How to launch a program automatically when logging into Remote Desktop server 2019

[WINDOWS SERVER 2019] Start a program with the remote desktop

Goodmorning everyone,
I installed Windows Server 2019 on a server, before this the last server I had installed was with Windows Server 2008. My problem is to start a program automatically in a Remote Desktop session so that the user can only use that program and do not access the rest of the computer, when the program is closed, the Remote Desktop session must also be closed. I tried to do as it was up to at least Windows Server 2008 that is to set the startup program from the "Environment" section of the user which worked fine. Now in Windows Server 2019 I have seen that there is the possibility to set a program in the environment, but in fact it does not work or the program does not start and the user can access everything.
Is there anyone who can help me understand what is the best practice to solve my problem?
Thank you all.

remote-desktop-servicesremote-desktop-client

Comment

Comment Show 0

Comment

5 |1600 characters needed characters left characters exceeded

▼

• Visible to all users
• Visible to the original poster & Microsoft
• Viewable by moderators
• Viewable by moderators and the original poster
• Advanced visibility

Toggle Comment visibility. Current Visibility: Visible to all users

Attachments: Up to 10 attachments [including images] can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

JennyYan-MSFT answered • Nov 17, '20 | reteinformatica commented • Nov 19, '20

Hi,
1.RDS provides function of publishing the program as a RemoteApp for users to utilize application directly without logging into the remote session of server.
Create a Remote Desktop Services collection for desktops and apps to run
//docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-create-collection#publish-remoteapp-programs

2.Per my knowledge, RD Session Host Role Service is required to use the start a program on connection feature. Did you installed RDSH role for the server?

3.The most widely used method to disable Remote Desktop Access but allow RemoteAPPs is the one shared in below thread:

User Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment > Start a program on connection
Put c:\windows\system32\logoff.exe in the Program path.
Add this to user GPOs but not sysadmin GPOs.

//social.technet.microsoft.com/Forums/lync/en-US/5d17f131-c6d1-49dd-b0b7-83c03c3fedbb/how-to-disable-remote-desktop-access-but-allow-remoteapps-to-run?forum=winserverTS

Hope this helps and please help to accept as Answer if the response is useful.

Thanks,
Jenny

Comment

Comment · Show 2

Comment

5 |1600 characters needed characters left characters exceeded

▼

• Visible to all users
• Visible to the original poster & Microsoft
• Viewable by moderators
• Viewable by moderators and the original poster
• Advanced visibility

Toggle Comment visibility. Current Visibility: Visible to all users

Attachments: Up to 10 attachments [including images] can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

JennyYan-MSFT · Nov 18, 2020 at 01:31 AM

Hi,
May i know if above info helpful?

Please feel free to let us know if any more questions and please help to mark useful response as Answer to end the thread.

Best Regards,
Jenny

0 Votes 0 ·

reteinformatica JennyYan-MSFT · Nov 19, 2020 at 08:15 PM

Hello, Jenny,
for reasons of time I have not yet been able to try, as soon as I do I will let you know, thanks for your availability.

0 Votes 0 ·

reteinformatica answered • Nov 19, '20 | JennyYan-MSFT commented • Nov 20, '20

Hello, yes I installed Remote Desktop Host services.
I tried but I get some errors and i was in doubt: should the RDP host be a domain controller or belong to a domain?

Comment

Comment · Show 1

Comment

5 |1600 characters needed characters left characters exceeded

▼

• Visible to all users
• Visible to the original poster & Microsoft
• Viewable by moderators
• Viewable by moderators and the original poster
• Advanced visibility

Toggle Comment visibility. Current Visibility: Visible to all users

Attachments: Up to 10 attachments [including images] can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

JennyYan-MSFT · Nov 20, 2020 at 07:48 AM

Hi,
In general, it is not recommended to install RDSH on an Active Directory domain controller since allowing users to run programs on a domain controller could create security risks and performance issues.

Moreover RDS environment could be configured in domain or in workgroup with relevant type of RDS CAL.

Thanks,
Jenny

0 Votes 0 ·

reteinformatica answered • Nov 20, '20 | reteinformatica edited • Nov 20, '20

Hi Jenny,
very well, because I need the server not to be a domain controller and will not belong to a domain. Then there's something that escapes me because I've read the documents of the links you sent me but trying to get errors. Obviously there's something I didn't understand.
I tried this from Power Shell, I hope I translated well because it is in Italian:

PS C:\Users\Administrator> New-RDSessionCollection -PersonalUnmanaged Cmdlet New-RDSessionCollection in position 1 of the command pipeline Specify values ​​for the following parameters: CollectionName: test SessionHost[0]: 0 SessionHost[1]: NOTICE: The specified fully qualified domain name [FQDN], 0, is not valid. New-RDSessionCollection : Unable to create session set. In line:1 car:1 + New-RDSessionCollection -PersonalUnmanaged + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: [:] [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,New-RDSessionCollection

I think I don't know and understand what goes into "SessionHost". I tried to put server hostname [Server2019] but I receive another error:

Cmdlet New-RDSessionCollection in position 1 of the command pipeline Specify values ​​for the following parameters: CollectionName: test SessionHost[0]: server2019.workgroup SessionHost[1]: New-RDSessionCollection : There is no Remote Desktop Services deployment on Server2019. This operation it can only be run after you have created a distribution. For information on creating a distribution, execute the command "Get-Help New-RDVirtualDesktopDeployment" o "Get-Help New-RDSessionDeployment". In line:1 car:1 + New-RDSessionCollection -PersonalUnmanaged + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: [:] [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,New-RDSessionCollection

Then I tried how it is written, others errors:

PS C:\Users\Administrator> New-RDVirtualDesktopDeployment Cmdlet New-RDVirtualDesktopDeployment in position 1 of the command pipeline Specify values ​​for the following parameters: ConnectionBroker: Server2019 VirtualizationHost[0]: server2019.workgroup VirtualizationHost[1]: New-RDVirtualDesktopDeployment : Failed to validate "RD Connection Broker" parameter. Server2019 No valid fully qualified domain name [FQDN] specified for the server. In riga:1 car:1 + New-RDVirtualDesktopDeployment + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: [:] [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,New-RDVirtualDesktopDeployment PS C:\Users\Administrator> New-RDVirtualDesktopDeployment Cmdlet New-RDVirtualDesktopDeployment in position 1 of the command pipeline Specify values ​​for the following parameters:ConnectionBroker: Server2019 VirtualizationHost[0]: server2019 VirtualizationHost[1]: New-RDVirtualDesktopDeployment : Failed to validate "RD Connection Broker" parameter. Server2019 No valid fully qualified domain name [FQDN] specified for the server. In line:1 car:1 + New-RDVirtualDesktopDeployment + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: [:] [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,New-RDVirtualDesktopDeployment

Comment

Comment Show 0

Comment

5 |1600 characters needed characters left characters exceeded

▼

• Visible to all users
• Visible to the original poster & Microsoft
• Viewable by moderators
• Viewable by moderators and the original poster
• Advanced visibility

Toggle Comment visibility. Current Visibility: Visible to all users

Attachments: Up to 10 attachments [including images] can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

JennyYan-MSFT answered • Nov 23, '20

Hi,
It seems you are trying to create RDS collection and publish remote applications via RD web.

But if you are new to remote desktop service, it is suggested to deploy RDS via GUI with following screenshots and get better understanding for each roles related to RDS.
//nedimmehic.org/2017/01/21/deploying-remote-desktop-services-2016-step-by-step/

For the information you posted, it seemed that you did not specify the FQDN of collection or server of RDCB and RDSH. Moreover, command"New-RDVirtualDesktopDeployment" is used to install the role services of VDI instead of RD session host.
//docs.microsoft.com/en-us/powershell/module/remotedesktop/new-rdvirtualdesktopdeployment?view=win10-ps

Last but not least, here are step by step guidance on how to deploy RDS with powershell command:
1.Step by Step instructions for installing RDS Session Deployment using PowerShell in Windows Server 2012 R2
//techcommunity.microsoft.com/t5/ask-the-performance-team/step-by-step-instructions-for-installing-rds-session-deployment/ba-p/375569
2.Deploy Windows 2016 RDS with PowerShell
//www.aventistech.com/Deploy-Windows-2016-RDS-with-PowerShell
Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

Hope this helps and please help to accept as Answer if the response is useful.

Thanks,
Jenny

Comment

Comment Show 0

Comment

5 |1600 characters needed characters left characters exceeded

▼

• Visible to all users
• Visible to the original poster & Microsoft
• Viewable by moderators
• Viewable by moderators and the original poster
• Advanced visibility

Toggle Comment visibility. Current Visibility: Visible to all users

Attachments: Up to 10 attachments [including images] can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Specify a Program to Start Automatically When a User Logs On Does Not Work in 2016 Server

Archived Forums

>

Remote Desktop Services [Terminal Services]

• Question

• 0

  Sign in to vote

  By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless a program has been specified to start when the user logs on to the remote session. If an initial starting program has been specified, it will be the only program that the user can use in the Remote Desktop Services session. TheStartmenu and the Windows Desktop are not displayed when the user logs on to the remote session, and when the user exits the program the session is automatically logged off.This feature does not work2016 serverit ignores whatever we specify and always starts a Desktop Session. We are running a work group so group policy is not an option as a workaround.In the 2012 server, 2008 Server it works.Kindly please advise how to get this basic feature to run in Server 2016.

  Thursday, December 22, 2016 10:26 PM

• 0

  Sign in to vote

  Hi, Thank you very much. It now works as expected. Regards

  • Marked as answer by VIrtual Name Friday, August 25, 2017 1:51 PM

  Monday, February 27, 2017 7:45 PM

• 0

  Sign in to vote

  Thanks for your reply Jay. Will this setting take away the Desktop Session from the named user and will it actually work per named user or will it be applied to all users logging in? For example will it take away my Administrator Desktop Session? If so would we be able to get back to into our Desktop Session for Administrator. We need to be able to set a different program to start for each named user which is what the environment tab in 2012 and 2008 servers does flawlessly. Kindly let me know. Very much appreciateyou taking the time.

  Friday, December 23, 2016 12:59 PM

• 0

  Sign in to vote

  Hi, Thank you very much. It now works as expected. Regards

  • Marked as answer by VIrtual Name Friday, August 25, 2017 1:51 PM

  Monday, February 27, 2017 7:45 PM

• 0

  Sign in to vote

  Hi,

  I have exactly the same issue, I have a standalone Windows 2016 Server and I want when a user connects to the server via RDP [there is only one basically] to start a specific program and not have access to the whole desktop. I have included the above recommendation in the registry but it doesn't work for me!

  Am I missing something here?

  Thank you,

  Theodore

  Friday, August 25, 2017 1:12 PM

• 0

  Sign in to vote

  Thank very much work perfect like i want

  regards

  Wednesday, May 8, 2019 11:05 AM

• 0

  Sign in to vote

  Hi I am looking for a solution for my environment as below;

  Windows Server 2016 in a work group and no domain controller

  I want to launch an application on the server when the user login [using RDS] without any access to the server.

  Earlier in windows 2008 R2 I was able to create an RDP file and share with the user to launch the application. Now I do not have the option for the server in work group.

  Wednesday, June 26, 2019 9:30 AM

• 0

  Sign in to vote

  Hi!

  Use Local Group Policy [or you can use Domain Group Policy if server is domain member].

  cmd - gpedit.msc:
  

  User Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Session Host - Remote Session Environment - Start a Program

  Tuesday, July 30, 2019 8:39 AM

• 0

  Sign in to vote

  Hi!

  Use Local Group Policy [or you can use Domain Group Policy if server is domain member].

  cmd - gpedit.msc:
  

  User Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Session Host - Remote Session Environment - Start a Program

  this works but now even Admin is forced to use this program. How can i get back to the original desktop for Administrator only to make changes?
  

  Tuesday, April 7, 2020 11:05 PM

15 Replies

· · ·

Pure Capsaicin

OP

Neally

This person is a verified professional.

Verify your account to enable IT peers to see that you are a professional.

Sep 8, 2017 at 00:01 UTC

Not sure if you can do that, you are looking for some kind of 'kiosk' mode?

Have you looked into RDweb? So you can just give them access to the aplication, which would basically bypass all that lock down stuff?

1

· · ·

Datil

OP

britv8 Sep 8, 2017 at 00:38 UTC

Published applications would be what you would use. What OS are we talking about?2012 and higher?

1

· · ·

Datil

OP

gb5102 Sep 8, 2017 at 01:31 UTC

First thing that comes to mind is the setting in the RD client itself:

0

· · ·

Datil

OP

gb5102 Sep 8, 2017 at 01:41 UTC

This can also be done via GPO[it is also under User Configuration]:

Text

Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment - "Start a program on connection"

or Registry[it is also under HKCU]:

Text

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services - Values: InitialProgram, WorkDirectory

0

· · ·

Jalapeno

OP

ziceman Sep 8, 2017 at 03:34 UTC

In this case, the device accessing the terminal server is a thin client. So I need to create the configuration on the back and, right?

0

· · ·

Jalapeno

OP

ziceman Sep 8, 2017 at 03:34 UTC

in this case, the machine accessing the terminal server is a thin device, so I have to create the config on the backend, right?

0

· · ·

Jalapeno

OP

ziceman Sep 8, 2017 at 03:36 UTC

sorry for double reply. doing this from my phone. not trying to be annoying...

1

· · ·

Mace

OP

adrian_ych

This person is a verified professional.

Verify your account to enable IT peers to see that you are a professional.

Sep 8, 2017 at 06:15 UTC

Active Directory & GPO expert

40 Best Answers

227 Helpful Votes

Are you trying TS application publishing ? So that users only can use applications on the Terminal server ? Else users can still close the application and run other stuff on the terminal server...

//technet.microsoft.com/en-us/library/cc730673[v=ws.10].aspx

0

· · ·

Pure Capsaicin

OP

dbeato

This person is a verified professional.

Verify your account to enable IT peers to see that you are a professional.

Sep 8, 2017 at 11:30 UTC

Do they have a program in the startup folder for the users that is working ?

0

· · ·

Jalapeno

OP

ziceman Sep 8, 2017 at 15:15 UTC

OK. I believe I have found the way this has been set up in the past, but it is not working when a new user configuration is created.

In Remote Desktop Session Host Configuration in the Connection properties, we have this:

.... deferring to the user profile or client.

In the existing AD user configuration we have settings in RD Services Profile tab that maps drives, and settings in the Environment tab that specifies a startup program.

The current users are pointed at the correct vertical application path, and it appears to work just fine. I tried to duplicate this setup, but the program does not launch. Subsequently, I just stuck in the settings for Notepad. Still nothing. Is there something else that needs to be set / enabled on this?

0

· · ·

Jalapeno

OP

ziceman Sep 8, 2017 at 15:20 UTC

The Start In field is actually set to: C:\users\gmt

Also, I can get this to work by sticking the a shortcut to the app in the Startup folder for now, but this is ugly kludge. Just want to get the standard setup to function.

0

· · ·

Jalapeno

OP

ziceman Sep 9, 2017 at 16:08 UTC

Just bumping this one. Still looking for an answer as to the Start Program at Logon is broken. Any more ideas?

0

· · ·

Jalapeno

OP

ziceman Sep 11, 2017 at 14:09 UTC

bump, bump... ?

0

· · ·

Pure Capsaicin

OP

dbeato

This person is a verified professional.

Verify your account to enable IT peers to see that you are a professional.

Sep 12, 2017 at 00:25 UTC

I would check the permissions to the folders and check the that they can access the roaming profile.

0

· · ·

Jalapeno

OP

Best Answer

ziceman Sep 12, 2017 at 18:35 UTC

OK. This has been solved.

It turned out to be a GPO setting, which is very strange. This is because no one had been in there for months, so nothing should have been different. My next concern is making sure that server has not been compromised in some way. I wanted to check to see the last time the GPO was edited, but that date was updated the moment we went into it. Is there an audit trail for this?

Anyway, gb5102 was close to the right track.

The setting was actually Users\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment - "always show desktop on connection".

Having this enabled completely blew away any directive to start up an application. No idea how it got set, and my concern is that this might signal malicious behavior. Needless to say, I have instituted a complete malware detection and remediation protocol on the server and also ratcheting up scans on all the other machines.

One more thing I wanted to mention. Since this was a somewhat critical problem, I needed to get the situation resolved no later than end-of-day Monday. I decided to try the "LIVE" support feature of EE to see if I could get another set of eyeballs to look things over with me in real-time. I was happy to pay few $ to see if readily available assistance could save the day..., and it did.

Does Spiceworks offer a similar service? If not, is it being considered?

0

This topic has been locked by an administrator and is no longer open for commenting.

To continue this discussion, please ask a new question.