How to Allow RemoteApp While Disallow Remote Desktop Connection

As subject this could be very classic vulnerability in production environment especially if you implemented Terminal Services (TS) technology. You want all terminal users can connect RemoteApp through terminal services but either way want to disable (RDC) Remote Desktop Connection. With RDC a user can connect by remote logon and interactively use all application on your production server inclusive see all data inside. That’s terrible matter, please believe me. For whatever reason you should find a way to address this problem, but how? eventhough by default RemoteApp use port 3389 as well as RDP.

If you think change the RDC port will address this problem thats won’t be a solution because as i mentioned before they use same port. So, how to solve this?

Here are several answer, please choose which one is meet your requirement.

First and the easiest way to solve this problem you just go to Terminal Service Configuration on Server Managaer, double clicks or right click and choose properties. On environment tab select Start the following program when the user logs on’, this makes every users connect through via RDC will start the specified program you choose. Fill program path an files with the next command ‘c:\windows\system32\logoff.exe’ then click OK.


Try connect your TS server via RDC then you should shortly logoff after try logging in.

But these method above has shortfall, viz. all TS users even administrator now won’t ever could remote that server through RDC. Yeah, that ridiculous in fact you are success blocked all TS users but also implied to yourself.

Second way and need extra step is create group policy using Group Policy Editor / Management (GPO/M). Open your GPM via Server Manager then select Group Policy Object. Create new group policy, e.g ‘DisableRDPAllow RemoteApp’– this name is arbitrary. Right click the new GPO and select edit to add policy. Please see policy configuration below in order to address the requirement.



After successfully created the policy now you should put that policy to the OU you want. I already have OU called TS user which is consist all users permit to connect to TS Server. So that make your own group with your own name, again this is arbitrary. On the security filtering tab, you should see Authenticated User, thats mean all of users will use these new policy. For now we just need to apply the policy into TS User only, then you should remove existing user replaced with TS User.




After all please run group policy update to distribute this new policy to your all users. Then finally you can verify the result by connecting TS Server via RDC (of course with member of TS User group).


DisallowRDPAllowRemoteApp_PrepAnd shortly sign out..


That’s it. Happy trying!

Leave a Reply

Your email address will not be published. Required fields are marked *