by Mikael Henriksson
27. January 2009 18:59
My first try at this was to just let the user run a program set from "Environment" under Users & Computers. It works OK, but the users were not satisfied with having to log in again if my application crashed. My second try was today, and it's not completely finished, but I'm getting there. Since the users are logging on to the server from thin clients, I don't want them to be able to change anything on the server. That's why I only allowed a program to be run in the remote desktop session. As soon as the application ended, the remote desktop session ended.
Now this is how you do it!
- Download and install Group Policy Management Console
- Create a new security group in "Users & Computers"
- Open up gpmc.msc and create a new policy, preferably named like the security group so that I can easily distinguish it.
- Add the newly created security group to the policy and make sure the group has read and apply rights to the policy.
- Remove most things from the Start Menu, Windows Explorer and the desktop. I might also want to remove access to Control Panel and Task Manager.
- Make sure that I hide the system drive (C:\) and have the users run their applications from let's say the D: drive with full access to a particular folder.
- Create a .vbs script to launch the application
- Place a shortcut to the application should it crash
- Do a policy update (run "gpupdate /force" in cmd.exe)
I found a great article to help me out. I did need to change a few things in the script, though; this is what my script looks like.
```vbscript
On Error Resume Next

Set fs = CreateObject("Scripting.FileSystemObject")
Set WshShell = WScript.CreateObject("WScript.Shell")

' Get the username and profile directory
MUser = WshShell.ExpandEnvironmentStrings("%USERNAME%")
MUserProfile = WshShell.ExpandEnvironmentStrings("%USERPROFILE%")

' Delete icons
fs.DeleteFolder MUserProfile & "\Start Menu\Programs\Accessories", True
fs.DeleteFile MUserProfile & "\Start Menu\Programs\*.lnk"

' Run the app (WshShell.Run expands %USERNAME% in the path)
WshShell.Run "D:\Company\bin\%USERNAME%\Application\app.exe"

' Connect to WMI
Set objWMIService = GetObject("winmgmts:root\cimv2")

' Poll until no app.exe process belongs to this user
Do
    ' Pause between polls so the loop does not spin the CPU
    WScript.Sleep 2000
    found = False
    ' List the processes
    strQuery = "Select * from win32_process where name='app.exe'"
    Set colProcesses = objWMIService.ExecQuery(strQuery)
    For Each proc In colProcesses
        ' Get the reference class linking processes to sessions to get the session object path
        strQuery = "References of {win32_process.handle='" & proc.handle & "'} where ResultClass=Win32_SessionProcess"
        Set colSessionReferences = objWMIService.ExecQuery(strQuery)
        For Each oSessionReference In colSessionReferences
            ' Get associators of the session object that are user accounts (linked by win32_loggedonuser)
            strQuery = "Associators of {" & oSessionReference.antecedent & "} where AssocClass=win32_LoggedOnUser"
            Set colUsers = objWMIService.ExecQuery(strQuery, , 48)
            For Each user In colUsers
                ' Compare case-insensitively: %USERNAME% may differ in case from the account name
                If StrComp(user.Name, MUser, vbTextCompare) = 0 Then found = True
            Next
        Next
    Next
Loop While found = True

' Run the Windows 2003 logoff utility
WshShell.Run "c:\windows\system32\logoff.exe"
```
Sweet! All done! Thanks a bunch to Amit Zinman
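
To confirm that the lockdown from the steps above actually reached a user, the following check can be run inside that user's session after the policy update. It is an added example, not part of the original post or the referenced article. It assumes the hidden drive is C: and that the restrictions were set with the standard Explorer, Control Panel and Task Manager policies, which write the registry values named in the code.

```powershell
# Added example: run as the restricted user after "gpupdate /force".
# Reads the per-user policy values that the GPO settings write to HKCU.
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$systemKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value is absent (policy not applied).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function ConvertTo-DriveLetters {
    param([int]$Mask)
    # NoDrives and NoViewOnDrive are bitmasks: bit 0 = A:, bit 1 = B:, bit 2 = C:, ...
    $letters = @()
    for ($bit = 0; $bit -lt 26; $bit++) {
        if (($Mask -band [int][math]::Pow(2, $bit)) -ne 0) {
            $letters += [string][char](65 + $bit)
        }
    }
    $letters
}

# A missing value casts to 0, which decodes to "no drives".
$hidden  = ConvertTo-DriveLetters ([int](Get-PolicyValue $explorerKey 'NoDrives'))
$blocked = ConvertTo-DriveLetters ([int](Get-PolicyValue $explorerKey 'NoViewOnDrive'))

$findings = @()
if ($hidden -notcontains 'C') {
    $findings += 'C: is not hidden (NoDrives)'
}
if ($blocked -notcontains 'C') {
    # NoDrives only removes the drive icon; it does not block access to the drive.
    $findings += 'C: is not blocked (NoViewOnDrive); hiding alone does not stop access'
}
if ((Get-PolicyValue $explorerKey 'NoControlPanel') -ne 1) {
    $findings += 'Control Panel is reachable (NoControlPanel)'
}
if ((Get-PolicyValue $systemKey 'DisableTaskMgr') -ne 1) {
    $findings += 'Task Manager is reachable (DisableTaskMgr)'
}

if ($findings.Count -eq 0) { 'Lockdown policy values are present for this user.' }
else { $findings | ForEach-Object { "MISSING: $_" } }
```

These values only show that the policy was applied; what the user can read or write on D: is still decided by the NTFS permissions on the folder.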