programs" collection on the RD Session Host, including the desired published applications.
- Configure the "RemoteApp Programs" collection to encompass the domain user or group members authorized to launch the published applications.
To restrict the same domain users or group members from using mstsc.exe to access the desktop on the RD Session Host, employ the following policies and settings:
- Utilize the "Deny log on through Remote Desktop Services" policy to specify the relevant domain user or group members.
- Configure the "RemoteApp Programs" collection on the RD Session Host, including the desired published applications.
- Adjust the "RemoteApp Programs" collection to include the domain user or group members authorized to launch the published applications.
Here are some useful links:
mstsc | Microsoft Learn
winaero.com
woshub.comPlease click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
(LinkedIn)
