Here is how I solved the problem:
1) Setup AD group to control access to "Log on Locally" security policy ("Users" group is normally removed from this permission on our standard server build), "Remote Desktop Users" local group, and RemoteApp authorized users.
Then I will use this same group to lock out "explorer" via AppLocker.
2) Set the "Application Identity" service to automatic and started it
3) Run GPEDIT.msc to setup AppLocker (Computer Configuration\Windows Settings\Security Settings\Application Control Policies)
4) Click the Applocker icon, and then in the right, click the "Configure rule enforcement" link and check the box next to "Configured" for "Executable Rules"
5) Create a new rule to DENY access to %WINDIR%\explorer.exe" for the group I created in step 1
6) Allowed it to create the DEFAULT rules
7) Rebooted! I found I was locked out of EVERYTHING, even as an admin until I rebooted. Pretty scary.
8) Test user added to AD group. Setup RemoteApp (AD group has permissions to this). Works!
9) Test user tries to login to the desktop sessions - Fails (works!). User is not allowed to login and the RDP session closes. Message they get is this:
"You are connected to the remote computer. However, an error occured while an initial user program was starting, so you are being logged off...."
This is nice because it gives the user some sort of feedback.
Wednesday, March 06, 2013 9:34 PM
Proposed as answer by
Friday, July 26, 2013 5:31 PM