Allow users to only use one program
I need to limit user actions on several machines. Those machines used to be thin clients and are now normal personal computers joined to the domain. Is it possible, with a GPO or a third-party tool, to force users to use only one designated program on the desktop? The machines run Windows 10 Pro and the domain controllers run Windows Server 2012.
If you want to do this for all users of the systems, the following registry key may be used to change the shell to a different executable:
Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Value: Shell
Value Type: REG_SZ
This may be either a path to an executable, or a cmd script.
This does not handle the exit code of the application gracefully. If the shell is an executable, after the application is closed, they would need to press CTRL-ALT-DELETE and log off. If it is a cmd script, it could contain something like && LOGOFF in the script, but the CMD window is visible and is clunky.
The optimal approach would be to create your own custom executable that runs with no window and specify that as the shell. It launches the required application, suppresses any undesirable key combinations, then performs a logoff after the application is closed. It could also have other filters, such as applying only to members of specific groups or excluding Administrators.
Sample here:
https://github.com/GregAskew/ShellLauncher
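The launcher logic described in the answer above, sketched in PowerShell as an added example (not part of the original answer and not the ShellLauncher project's code). The application path, the script path in the Shell value and the exempt group name are hypothetical; suppression of key combinations is not covered.

```powershell
# Added example. Assumed Winlogon Shell value (REG_SZ), script path hypothetical:
#   powershell.exe -NoProfile -WindowStyle Hidden -File C:\Kiosk\Launch.ps1
# Assumes the execution policy permits this script and that standard users
# cannot modify the script or its folder (otherwise they control their own shell).

$AppPath     = 'C:\Program Files\ExampleApp\ExampleApp.exe'  # hypothetical designated program
$ExemptGroup = 'EXAMPLE\KioskExempt'                         # hypothetical domain group

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# A dedicated exempt group is used instead of BUILTIN\Administrators: under UAC
# an administrator's logon token is filtered, so IsInRole() reports $false for it.
# Fail closed: if the group cannot be resolved, the user is treated as restricted.
$exempt = $false
try { $exempt = $principal.IsInRole($ExemptGroup) } catch { $exempt = $false }

if ($exempt) {
    # Assumption: starting explorer.exe here brings up the normal desktop;
    # verify this on the target Windows build.
    Start-Process -FilePath "$env:windir\explorer.exe"
    return
}

try {
    # Launch the designated program and block until it exits.
    $proc = Start-Process -FilePath $AppPath -PassThru -ErrorAction Stop
    $proc.WaitForExit()
}
finally {
    # Runs after a normal exit and also when the launch fails (missing path,
    # access denied), so the user is never left on an empty desktop with no shell.
    & "$env:windir\System32\logoff.exe"
}
```

A PowerShell host started this way can still flash a console window briefly at logon, which a compiled windowless launcher avoids.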