Give users access only to the RemoteApp, not to a Remote Desktop (GUI)

Rahul Borate 21 Reputation points
2021-03-09T07:40:01.22+00:00

Dear Sir & Madam,

We have created a domain and deployed a Remote application (RDP app), and the same app is shared with multiple clients. But the clients are not in our domain.
I want to restrict users from Remote Desktop GUI mode so that they are only allowed to access the RDP app.

I know both are based on the same role.
Please suggest.

Tags: Windows Server 2016, Windows Server 2012, Windows Server, Remote Desktop

2 answers

Sort by: Most helpful
  1. Carl Fan 6,836 Reputation points
    2021-03-10T08:02:14.003+00:00

    Hi,
    Based on my search, there isn't an "officially sanctioned" way to do this because, by design, users who have access to RemoteApp will have Remote Desktop access, since the same permissions apply to both services; actually both services are mostly the same. When a user starts a RemoteApp he is actually logging on to the server, but can only see the application and not the rest of the desktop.
    But you could do something silly like using Group Policy to set the user's shell to "logoff.exe", so that if they attempted to access the machine's desktop they would be immediately logged off.
    Please refer to the information below:
    Prevent log on to RDS Server Full Desktop
    https://social.technet.microsoft.com/Forums/en-US/217841fc-4be1-49f9-8807-feec70b3e128/prevent-log-on-to-rds-server-full-desktop?forum=winserverTS#7f83a476-9a24-4071-a2c7-4d53b13f060d
    Hope this helps and please help to accept as Answer if the response is useful.
    Best Regards,
    Carl

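The following is an added example, not code from the answer above or from Microsoft, showing one way to implement the "set the user's shell to logoff.exe" trick that Carl describes as Group Policy, so that it only hits a chosen set of users and only on the RDS session hosts. It uses the GroupPolicy RSAT module. The GPO names, the group name and the OU distinguished name are hypothetical and must be replaced; it assumes the RemoteApp users have domain accounts (they log on to the session host with them even if their client PCs are not domain-joined), that the session hosts sit in one OU, and that RemoteApp sessions, which start through rdpinit.exe/rdpshell.exe rather than the user's registered shell, are not affected by the Custom User Interface policy. That last point is exactly what the thread Carl links relies on, so confirm it on a test host before rolling out.

```powershell
# Added example (not part of the original answer). Builds two GPOs:
#   1. a computer GPO that turns on loopback processing (Merge) on the RDS hosts,
#   2. a user GPO that sets the shell to logoff.exe, security-filtered to one group.
# Keeping them separate avoids the security-filtering trap where removing
# "Apply" from Authenticated Users on a single combined GPO would also stop the
# session-host computer accounts from applying the loopback setting.
# Run as a user who can create and link GPOs; requires the GroupPolicy RSAT module.
Import-Module GroupPolicy

$LoopbackGpo = 'RDS-Hosts-Loopback-Merge'                     # hypothetical name
$ShellGpo    = 'RDS-RemoteApp-Only-Shell'                     # hypothetical name
$GroupName   = 'RemoteApp-Only-Users'                         # hypothetical group
$RdsHostOU   = 'OU=RDS Session Hosts,DC=corp,DC=example'      # hypothetical OU DN

# Create a GPO if it does not exist yet, then link it to the session-host OU.
function Ensure-LinkedGpo {
    param([string]$Name, [string]$Comment, [string]$TargetOU)
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment $Comment }
    # New-GPLink fails if the link already exists; that is fine on a re-run.
    New-GPLink -Name $Name -Target $TargetOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
    return $gpo
}

# --- 1. Loopback processing on the session hosts -----------------------------
# Computer Configuration > Administrative Templates > System > Group Policy >
# "Configure user Group Policy loopback processing mode" = Merge (1).
# Without this, a user GPO linked to the computers' OU never reaches the user.
Ensure-LinkedGpo -Name $LoopbackGpo -TargetOU $RdsHostOU `
    -Comment 'Loopback (Merge) so user policies linked here apply on RDS hosts' | Out-Null
Set-GPRegistryValue -Name $LoopbackGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# --- 2. Replace the shell with logoff.exe for the restricted group -------------
# User Configuration > Administrative Templates > System > "Custom User Interface".
# A full-desktop logon starts the configured shell, which here simply logs the
# session off again; a RemoteApp launch does not go through this shell.
Ensure-LinkedGpo -Name $ShellGpo -TargetOU $RdsHostOU `
    -Comment 'Logs off users who open a full desktop instead of a RemoteApp' | Out-Null
Set-GPRegistryValue -Name $ShellGpo `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'Shell' -Type String -Value 'logoff.exe' | Out-Null

# Security filtering: only members of $GroupName apply the shell GPO.
# Authenticated Users keep Read (needed since MS16-072) but lose Apply.
Set-GPPermission -Name $ShellGpo -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $ShellGpo -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# --- 3. Show what was configured so it can be checked before gpupdate ----------
Get-GPRegistryValue -Name $LoopbackGpo -Key 'HKLM\Software\Policies\Microsoft\Windows\System'
Get-GPRegistryValue -Name $ShellGpo -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Get-GPPermission -Name $ShellGpo -All | Select-Object Trustee, Permission
```

After `gpupdate /force` on a session host, test with one account in the group: a full `mstsc` logon should end with an immediate logoff, while launching the published RemoteApp should still work. Keep at least one admin account out of the group; if the policy turns out to affect RemoteApp sessions on your build, that account is the way back in to unlink the GPO.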

  2. Lucas Antunes 0 Reputation points
    2023-05-09T14:52:26.02+00:00

    Hi,

    I created a logon script that checks the current user's processes for explorer, which runs only on Remote Desktop connections. If explorer matches, I get the user's groups from AD and check whether it belongs to a specific group created for this purpose; if so I exit the script, otherwise I call logoff.exe to close this session.

    The script

    # Enumerate only the processes running in the caller's own session
    # (SessionId; the SI column shown by Get-Process is an alias for it).
    $sessionId = (Get-Process -Id $PID).SessionId
    $processes = Get-Process | Where-Object { $_.SessionId -eq $sessionId }

    # A full desktop session runs explorer.exe as its shell; a RemoteApp
    # session does not, so explorer in this session means "Remote Desktop".
    foreach ($p in $processes) {

        if ($p.ProcessName -eq 'explorer') {

            Write-Output 'Remote Desktop'

            # Group SIDs from the logon token, so no AD module is needed.
            $token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
            foreach ($group in $token.Groups) {
                # Translate throws for SIDs that no longer resolve; skip those
                # instead of aborting the whole check.
                try {
                    $groupName = $group.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    continue
                }
                if ($groupName -like '*\Specific_group') {
                    Write-Host 'You are authorized'
                    exit
                }
            }

            Write-Host 'You are unauthorized'
            & "$env:SystemRoot\System32\logoff.exe"
            exit
        }
    }

    Write-Output 'Remote App'
    