Allow Remote Start Of Unlisted Programs Group Policy

11/13/2016

Configure Remote Desktop through Group Policy

Any time I can set something to be centrally managed, I'll do it. Group Policy is the best way to do that for Windows Servers, and we can configure Remote Desktop within Group Policy. The good news is that it is really easy to deploy for a computer account, and can be done centrally with a Group Policy Object that applies to computer accounts. This configuration is shown in Figure A below.

Figure A

For scaling reasons, there are a few ways this GPO can be pushed to server computer accounts.
We can push it to the entire domain, an organizational unit (OU), or simply a security group. I prefer the security group deployment mechanism. This is done through GPO filtering, which is explained in this blog post. Applying it to an entire domain is not really a good idea, but a designated OU can make sense, depending on the granularity of the OU. The smallest Active Directory environments can deploy via OU, but larger environments should consider putting the computer account in a security group that has the GPO filtered to it.

Additional options for how Remote Desktop will behave can be configured in this area of Group Policy. This includes the ability to disable indirect file transfer through drive redirection, designate licensing servers, or specify how many connections will be permitted on the server.

Have you deployed Remote Desktop configuration centrally through Group Policy? What additional settings have you deployed? Share your comments below.

Microsoft RDS Policies explained (Part 2)

Introduction

In Part 1 of the article series MS RDS Policies we started by describing how RDS settings can be configured and that policies always win. We continued by describing the policy locations available within both the machine and the user configuration.
We started by describing the policy settings available in the computer configuration which should be applied to the RDS License Server and the RDS Client. In this part two we will discuss the settings available at the computer configuration level for the RD Session Host.

Computer Configuration policy settings

Remote Desktop Session Host

For the RD Session Host (Remote Desktop Session Host) the policies are separated into several subfolders, as shown in the figure below.

Figure 1: Remote Desktop Session Host Policy Overview.

Figure 2: Remote Desktop Session Host – Application compatibility.

Application Compatibility – Turn off Windows Installer RDS Compatibility.
With this setting you can change the Windows Installer behavior on an RD Session Host. By default RDS compatibility is enabled, which makes it possible to run the Windows Installer functionality on a per-user basis. When you enable this setting (which disables Windows Installer RDS compatibility) all requests are queued up for a single msiexec process. Personally, I did not find a reason to disable this functionality.

Application Compatibility – Turn on Remote Desktop IP virtualization.
Some applications require a unique IP address, which by default is logically not the case if the application is running on an RD Session Host. To solve this issue, Remote Desktop IP Virtualization was introduced. With this setting you enable the IP virtualization feature. When enabling this setting you need to specify whether the virtual IP is provided per session or per program. When using per program you need to define the executable to which an IP address should be assigned. Remote Desktop IP virtualization also requires the next setting to be configured.

Application Compatibility – Select the network adapter to be used for Remote Desktop IP Virtualization.
When you need to use Remote Desktop IP virtualization, configuring this setting is mandatory.
You need to specify the IP address of the Network Interface Card which should be used for this feature. Besides the IP address you also need to specify the network mask using the slash notation, for example 1.

Application Compatibility – Do not use Remote Desktop Session Host server IP address when virtual IP address is not available.
When no virtual IP addresses are available (anymore), by default the session will use the RD Session Host IP address (just as if you did not have RD IP Virtualization enabled). If you don't want that, you should enable this setting, but remember that the session won't have network connectivity at all. So be really careful when enabling this setting; it is only for very specific use cases.

Figure 3: Remote Desktop Session Host – Connections.

Connections – Automatic Reconnection.
With this setting you can control the Automatic Reconnection behavior. By default it is already enabled. When this setting is set to Disabled, automatic reconnection is disabled. Normally you won't have to configure this setting, as automatic reconnection is enabled by default.

Connections – Allow users to connect remotely by using Remote Desktop Services.
Although it is an RD Session Host policy, I only use this one on non RD Session Host servers, as users are allowed to connect using RDS when the RD Session Host role is installed. However, this setting is really useful for a server where RDS is not installed but where you would like to enable RDP access for the administrators. Enabling this policy ensures that remote access is enabled on the Remote tab of the System Properties.

Connections – Deny logoff of an administrator logged in to the console.
This setting only applies to XP and Windows 2. This setting prevents an administrator connected to the console from being logged off when another administrator connects to the console via the RDP client.

Connections – Configure Keep-alive connection interval.
With this setting you configure how often, in minutes, the server checks the session state. If you don't configure this setting the session state is not checked. When the interval has passed, the server checks whether the session listed as connected is actually still communicating with the server.

Connections – Limit number of connections.
By default an RD Session Host has no limit on the number of sessions that can be created on it. With this policy enabled you can define the maximum number of sessions that can be set up on the RD Session Host.

Connections – Suspend user sign-in to complete app registration.
This is a new policy for the latest operating systems. By default, RDS sessions can be set up as soon as the system is started, while applications are registered in the background. Some applications work only if the application registration is completely finished. Enabling this policy causes the server to wait for 6 minutes before RDS sessions can be set up. It is also used in cases where the start menu needs to be customized. Another use case is to provide a small automated maintenance window for cleaning the server.

Connections – Set rules for remote control of Remote Desktop Services.
With this policy you can define whether remote control (also known as shadowing) is allowed and by which method (full control or view session, each with or without the user's permission). As this policy is for Shadowing, it does not apply to Windows Server 2. Remote Assistance is available. The policy does not list Windows Server 2. R2 as applicable; however, MS re-introduced shadowing in this version (so, I expect this setting will work for R2 as well, but I did not test it).

Connections – Select network detection on the server.
With this policy you can change the way the RD Connection Host determines the network quality based on the initial connection (Connect Time Detect) and during the session (Continuous Network Detect). You can disable one of these two or both. Disabling Connect Time Detect will cause the session to always be connected as if on a low-speed connection, while disabling Continuous Network Detect means the session will not be adjusted if network quality changes during the session. This policy applies only to the latest versions of operating systems and in my opinion it should be adjusted only in specific use cases.

Connections – Select RDP transport protocols.
A similar setting was also available within the RD Client settings. However, this policy is based on the host instead of the client. Just as with the client setting, you can configure whether you would like to use both UDP and TCP, only UDP, or only TCP.

Connections – Restrict Remote Desktop Services users to a single Remote Desktop Services session.
With this policy you can restrict a user to only one session on the server; otherwise the user can have multiple sessions. When a session is in a disconnected state the user will be automatically redirected to this disconnected session. This behavior can also be specified at the collection level within the RDS management console.

Connections – Allow remote start of unlisted programs.
By default a user can only start programs that are defined as RemoteApps (when not publishing a Remote Desktop). In the specific case that you would like to change that behavior (but why would you publish that program as a RemoteApp in that case) you can enable the policy “Allow remote start of unlisted programs”. When this setting is enabled, any program available on the RD Session Host can be started.

Connections – Turn Off Fair Share CPU Scheduling.
By default Microsoft has enabled Fair Share CPU Scheduling. With this policy setting you can turn off this feature. In my article Fair Share of Resources in RD Session Host, I explained Fair Share of resources in an RD Session Host in detail, so check that article for more information.

In this part three we will continue describing the RD Session Host settings.

Figure 4: Remote Desktop Session Host – Device and Resource Redirection.

Device and Resource Redirection – Allow Audio and Video playback redirection.
The Device and Resource Redirection subfolder contains all settings that define whether local devices are available within the Remote Desktop Session. The first setting determines whether audio and video are redirected to the client or played on the RD Session Host. Microsoft used different default behaviors between the different operating system levels. On Windows 2008R2 or lower, audio and video redirection is not allowed by default, while Windows 2. If possible I would always redirect audio and video playback to the client.

Device and Resource Redirection – Allow audio recording redirection.
With this setting you can specify whether recording devices (like microphones) can be used within the Remote Desktop Session. Again the default behavior differs between the several versions of the operating system, so that determines whether you need to configure this setting to satisfy your needs. To be sure, you can always define this (and the other settings) explicitly, so you know for certain that the configuration of the RD Session Host is as you would like to have it set.

Device and Resource Redirection – Limit audio playback quality.
Configuring the audio playback quality can enhance performance on slow links. However, currently Microsoft is using Dynamic playback quality, where the audio quality is dynamically adjusted based on the network bandwidth. So I prefer to use this setting, but if quality should always be High (independent of the network bandwidth) you can adjust the behavior with this setting.
It is also good to know that when you choose Disabled, the audio playback quality will be Dynamic (instead of no audio playback, which some people expect).
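
The following PowerShell is an added example, not code from the article. It audits four of the Connections policies described above by reading the registry values those policies write; the value names, the `Test-RdsConnectionPolicy` and `Get-RdsConnectionPolicy` function names, and the sample hashtable are supplied here and do not appear in the article.

```powershell
# Added example: audit RD Session Host "Connections" policies.
# Policy-backed values live under this key (value names are not from the article).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$PolicyNames = 'fAllowUnlistedRemotePrograms', 'Shadow', 'MaxInstanceCount',
               'KeepAliveEnable', 'KeepAliveInterval'

function Get-RdsConnectionPolicy {
    # Read the live policy values into a hashtable; unset policies are omitted.
    $item = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $result = @{}
    foreach ($name in $PolicyNames) {
        if ($null -ne $item.$name) { $result[$name] = $item.$name }
    }
    return $result
}

function Test-RdsConnectionPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)
    $findings = @()
    # "Allow remote start of unlisted programs": 1 = any program on the host can start.
    if ($Policy['fAllowUnlistedRemotePrograms'] -eq 1) {
        $findings += 'Unlisted programs can be started; the RemoteApp list is not enforced.'
    }
    # "Set rules for remote control": 2 = full control, 4 = view session,
    # both without the user's permission.
    if ($Policy['Shadow'] -in 2, 4) {
        $findings += "Shadowing without user permission (Shadow=$($Policy['Shadow']))."
    }
    # "Limit number of connections": not set means no session limit.
    if (-not $Policy.ContainsKey('MaxInstanceCount')) {
        $findings += 'No connection limit is configured.'
    }
    # "Configure keep-alive connection interval": not set means state is never checked.
    if ($Policy['KeepAliveEnable'] -ne 1) {
        $findings += 'Keep-alive is not configured; session state is not checked.'
    }
    return $findings
}

# Constructed sample input so the check can be run on any machine.
$sample = @{
    fAllowUnlistedRemotePrograms = 1
    Shadow                       = 2
    KeepAliveEnable              = 1
    KeepAliveInterval            = 5
}
Test-RdsConnectionPolicy -Policy $sample

# On an RD Session Host, audit the applied policy instead:
# Test-RdsConnectionPolicy -Policy (Get-RdsConnectionPolicy)
```

The constructed sample produces three findings (unlisted programs, shadowing without permission, no connection limit). Because only the policy key is read, settings made locally outside Group Policy are not covered.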