1

I have an AWS Lightsail server running Windows Server 2016. I want Administrators to be able to log in via Windows Remote Desktop Client and access the desktop and all applications. However, I want to set up one or more users or groups who can connect to the server using a Remote Desktop Client (not Web), and upon login, automatically launch a single application. Furthermore, when they close that application they are signed out of the server. In addition, while they are in the application they have no access to the desktop or any other applications.

I have been assured that this configuration is possible, but so far I have failed to find any combination of configurations that permit me to achieve this goal. So, I have two questions. First, is it true that I can configure my Lightsail server to achieve this result? And, if so, how do I do it?

Cary Jensen

1 Answer

0

I had to ask an IT administrator, so I need to admit that I needed help in solving my problem. Nonetheless, I want to answer this question for the benefit of other developers out there who want to do something similar. I performed these steps on an Amazon Lightsail server, but I imagine that this will work on any Windows Server 2016 instance.

  1. Log onto the server as Administrator and run Server Manager.

  2. From the Dashboard, select Add roles and features.

  3. Add Active Directory Domain Services. Follow the prompts.

  4. Once Active Directory Domain Services has been installed, you will get a notification that it needs to be configured. Configure it.

  5. From the Dashboard, again select Add roles and features. This time select Remote Desktop Services installation. Follow the prompts.

  6. From the Server Manager, select Tools -> Active Directory Domain Users and Computer from the main menu.

  7. Add a new Organizational Unit (OU) to the domain server. Next, add your users who will be limited to the one application to the new OU.

  8. From the Server Manager, select Tools -> Group Policy Manager from the main menu. Expand your server's domain and select the new OU. Right-click the OU and select Create a GPO in this domain, and link it here... Next, expand the OU and select the new group policy and select Edit. Go to User Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Remote Desktop Session Environment. Enable and configure Start program on connection. Disable Always show desktop on connection.

  9. From the Control Panel, open the System applet. Select Remote Settings. Click Users. Click Add. Click Advanced. Select the users added to the new OU and permit them to use Remote Desktop.

Cary Jensen
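One way to check the outcome of steps 7 to 9, as an added example that is not part of the original answer: it lists which GPOs linked to the OU configure the start-program policy and flags any account with Remote Desktop rights that sits outside the OU, since the policy does not apply to such accounts and they would get a full desktop. It assumes the server was made a domain controller in steps 3 and 4 (so Remote Desktop Users is the domain's built-in group), that the ActiveDirectory and GroupPolicy modules are installed, and that GPO reports are in English; the function name and the OU distinguished name are hypothetical.

```powershell
# Added example: audit the single-application RDP setup described in steps 7-9.
# Test-SingleAppRdpSetup and the OU name used at the bottom are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Test-SingleAppRdpSetup {
    param(
        [Parameter(Mandatory)]
        [string]$OuDn   # distinguished name of the OU created in step 7
    )

    # Step 8: GPOs linked to the OU. A disabled link applies nothing.
    $links = (Get-GPInheritance -Target $OuDn).GpoLinks | Where-Object Enabled

    # Keep the linked GPOs whose XML report mentions the start-program policy.
    # Assumption: the report uses the English policy display name.
    $policyGpos = foreach ($link in $links) {
        $xml = Get-GPOReport -Guid $link.GpoId -ReportType Xml
        if ($xml -match 'Start (a )?program on connection') {
            $link.DisplayName
        }
    }

    # Step 9: every user account that may log on through Remote Desktop.
    # Users outside the OU do not receive the policy set in step 8.
    $outside = Get-ADGroupMember -Identity 'Remote Desktop Users' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Where-Object { $_.distinguishedName -notlike "*,$OuDn" } |
        ForEach-Object { $_.SamAccountName }

    [pscustomobject]@{
        Ou                   = $OuDn
        GposWithStartProgram = @($policyGpos)
        RdpUsersOutsideOu    = @($outside)
        LooksRestricted      = (@($policyGpos).Count -gt 0) -and
                               (@($outside).Count -eq 0)
    }
}

# Constructed sample call; replace the DN with your own OU.
Test-SingleAppRdpSetup -OuDn 'OU=SingleAppUsers,DC=example,DC=local' |
    Format-List
```

An empty `GposWithStartProgram` or a non-empty `RdpUsersOutsideOu` means at least one remote user is not covered by the policy configured in step 8.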
  • 1
    No offense intended, but... do you at least understand what you are doing? Saying "add ADDS and configure it" seems quite like you are not really aware of what that means in terms of security and management. – Massimo Sep 28 '20 at 18:40
  • 1
    No offense taken. Since I could find no description of how to do this, and no one answered my question for months, I wanted to at least provide a high level description of the steps without getting into the fine details. I am not a server administrator and, as you point out, I don't know what I am doing. I am a developer building a prototype, and when we get the software running we have a consulting group that includes server administrators who we trust and who will address issues such as security and the like long before we go into production. – Cary Jensen Sep 29 '20 at 21:03