Monday, 6 October 2014

Windows Server 2012 RemoteApp post installation tweaks

What:

Remote App server on Windows 2012 R2

Problem:

Tips & Tricks

Solution:

Set a "Start in:" option for a published app
==================================

- Option 1 -

1. Create a ".bat" file in the application's directory, e.g. app-start.bat
2. Populate that file with the following content:
@echo off
start "my-app" /d "\\server\app_dir" "my-app.exe"
exit
3. Publish app-start.bat instead of the actual application.
4. Now it would be a good idea to change the icon, see below.

- Option 2 -

1. Create a shortcut in the application's directory, e.g. my-app.lnk, and set its "Start in:" option.
2. Open up PowerShell and use the following command to publish your app:
New-RDRemoteApp -DisplayName "App" -Alias "myapp" -FilePath "C:\Program Files (x86)\Your Application\my-app.lnk" -iconPath "C:\Program Files (x86)\Your Application\app.exe" -CollectionName QuickSessionCollection

Change published application icon
==================================
1. Check the published application's settings
2. Open up PowerShell and use the following command to set a new icon:
Set-RDRemoteApp -DisplayName "App" -Alias "myapp" -FilePath "C:\Program Files (x86)\Your Application\app-start.bat" -iconPath "C:\Program Files (x86)\Your Application\app.exe" -CollectionName QuickSessionCollection

Disable Server Manager autostart for users
==================================
1. Open up "Task Scheduler" and navigate to:
Task Scheduler Library > Microsoft > Windows > Server Manager
2. Double-click the ServerManager task in the middle pane and change its Triggers so that it only fires for a specific user, e.g. administrator

To disable Server Manager autostart completely, start Server Manager, click Manage > Server Manager Properties and untick "Do not start Server Manager automatically at logon" in


Set up loopback group policy for all users except administrators, loopback processing of GP explained
==================================
1. From "Group Policy Management" create a new policy.
2. Navigate to "Computer Configuration > Administrative Templates > Group Policy"
Find "User Group Policy loopback processing mode" and set it to Enabled - Merge
3. Click on your policy in "Group Policy Objects", select the "Delegation" tab, click "Advanced" and, for "Domain Admins", set "Apply group policy" to Deny


Remove pinned applications from taskbar (powershell, system manager)
==================================
1. From "Group Policy Management" create a new policy or edit an existing one
2. Navigate to "User Configuration > Administrative Templates > Start Menu and Taskbar"
3. Double-click "Remove pinned programs list from the Taskbar" and set it to Enabled


Restrict access to Administrative tools
==================================
1. From "Group Policy Management" create a new policy or edit an existing one
2. Navigate to "Computer Configuration > Policies > Windows Settings > Security Settings"
3. Right click on "File system" and choose "Add File..."
4. In the "Folder:" text box paste "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Administrative Tools" and click OK
5. You should now see a new pop-up called "Database Security for..."; remove Users from the list and make sure Administrators have "Full Control"
6. On the "Add Object" window select "Propagate inheritable permissions to all subfolders and files", click OK
You can do the same for "Server Manager" %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk
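
A way to confirm that the file-system policy above actually took effect, as an added example that is not part of the original post: it walks the Administrative Tools folder (which contains Server Manager.lnk) and reports every Allow entry that still reaches ordinary users. Checking Authenticated Users, Everyone and INTERACTIVE in addition to Users is an assumption added here; run it elevated on the Remote Desktop server after gpupdate.

```powershell
# Added example: audit the ACL that the "File System" GPO entry should have applied.
$root = "$env:AllUsersProfile\Microsoft\Windows\Start Menu\Programs\Administrative Tools"

# Well-known SIDs of groups every RemoteApp user belongs to. SIDs are used
# instead of names so the check also works on non-English systems.
# Only BUILTIN\Users is named on the page; the rest are an assumption.
$broadSids = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
}
$sidType = [System.Security.Principal.SecurityIdentifier]

# Check the folder itself and every child, because step 6 propagates the ACL.
$items = @(Get-Item -LiteralPath $root -Force) +
         @(Get-ChildItem -LiteralPath $root -Recurse -Force)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $broadSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $broadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
    Write-Warning "$(@($findings).Count) ACE(s) still grant access to non-administrators."
} else {
    Write-Output 'OK: no Allow entries for Users or other broad groups.'
}
```

An entry reported with Inherited = True means the parent folder's permissions are still flowing in and the policy has not replaced them on that object.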


Enable Windows Explorer thumbnail previews
==================================
1. Start "Server Manager"
2. Click Manage > Add Roles and Features and click Next until you reach the Features section
3. Expand "User Interfaces and Infrastructure"
4. Enable "Desktop Experience"; this will install many additional features


Disable Cached Mode in Outlook 2010
==================================
1. Download administrative template from here
2. Double click on the AdminTemplates_[32/64].exe to extract the content
3. From "Group Policy Management" create a new policy or edit an existing one
4. Navigate to "User Configuration > Administrative Templates", right click on it and select "Add/Remove Templates..."
5. Click Add, navigate to extracted templates ADM > en-us folder and select outlk14.adm
6. Go to "User Configuration > Policies > Administrative Templates > Classic Administrative Templates > Microsoft Outlook 2010 > Account Settings > Exchange > Cached Exchange Mode"
7. Double click on "Use Cached Exchange Mode for new and existing Outlook profiles" select DISABLED and save.


Hide "Network" icon in explorer
==================================
1. Create adm file with the following content:
CLASS User
CATEGORY !!Custom
CATEGORY !!ExplorerExtras
POLICY !!HideNetworkInExplorer
KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum"
EXPLAIN !!HideNetworkInExplorer_Help
VALUENAME "{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY
END CATEGORY
[strings]
Custom="Custom Policies"
ExplorerExtras="Windows Explorer Extra's"
HideNetworkInExplorer="Hide the Network Icon in Explorer 2008/Vista/Windows 7"
HideNetworkInExplorer_Help="Enable this to hide the network icon, disable or unconfigure to show the network icon."
2. From "Group Policy Management" create a new policy or edit an existing one
3. Navigate to "User Configuration > Administrative Templates", right click on it and select "Add/Remove Templates..."
4. Click Add, navigate to your ADM file and add it
5. Go to "User Configuration > Policies > Administrative Templates > Custom Policies > Windows Explorer Extra's > Hide the Network Icon in Explorer"
6. Enable policy

Source


Set default keyboard layout (English UK)
==================================
1. Copy and paste below to keyboard.adm file
CLASS USER
CATEGORY "Custom Settings"
CATEGORY "Keyboard Layout"
POLICY "Set UK Keyboard Layout"
KEYNAME "Keyboard Layout\Preload"
VALUENAME 1
VALUEON 00000809
VALUEOFF ""
END POLICY ;Set UK Keyboard Layout
END CATEGORY ;Keyboard Layout
END CATEGORY ;Custom Settings
2. From "Group Policy Management" create a new policy or edit an existing one
3. Navigate to "User Configuration > Administrative Templates", right click on it and select "Add/Remove Templates..."
4. Click Add, select keyboard.adm file
5. Enable policy


To apply policies remember to run
gpupdate
on your Remote Desktop Servers, this will apply new or updated policies only.
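
To check that the registry-backed settings from this page arrived after gpupdate, the following added example (not part of the original post) reads the values back. It assumes it is run as a non-admin test user in a session on the Remote Desktop server; the loopback value name UserPolicyMode (1 = Merge) is the standard policy location and is not given on the page, while the other two keys come from the ADM files above.

```powershell
# Added example: read back the policy values set by the GPOs described above.
function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is missing instead of throwing.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

$checks = @(
    @{ Setting  = 'Loopback processing (1 = Merge)'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name     = 'UserPolicyMode'
       Expected = 1 },
    @{ Setting  = 'Hide Network icon in Explorer'
       Path     = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum'
       Name     = '{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}'
       Expected = 1 },
    @{ Setting  = 'UK keyboard layout preload'
       Path     = 'HKCU:\Keyboard Layout\Preload'
       Name     = '1'
       Expected = '00000809' }
)

$results = foreach ($c in $checks) {
    $actual = Get-RegValue $c.Path $c.Name
    [pscustomobject]@{
        Setting  = $c.Setting
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        # Compare as strings so DWORD and REG_SZ values are handled alike.
        Applied  = ($null -ne $actual -and "$actual" -eq "$($c.Expected)")
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Applied }) {
    Write-Warning 'Some settings are missing; check GPO links, loopback and security filtering.'
}
```

Run the same script as a Domain Admin as well: with "Apply group policy" set to Deny for that group, the two HKCU settings should show as not applied there.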

3 comments:

  1. Hiding the network icon doesn't keep users from being able to go to the location / address bar in Explorer and typing in Network and then hitting enter to be able to see the computers on the network. Take a look at my blog post here http://doctorevil30564.blogspot.com/2015/02/remove-users-ability-to-browse-network.html to find a custom ADM file that, when activated, removes users' ability to browse the network. It doesn't block UNC paths to network locations if you know the path and need to browse to a network share on another computer, just blocks the ability to browse the network.

  2. Thanks for the comment and useful link Doctor Evil.

  3. Hey, thanks for letting me know about that link being dead. I've shared the ADM file again using my Dropbox account. It should be ok since it's a small file and shouldn't exceed my monthly bandwidth for Dropbox.