SOLVED

Remote Desktop Services

I implemented Remote Desktop Services on a Windows Server 2019 member of an Active Directory domain.
On the "RD session host" I created a session collection to publish some applications.
Now the "Resource type" of the collection is "RemoteApp Programs".
From a client I start Remote Desktop Connection (mstsc.exe) and I see that I can create a Remote Desktop session, enter the username and password of a generic domain user and access the whole of the desktop of the RD Session Host.
As a generic domain user I would expect to be able to connect only via Web Access, not via Remote Desktop Connection.
Is it normal behavior?
Is there any error in the configuration of the RD session host, of the AD domain or of the Collection?
Regards

1 Reply
best response confirmed by Marius_Roma (Brass Contributor)
Solution

Hi @Marius_Roma,

Yes, it is considered normal for users to connect to the full desktop of the RD Session Host using the Remote Desktop Connection client (mstsc.exe). The Remote Desktop Services role allows users to access either the full desktop or individual RemoteApp programs based on the configuration and user permissions.

If you wish to restrict users to using only RemoteApp programs without full desktop access, you can follow these steps:

1. User Configuration: Navigate to User Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Remote Desktop Session Environment. Enable and configure "Start program on connection" while disabling "Always show desktop on connection".

2. AppLocker: Use AppLocker to restrict unwanted applications.

3. RemoteApp User Assignment: Consider RemoteApp User Assignment, which displays a customized list of RemoteApp programs specific to the logged-on user in RD Web Access and RemoteApp and Desktop Connections.


Introducing RemoteApp and Desktop Connections - Microsoft Community Hub

RDS 2019 Server: ways to restrict Full RDP, Allow RemoteApp only. - Microsoft Remote Desktop Service...

Introducing RemoteApp User Assignment - Microsoft Community Hub

Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it a Like.


Kindest regards,


Leon Pavesic
(LinkedIn)
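
The three steps in the reply above can be checked from PowerShell on the session host. This is an added audit example, not part of the original reply: the broker name, collection name and test account are placeholders, and the two registry value names are assumed to be the ones the Terminal Services policy template writes, so confirm them against your own ADMX files.

```powershell
# Added audit example; run elevated on the RD Session Host.
# The three defaults below are placeholders, not values from the thread.
param(
    [string]$Broker     = 'rdcb.example.test',
    [string]$Collection = 'PublishedApps',
    [string]$TestUser   = 'EXAMPLE\generic.user'
)
Import-Module RemoteDesktop, AppLocker

# Step 1: policy values (names assumed from the Terminal Services template).
# User Configuration settings land in HKCU, so run this part as the test user.
$tsKey = 'Software\Policies\Microsoft\Windows NT\Terminal Services'
'HKCU:', 'HKLM:' | ForEach-Object {
    $p = Get-ItemProperty -Path "$_\$tsKey" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Hive              = $_
        StartProgram      = $p.InitialProgram         # "Start program on connection"
        AlwaysShowDesktop = $p.fTurnOffSingleAppMode  # want 0 or unset
    }
} | Format-Table -AutoSize

# Step 2: AppLocker enforces only if the Application Identity service runs
# and the rule collection mode is Enabled rather than AuditOnly/NotConfigured.
"AppIDSvc status: $((Get-Service -Name AppIDSvc).Status)"
$policy = Get-AppLockerPolicy -Effective
$(foreach ($rc in $policy.RuleCollections) {
    [pscustomobject]@{ Type = $rc.RuleCollectionType; Mode = $rc.EnforcementMode; Rules = $rc.Count }
}) | Format-Table -AutoSize
# Decision the effective policy gives the test user for two shells.
$probe = "$env:windir\System32\cmd.exe",
         "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe"
Test-AppLockerPolicy -PolicyObject $policy -Path $probe -User $TestUser |
    Select-Object FilePath, PolicyDecision | Format-Table -AutoSize

# Step 3: an empty UserGroups on a RemoteApp means it inherits the collection's
# groups, i.e. every collection user sees it in RD Web Access.
$cfg = Get-RDSessionCollectionConfiguration -CollectionName $Collection `
    -UserGroup -ConnectionBroker $Broker
"Collection '$Collection' user groups: $($cfg.UserGroup -join ', ')"
Get-RDRemoteApp -CollectionName $Collection -ConnectionBroker $Broker |
    Select-Object DisplayName, FilePath, ShowInWebAccess, @{
        Name = 'AssignedTo'
        Expression = { if ($_.UserGroups) { $_.UserGroups -join ', ' } else { '(inherits collection)' } }
    } | Format-Table -AutoSize
```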


