Forum Discussion

Marius_Roma
Nov 12, 2023
Solved

mstsc.exe, GPO and RD Session Host

I need to understand the relationship between the "Deny log on through Remote Desktop Services" (or "Allow log on through Remote Desktop Services") and the properties of Collections defined on RD Ses...
  • LeonPavesic
    Nov 13, 2023

    Hi Marius_Roma,

    The "Deny log on through Remote Desktop Services" and "Allow log on through Remote Desktop Services" policies are utilized to manage user or group access to a Remote Desktop Session Host (RD Session Host) server.
    If an RD Session Host collection is configured as "RemoteApp Programs," it is advisable to include domain users in the "Allow log on through Remote Desktop Services" policy to enable them to launch applications published by the RD Session Host.

    To prevent the use of mstsc.exe solely for accessing the desktop on the RD Session Host, you can tailor the "Allow log on through Remote Desktop Services" policy to only include users or groups requiring access to launch RemoteApp Programs. This strategy ensures users cannot log on to the RD Session Host server using mstsc.exe to access the desktop.

    For granting domain users or group members permission to launch applications published by an RD Session Host with a "RemoteApp Programs" collection, configure the following policies and settings:

    1. Adjust the "Allow log on through Remote Desktop Services" policy to encompass the relevant domain user or group members.
    2. Set up the "RemoteApp Programs" collection on the RD Session Host, including the desired published applications.
    3. Configure the "RemoteApp Programs" collection to encompass the domain user or group members authorized to launch the published applications.

    To restrict the same domain users or group members from using mstsc.exe to access the desktop on the RD Session Host, employ the following policies and settings:

    1. Utilize the "Deny log on through Remote Desktop Services" policy to specify the relevant domain user or group members.
    2. Configure the "RemoteApp Programs" collection on the RD Session Host, including the desired published applications.
    3. Adjust the "RemoteApp Programs" collection to include the domain user or group members authorized to launch the published applications.

    Here are some useful links:
    mstsc | Microsoft Learn
    winaero.com
    woshub.com

    Please click Mark as Best Response & Like if my post helped you to solve your issue.
    This will help others to find the correct solution easily. It also closes the item.

    If the post was useful in other ways, please consider giving it a Like.

    Kindest regards,

    Leon Pavesic
    (LinkedIn)
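The procedure in the reply above (grant the logon right, build the RemoteApp collection, assign the user group) is usually done in Server Manager, but it can be checked and applied from PowerShell. The following is an added example, not code from the original post or from Microsoft; it assumes an RDS deployment with a Connection Broker named rdcb.contoso.local, a RemoteApp collection named "Finance Apps" and a domain group CONTOSO\RemoteApp Users, all of which are hypothetical. It exports the host's effective user-rights assignments with secedit to show which principals currently hold (or are denied) "log on through Remote Desktop Services", then sets the collection's user group with the RemoteDesktop module cmdlets. One caveat worth keeping in mind when combining the two policies: a principal listed in the Deny right is blocked even if it is also listed in the Allow right.

```powershell
# Added example (not from the original post). Names below are assumptions;
# replace them with your own deployment's broker, collection and group.
$Broker     = 'rdcb.contoso.local'        # assumed RD Connection Broker FQDN
$Collection = 'Finance Apps'              # assumed RemoteApp collection name
$Group      = 'CONTOSO\RemoteApp Users'   # assumed domain group to publish to

function Get-RdsLogonRights {
    # Export the user-rights area of the local security database. After a policy
    # refresh this reflects the "Allow/Deny log on through Remote Desktop Services"
    # settings delivered by GPO, so it shows what is actually in force on this host.
    $cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        foreach ($line in Get-Content $cfg) {
            # SeRemoteInteractiveLogonRight     = Allow log on through RDS
            # SeDenyRemoteInteractiveLogonRight = Deny log on through RDS
            if ($line -match '^(Se(Deny)?RemoteInteractiveLogonRight)\s*=\s*(.*)$') {
                $right = $Matches[1]
                # secedit writes principals as "*S-1-5-32-555,*S-1-5-21-..."; resolve
                # each SID to a DOMAIN\Name account where possible.
                $names = $Matches[3] -split ',' | ForEach-Object {
                    $id = $_.Trim().TrimStart('*')
                    try {
                        ([System.Security.Principal.SecurityIdentifier]$id).Translate(
                            [System.Security.Principal.NTAccount]).Value
                    } catch {
                        $id   # keep the raw value if it is not a resolvable SID
                    }
                }
                [pscustomobject]@{ Right = $right; Principals = ($names -join '; ') }
            }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# Step 1: inspect what the GPO produced on this RD Session Host. If the group you
# want to publish to appears under SeDenyRemoteInteractiveLogonRight, the deny
# wins and the RemoteApp launch will fail regardless of the Allow setting.
Get-RdsLogonRights | Format-Table -AutoSize

# Step 2: assign the group to the RemoteApp collection. -UserGroup replaces the
# collection's whole user-group list, so pass every group that should keep access.
Set-RDSessionCollectionConfiguration -CollectionName $Collection `
    -UserGroup $Group -ConnectionBroker $Broker

# Step 3: confirm the group assignment and list the applications the collection publishes.
(Get-RDSessionCollectionConfiguration -CollectionName $Collection -UserGroup `
    -ConnectionBroker $Broker).UserGroup
Get-RDRemoteApp -CollectionName $Collection -ConnectionBroker $Broker |
    Select-Object DisplayName, FilePath, CommandLineSetting
```

Run this from an elevated PowerShell session on a server that is part of the RDS deployment (the RemoteDesktop module ships with the RDS role and with RSAT). Re-running Get-RdsLogonRights after `gpupdate /force` is a quick way to confirm that a newly linked GPO has actually landed on the session host before testing with mstsc.exe or the RemoteApp feed.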
