On our Windows NT network, we have two Windows NT 4.0, Terminal Server Edition servers with MetaFrame that we have set up as member servers. We want to use Application Security (APPSEC) to limit the applications that users can run. When we run APPSEC, the TSE servers don't appear to run the NT logon scripts. Is there any way to make the logon script run with APPSEC activated?
Because your servers are member servers, they look for your logon script on the authenticating server (the PDC or the BDC). APPSEC prevents all applications that don't appear on the permitted list from running. Because APPSEC's permitted list can't run applications on a network share, there's no way to permit the logon scripts. You need to create a special script on each TSE server that runs just for TSE users. The script can then appear on the permitted list.
To make a special logon script that runs only when you log on to a TSE server, create your logon script (e.g., tslo.cmd) in the %systemroot%\system32 folder. (The script must reside in the System32 directory.) Next, open a Registry editor and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Expand Appsetup, and type ",TSLO.CMD" after the last entry (don't forget the comma; you must separate each entry with a comma). For example, if the value of Appsetup was
it should now be
Next, set up APPSEC.
- Run APPSEC by clicking Start, Programs, Administrative Tools (Common), Application Security.
- Click Add.
- Go to M:\wtsrv\system32\tslo.cmd (where M: is your boot drive).
- Make sure M:\wtsrv\system32\tslo.cmd is added to the APPSEC list.
- Click Enable.
- Test APPSEC by logging on as a user (APPSEC doesn't affect Administrator accounts).
Now, when a user logs on to the TSE server, tslo.cmd will run. If you want to get fancy, you can configure tslo.cmd to call commands or other .cmd files specific for each user or group, but don't forget to add each application to APPSEC.
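To confirm that every script named in Appsetup will actually be allowed to run once APPSEC is enabled, the check below can be run offline; it is an added example, not part of the original answer. It assumes you copy the Appsetup value and the APPSEC list into it by hand; the function name `audit_appsetup` and all sample values (including `first.cmd` and `extra.cmd`) are constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any platform


def audit_appsetup(appsetup, appsec_list, system32):
    """Return (entry, problem) pairs for Appsetup entries APPSEC would block."""
    # Windows paths are case-insensitive, so compare normalized forms.
    permitted = {ntpath.normcase(ntpath.normpath(p)) for p in appsec_list}
    findings = []
    for raw in appsetup.split(","):
        entry = raw.strip()
        if not entry:
            findings.append((raw, "empty entry (stray comma)"))
        elif entry.startswith("\\\\"):
            # APPSEC cannot permit a program that lives on a network share.
            findings.append((entry, "network share path cannot be permitted"))
        elif ntpath.dirname(entry):
            # The answer requires the script to reside in System32 itself.
            findings.append((entry, "not a bare file name in System32"))
        else:
            full = ntpath.normcase(ntpath.join(system32, entry))
            if full not in permitted:
                findings.append((entry, "missing from APPSEC list"))
    return findings


# Constructed sample data: M: is the boot drive, as in the steps above.
SYSTEM32 = "M:\\wtsrv\\system32"
APPSETUP = "FIRST.CMD,TSLO.CMD, \\\\PDC\\NETLOGON\\logon.cmd,extra.cmd"
APPSEC_LIST = [
    "M:\\wtsrv\\system32\\first.cmd",
    "m:\\WTSRV\\System32\\tslo.cmd",
]

if __name__ == "__main__":
    for entry, problem in audit_appsetup(APPSETUP, APPSEC_LIST, SYSTEM32):
        print(f"{entry}: {problem}")
```

Any .cmd file or program that tslo.cmd calls can be checked the same way by appending its file name to the value passed in.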