Question: Group Policy to stop user from running explorer.exe
I have a Win2003 Standard server, Terminal Services is not running, I am using the admin RDP access, or whatever you call it. I have a user that I want to access this server remotely (over the internet); every time the user accesses the server it says the local policy of this system does not permit you to log in interactively. If I set him up as an administrator he can log in, but he has access to the entire computer through Explorer.
I have the user in his own OU and have set up his group policy to restrict everything that I can. I tried to keep explorer.exe from running via "Don't run specified Windows applications", but Explorer still runs.
My goal is to have this user run only QuickBooks over Remote Desktop, and only that.
Help please.
Answer: Group Policy to stop user from running explorer.exe
Add the user to the "Remote Desktop Users" group on the local machine (instead of making him/her an Administrator). The Remote Desktop Users group is found in Computer Management (right-click on My Computer and go to "Manage") under System Tools/Local Users and Groups/Groups.
Another option is to go to Computer Properties (right-click My Computer and go to "Properties"), select the Remote tab, and under the "Remote Desktop" section, click on Select Remote Users. You can then add that user's account to the list of accounts which can log onto the machine.
Both of those things get the user into the computer without making the user an administrator; however, you're doing this on the local machine. The GPO (Group Policy Object) settings are found under Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment. The user right is "Allow log on through Terminal Services".
The next thing I would recommend is disabling the GPO you created for the user's OU and creating a new GPO (so that you have "fresh" settings). You can restrict which applications users can access through a GPO. You can't restrict access to explorer.exe because that's the actual process that gives you your desktop, start menu, etc. You can, however, specify that the user can only run QuickBooks. To do this, in a GPO, go to User Configuration/Windows Settings/Security Settings/Software Restriction Policies. You'll have to right-click on the container and select "New Software Restriction Policies" and then you may have to confirm that you want to create them. Within this new policy, you can then specify which applications are allowed and which aren't.
Here's my disclaimer: Test this thoroughly. You'll find that you'll only allow Quickbooks to run, but then you'll find that Quickbooks needs two or three other processes in order for it to work. So, test it and see what happens.
The other thing you might want to do is rethink the idea of having someone remote directly into the server. Couldn't you set up Quickbooks on a WinXP box and have them access that? It would work exactly the same way (as the instructions I've outlined above).
Let me know how it goes....
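A check a practitioner could run on the server after following the steps above, as an added example that is not part of the thread: it confirms the account is in Remote Desktop Users but not Administrators, reads the exported user-rights policy with secedit, and shows the Software Restriction Policy default level and allow rules from the registry. QBUSER is a placeholder account name, and PowerShell is assumed to be installed on the box.

```powershell
# Added example, not from the original thread. QBUSER is a placeholder.
$User   = 'QBUSER'
$Server = $env:COMPUTERNAME

# Member names of a local group via the ADSI WinNT provider.
function Get-LocalGroupMemberNames($GroupName) {
    $g = [ADSI]"WinNT://$Server/$GroupName,group"
    @($g.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
}

# 1. Put the account in Remote Desktop Users, not Administrators.
if ((Get-LocalGroupMemberNames 'Remote Desktop Users') -notcontains $User) {
    ([ADSI]"WinNT://$Server/Remote Desktop Users,group").Add("WinNT://$Server/$User,user")
}

# 2. Least privilege: the account must NOT be a local administrator.
if ((Get-LocalGroupMemberNames 'Administrators') -contains $User) {
    Write-Warning "$User is still in Administrators; remove it."
}

# 3. "Allow log on through Terminal Services" is SeRemoteInteractiveLogonRight.
#    S-1-5-32-555 is the well-known SID of BUILTIN\Remote Desktop Users.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$right = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight' }
if ($right -notmatch 'S-1-5-32-555') {
    Write-Warning "Remote Desktop Users lacks the Terminal Services logon right: $right"
}

# 4. Software Restriction Policy as applied to the machine (HKLM) and this user (HKCU).
#    DefaultLevel 0 = Disallowed (default-deny), 262144 (0x40000) = Unrestricted.
#    Path rules that stay allowed under a Disallowed default live under 262144\Paths.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path $key)) { "$hive has no SRP configured"; continue }
    $level = (Get-ItemProperty $key).DefaultLevel
    $allow = Get-ChildItem "$key\262144\Paths" -ErrorAction SilentlyContinue |
             ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
    "$hive SRP DefaultLevel=$level; allowed path rules: $($allow -join ', ')"
}
```

Run it as an administrator in the QuickBooks user's context only for step 4 (HKCU reflects the logged-on user), and treat a DefaultLevel of 262144 with no deny rules as "nothing is restricted yet".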