Bison Infosolutions Knowledgebase

Locking Down Windows Server 2019 Cloud Users to a Single Application Using TSPlus (Complete Technical Guide)

In cloud-hosted environments based on Windows Server 2019, administrators often need to restrict users to a single application. This is especially important in scenarios such as billing systems, ERP access, accounting software, or dedicated operational tools where unrestricted desktop access may lead to security risks, accidental misconfigurations, or data leakage.

This article provides a complete, step-by-step technical guide to configuring a locked-down user environment using TSPlus, along with native Windows methods as alternatives.


Why Restrict Users to a Single Application?

Restricting user access offers several benefits:

  • Enhanced security (no unauthorized access)
  • Simplified user experience
  • Reduced support and troubleshooting
  • Prevention of system misuse
  • Lower risk of malware or accidental damage


Architecture Overview

Typical setup includes:

  • Cloud Windows Server 2019 instance
  • Remote users connecting via RDP or web portal
  • TSPlus installed for application publishing
  • Restricted user accounts


Method 1: Using TSPlus Application Publishing (Recommended)

TSPlus provides a built-in feature called Application Publishing, which allows administrators to assign specific applications to users.

Step 1: Open TSPlus Admin Tool

  • Open Start Menu
  • Search for: TSplus AdminTool
  • Or open via browser:

    http://localhost:14147


Step 2: Add Application

Navigate to:

Application Publishing → Applications
  • Click Add Application
  • Browse to your software executable
    Example:

    C:\Program Files\YourApp\yourapp.exe
  • Save the application


Step 3: Assign Application to User

Go to:

Application Publishing → Assigned Applications
  • Select the user
  • Assign only the required application
  • Remove access to:
    • Desktop
    • Explorer
    • Other apps


Step 4: Enable Restricted Mode

Ensure:

  • ✔ Only assigned applications are visible
  • ✔ Desktop access is disabled


Result

When the user logs in:

  • The assigned software launches automatically
  • No desktop or file explorer is accessible
  • User is fully restricted to that application


Method 2: Using Windows Group Policy (Alternative)

If TSPlus is not used, Windows Group Policy can enforce a custom shell.

Steps

  1. Open:

    gpedit.msc
  2. Navigate to:

    User Configuration → Administrative Templates → System
  3. Enable:

    Custom User Interface
  4. Set value:

    C:\Path\To\YourSoftware.exe


Effect

  • Explorer (desktop) is replaced
  • Only the specified application runs at login


Method 3: Registry Shell Replacement (Advanced & Risky)

⚠️ Use only if you understand system recovery.

  1. Open Registry Editor:

    regedit
  2. Navigate to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  3. Modify:

    Shell = yourapp.exe


Risks

  • Affects all users (including admin)
  • May lock you out if misconfigured
  • Requires safe fallback access
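
A safe-fallback helper for the machine-wide shell change above, as an added example that is not part of the original guide. It assumes an elevated PowerShell session; the backup path C:\Backup\winlogon-shell.reg is a hypothetical location. Run it after editing Shell and before logging off.

```powershell
# Added example: snapshot the Winlogon key, verify the configured shell,
# and fall back to explorer.exe if the shell cannot be resolved.
$WinlogonKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$DefaultShell = 'explorer.exe'
$BackupFile   = 'C:\Backup\winlogon-shell.reg'   # hypothetical backup path

function Backup-WinlogonKey {
    # Export the whole key so it can be re-imported with "reg import" later.
    $dir = Split-Path -Parent $BackupFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
}

function Get-ShellStatus {
    $shell = (Get-ItemProperty -Path $WinlogonKey -Name Shell).Shell
    # Resolve a bare name via PATH or a full path as given.
    # A value that carries arguments is reported as unresolved: check it by hand.
    $exe      = $shell.Trim('"')
    $resolved = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Shell     = $shell
        IsDefault = ($shell -eq $DefaultShell)
        Resolves  = [bool]$resolved
    }
}

function Restore-DefaultShell {
    # Same fix the troubleshooting table calls "Restore explorer.exe".
    Set-ItemProperty -Path $WinlogonKey -Name Shell -Value $DefaultShell
}

Backup-WinlogonKey
$status = Get-ShellStatus
$status | Format-List

if (-not $status.Resolves) {
    Write-Warning "Shell '$($status.Shell)' does not resolve to an executable; restoring $DefaultShell"
    Restore-DefaultShell
}
```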


Additional Security Hardening

To fully secure the environment:

Disable System Access

Via Group Policy:

  • ❌ Task Manager
  • ❌ Command Prompt
  • ❌ Control Panel
  • ❌ Run dialog

Restrict Drives

  • Hide local drives
  • Prevent file browsing

Session Control

  • Limit session time
  • Auto logoff inactive users
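
An audit of the settings listed above for one restricted user, as an added example that is not part of the original guide. It assumes an elevated admin session, a hypothetical dummy account named testuser that is currently logged on, and the standard registry values that back these Group Policy settings; session limits are checked only at the machine-policy location.

```powershell
# Added example: report which lockdown policies are actually applied to a user.
# The user must be logged on (or disconnected) so the hive is loaded under HKEY_USERS.
param([string]$UserName = 'testuser')   # hypothetical dummy account

$account = [System.Security.Principal.NTAccount]$UserName
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$root    = "Registry::HKEY_USERS\$sid"
if (-not (Test-Path $root)) { throw "Hive for $UserName is not loaded; log the user on first." }

$explorer = "$root\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
$system   = "$root\Software\Microsoft\Windows\CurrentVersion\Policies\System"
$cmd      = "$root\Software\Policies\Microsoft\Windows\System"
$ts       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$checks = @(
    @{ Name = 'Custom User Interface (shell)'; Key = $system;   Value = 'Shell' }
    @{ Name = 'Task Manager disabled';         Key = $system;   Value = 'DisableTaskMgr' }
    @{ Name = 'Command Prompt disabled';       Key = $cmd;      Value = 'DisableCMD' }
    @{ Name = 'Control Panel disabled';        Key = $explorer; Value = 'NoControlPanel' }
    @{ Name = 'Run dialog removed';            Key = $explorer; Value = 'NoRun' }
    @{ Name = 'Local drives hidden';           Key = $explorer; Value = 'NoDrives' }
    @{ Name = 'Drive browsing blocked';        Key = $explorer; Value = 'NoViewOnDrive' }
    @{ Name = 'Idle session limit (ms)';       Key = $ts;       Value = 'MaxIdleTime' }
)

$report = foreach ($c in $checks) {
    # A missing key or value yields $null, which counts as "not applied".
    $data = (Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    [pscustomobject]@{
        Setting = $c.Name
        Data    = $data
        Applied = ($null -ne $data -and $data -ne 0)
    }
}

$report | Format-Table -AutoSize
$missing = @($report | Where-Object { -not $_.Applied })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) setting(s) not applied for $UserName"
}
```

With Method 1 the shell row is expected to be empty, since TSPlus rather than the Custom User Interface policy restricts the session.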


Best Practices

  • ✅ Always test with a dummy user
  • ✅ Keep admin access unrestricted
  • ✅ Use TSPlus instead of registry hacks
  • ✅ Backup system before changes
  • ✅ Document configuration


Common Issues & Fixes

| Issue | Cause | Solution |
|---|---|---|
| App not launching | Wrong path | Verify executable path |
| Blank screen after login | Shell misconfigured | Restore explorer.exe |
| User sees desktop | Desktop not disabled in TSPlus | Adjust publishing settings |
| Admin locked out | Global shell change | Use safe mode or registry fix |


Conclusion

For cloud-based Windows Server environments, restricting users to a single application is both a security necessity and an operational improvement. While native Windows methods exist, TSPlus provides a far more reliable, flexible, and user-friendly approach.

Using application publishing ensures controlled access, simplified user sessions, and a professional remote experience without compromising system integrity.


