Give users access only to Remote app, not to a remote desktop (GUI)

Rahul Borate 21 Reputation points
2021-03-09T07:40:01.22+00:00

Dear Sir & Madam,

We have created a domain and deployed the Remote application (RDP APP), and the same app is shared with multiple clients. But the clients are not in our domain.
I want to restrict users from Remote Desktop GUI mode and only allow access to the RDP app.

I know both are based on the same role.
Please suggest.

Windows for business | Windows Client for IT Pros | User experience | Remote desktop services and terminal services
Windows for business | Windows Server | User experience | Other

3 answers

  1. Carl Fan 6,881 Reputation points
    2021-03-10T08:02:14.003+00:00

    Hi,
    Based on my search, there isn't an "officially sanctioned" way to do this, because by design users who have access to RemoteApp will have Remote Desktop access, because the same permissions apply to both services; actually, both services are mostly the same. When a user starts a RemoteApp, he is actually logging on to the server, but can only see the application and not the rest of the desktop.
    But you could do something silly like use Group Policy to set the user's shell to be "logoff.exe", such that if they attempted to access the machine's desktop they'd be immediately logged off.
    Please refer to the information below:
    Prevent log on to RDS Server Full Desktop
    https://social.technet.microsoft.com/Forums/en-US/217841fc-4be1-49f9-8807-feec70b3e128/prevent-log-on-to-rds-server-full-desktop?forum=winserverTS#7f83a476-9a24-4071-a2c7-4d53b13f060d
    Hope this helps and please help to accept as Answer if the response is useful.
    Best Regards,
    Carl


  2. Lucas Antunes 0 Reputation points
    2023-05-09T14:52:26.02+00:00

    Hi,

    I created a logon script that checks the current user's processes for explorer, which runs only on remote desktop connections. If explorer matches, I get the user's groups from AD and check whether the user belongs to a specific group, created for this purpose, and then I either exit the script or call logoff.exe, closing the session.

    The script

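    # Processes running in the same session as this script
    $processes = Get-Process | Where-Object { $_.SI -eq (Get-Process -Id $PID).SessionId }

    foreach ($p in $processes) {

        # explorer in the session means a full Remote Desktop logon
        if ($p.ProcessName -like '*explorer*') {

            Write-Output 'Remote Desktop'

            # Group memberships (SIDs) from the current user's token
            $token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
            foreach ($group in $token.Groups) {
                # Resolve the SID to an account name (DOMAIN\group)
                $groupName = $group.Translate([System.Security.Principal.NTAccount])
                if ($groupName -like "*Specific_group") {
                    Write-Host "You are authorized"
                    exit
                }
            }

            # Not in the allowed group: end the session
            Write-Host "You are unauthorized"
            & "C:\Windows\System32\logoff.exe"
            exit   # do not fall through to the 'Remote App' message
        }
    }

    # No explorer process in this session
    Write-Output 'Remote App'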
    
    
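A variant of the check in the answer above that compares group SIDs exactly instead of matching on a name suffix, so a similarly named group cannot satisfy it, and that only reports its decision unless told to enforce. This is an added example, not part of the original thread; the placeholder SID, the `-Enforce` switch and the `Get-SessionDecision` function are hypothetical names introduced here.

```powershell
# Added example (not from the thread). Names introduced here are hypothetical.
param(
    # Placeholder: SID of the group allowed to use the full desktop.
    [string]$AllowedGroupSid = 'S-1-5-21-0-0-0-0000',
    # Without -Enforce the script only reports its decision (dry run).
    [switch]$Enforce
)

function Get-SessionDecision {
    param([string[]]$ProcessNames, [string[]]$GroupSids, [string]$AllowedSid)
    # Following the answer above: explorer in the session means a full desktop.
    if ($ProcessNames -notcontains 'explorer') { return 'RemoteApp' }
    # Exact SID comparison; a wildcard on the group name can match other groups.
    if ($GroupSids -contains $AllowedSid) { return 'DesktopAllowed' }
    return 'DesktopDenied'
}

# Constructed inputs covering the three outcomes.
$cases = @(
    @{ P = @('notepad');             G = @('S-1-1-0');                   Want = 'RemoteApp' }
    @{ P = @('explorer', 'notepad'); G = @('S-1-1-0', $AllowedGroupSid); Want = 'DesktopAllowed' }
    @{ P = @('explorer');            G = @('S-1-1-0');                   Want = 'DesktopDenied' }
)
foreach ($c in $cases) {
    $got = Get-SessionDecision -ProcessNames $c.P -GroupSids $c.G -AllowedSid $AllowedGroupSid
    if ($got -ne $c.Want) { throw "Self-check failed: expected $($c.Want), got $got" }
}

# Live session. Assumption: the shell has already started when the logon script runs.
$sessionId = (Get-Process -Id $PID).SessionId
$names = @(Get-Process | Where-Object { $_.SessionId -eq $sessionId } |
    Select-Object -ExpandProperty ProcessName)
$sids = @([System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { $_.Value })

$decision = Get-SessionDecision -ProcessNames $names -GroupSids $sids -AllowedSid $AllowedGroupSid
Write-Output "Session ${sessionId}: $decision"

if ($decision -eq 'DesktopDenied' -and $Enforce) {
    & "$env:SystemRoot\System32\logoff.exe"
}
```

Running it without `-Enforce` on a test account first shows which decision each logon type produces before any session is closed.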

  3. Tomas - Netit 0 Reputation points
    2024-10-10T09:08:29.0833333+00:00

    Hi,

    Great idea. I would like to ask for guidance on how to implement the following logon script on a terminal server, as I am not entirely clear on the process.
    Could you provide some insights on best practices for running this script in a terminal server environment and any considerations I should be aware of?

