SamR Posted April 8, 2010 In my facility, certain users are allowed access to only one application when they log into a PC. Our regulations state that when the user logs in the app must launch immediately, and when the app is closed, Windows must automatically log out the user. I know that I could simply put the app in the Startup menu for it to launch automatically, but is there any way Active Directory can force a user to log out if they close the app? I understand what our regulators are trying to accomplish, which is to prevent casual users from accessing resources for which they lack authorization. However, what is to prevent the user from simply minimizing the app or pressing Alt+F4?
cluberti Posted April 8, 2010
Quote: In my facility, certain users are allowed access to only one application when they log into a PC. Our regulations state that when the user logs in the app must launch immediately, and when the app is closed, Windows must automatically log out the user. I know that I could simply put the app in the Startup menu for it to launch automatically, but is there any way Active Directory can force a user to log out if they close the app?
It sounds more like the powers that be want functionality and behavior that come with using Windows Terminal Services and RemoteApp (or Citrix App Publishing), where the app is the shell: closing the app logs out the user. However, to keep people from running things other than the app (if that is indeed the goal), you'll probably have to use software restriction policies to keep other .exe files from launching for these users. It's not as difficult as it sounds, but it certainly isn't easy either, as you must be VERY careful what you restrict and how.
SamR Posted April 8, 2010 Author Thanks, cluberti. I agree. I think the regulators are good at designing policy but maybe not so good at understanding how a network functions. I suspected that locking down .exe files was the route I would have to take, but I expected it would involve a lot of trial and error to get it right. I've run into problems before when restricting what you can launch, such as unexpected side effects like right-click becoming disabled or similar.
MrJinje Posted April 8, 2010 (edited) Much easier to just whitelist the one they are allowed to use, instead of trying to restrict all the apps they are not allowed. See post #11 for details on the group policy setting "Run only specified Windows applications". As for logging off with Active Directory, I can't recall any built-in method, but a looping VBS script could be fashioned to wait for the app to close, then perform the logoff. Technically, if you push the VBS using the logon scripts GPO, one might be able to argue it is an Active Directory method. I'd probably use WMI WIN32_PROCESS.NAME if I decided to go that route. Edited April 8, 2010 by MrJinje
allen2 Posted April 8, 2010 (edited) For the auto-logoff thing, I'll use a batch startup script like this one:

    rem launch the app and block until it exits
    start "application" /wait "fullpathtoapp\appname.exe"
    rem then log the current user off
    shutdown /l

The DOS window could be hidden with third-party tools. For application restriction, I'll use the whitelist as MrJinje said. Edited April 8, 2010 by allen2
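The same "launch, wait, log off" logon script as an added PowerShell example (not code from any poster in this thread), written to fail closed: if the application is missing or fails to start, the session is still ended rather than leaving the user at a desktop. The application path is a placeholder, and the script assumes it is pushed through the logon-script GPO and paired with the "Run only specified Windows applications" whitelist the thread describes.

```powershell
# Added example, not from the thread. Logon script for a single-application user:
# start the permitted app, wait for it (and its child processes) to exit, then
# log the user off. Closing the window with Alt+F4 ends the process and so
# triggers the logoff; minimizing does not, which is why the whitelist is still
# needed to keep anything else from being launched.

$AppPath = 'C:\Program Files\ExampleApp\ExampleApp.exe'   # placeholder path (assumption)
$LogFile = Join-Path $env:TEMP 'single-app-logon.log'     # local trace for troubleshooting

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append -Encoding utf8
}

function Invoke-Logoff {
    # /l logs off the current user; /f forces it so a hung process cannot block the logoff.
    Write-Log 'Logging off.'
    & "$env:SystemRoot\System32\shutdown.exe" /l /f
}

try {
    if (-not (Test-Path -LiteralPath $AppPath)) {
        # Fail closed: with nothing to run, the user has no business at the desktop.
        throw "Application not found: $AppPath"
    }

    Write-Log "Starting $AppPath"
    # -Wait blocks until the process and its descendants have exited;
    # -PassThru returns the process object so the exit code can be recorded.
    $proc = Start-Process -FilePath $AppPath -PassThru -Wait
    Write-Log "Application exited with code $($proc.ExitCode)"
}
catch {
    Write-Log "Error: $_"
}
finally {
    # Whatever happened above, the session ends when the script does.
    Invoke-Logoff
}
```

The logoff only fires if the script host is still running when the application exits, so the whitelist has to prevent the user from ending it or starting anything else; the log file is worth reviewing when testing the restriction policy for the side effects SamR mentions.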