Only 1 Application

For various reasons it might be needed to give users only 1 Application. This can easily be accomplished with AADS Application Control.

Prerequisites

Because the intention is to assign 1 Application to 1 or more Users,
and because every User is always member of the group "Users",
there should be no Applications assigned to the group "Users".

For example, if you assign 5 Applications to the group "Users",
then all Users will get assigned at least these 5 Applications,
and it will not be possible anymore to assign only 1 Application to 1 ore more Users...

The group "Users" has no Applications assigned.

Do not assign Applications to the group "Domain Users"

What is stated about the group "Users" does also apply to the group "Domain Users".

The group "Domain Users" has no Applications assigned.

Do not assign Applications to the group "Remote Desktop Users"

What is stated about the group "Users" does also apply to the group "Remote Desktop Users".

The group "Remote Desktop Users" has no Applications assigned.

Do first a complete Windows Session

When it is intended that an user / users will only get 1 Application,
before configuring AADS and this 1 Application,
login with every username and password,
such that the initial Windows-processes, like creating the Profile, Home-folder, Registry, etc,
can be done by Windows.

• Do 1 normal Login with the username and password.
• Handle all those initial questions about Advertise ID, Location, etc.
  
  
• Logoff the user.
• Configure the "Only 1 Application" for the user after the user has done at least 1 complete Login and Logoff with a default Windows Desktop.

If Windows has not been able to do all this initial stuff, all kind of "strange" errors might happen because files, folders, registry-settings, etc are missing.

Example 1

This Example is based on an stand-alone AADServer running on Windows 11.

On the local AADServer, 3 groups are defined:

Application Control is done as follows:

Users who are member of "MultiApp_1" get the see the following Desktop:

Users who are member of "SingleApp_1" get the see the following Desktop:

When it is about "Only 1 Application", it is about "visible Applications". The group "SingleApp_1" can have more Applications assigned, as long as there is only 1 visible Application. The "$" sign in front of an Application makes the Application "invisible".

It might be needed to assign 1 or more "invisible" Applications, such that the 1 and only visible Application works properly. For example, it might be needed to start some "plugin-application", or a "database-application".
In this example an "invisible aads directive" is added to the group: $aad Apply Restrict Control, such to make sure that nothing else can be started by the user.

• See Property: Display Name for the "$" that makes an Application "invisible"; the Application will not appear as an Item in the Start Menu of the User.
  
• See Property: Startup , AutoRun and Visible:
  • When AutoRun is selected, the Application will be started immediatly after the Logon.
  • When Visible is de -selected, the Application will be started with the instruction to Windows not to show the Application;
    with the instruction to "hide" the Application from the Desktop while it is running.

  • 	AutoRun
    	Visible

Application Control Settings

In these Examples, the Application Control Settings are as follows:

Users who do not belong to "MultiApp_1", "MultiApp_2" and "SingleApp_1", get to see a default, complete desktop.
Because of that, in "Optimize" the settings for disable the Windows Start Menu is de-selected:

Users who are member of "MultiApp_2" get the see the following Desktop:

Because the group "MultiApp_2" has no Applications assigned in this example,
and because of the setting: "Default a user sees a complete desktop, unless additional settings apply for the user",
the users who are member of the group "MultiApp_2" do see a complete desktop.

Once the Administrator has assigned 1 or more Applications to "MultiApp_2",
members of the group "MultiApp_2" get to see a desktop with only these assigned Applications.

Example 2

This Example is based on an AADServer running on Server 2022, joined to a Domain.

In the Domain, 3 Groups are defined:

•   MultiApp_1
  
•   MultiApp_2
  MultiApp_2 has no Users yet, but is "ready for use in the (near) future".
  
•   SingleApp_1

Application Control is done as follows:

Users who are member of "MultiApp_1" get the see the following Desktop:

Users who are member of "SingleApp_1" get the see the following Desktop:

When it is about "Only 1 Application", it is about "visible Applications". The group "SingleApp_1" can have more Applications assigned, as long as there is only 1 visible Application. The "$" sign in front of an Application makes the Application "invisible".

It might be needed to assign 1 or more "invisible" Applications, such that the 1 and only visible Application works properly. For example, it might be needed to start some "plugin-application", or a "database-application".
In this example an "invisible aads directive" is added to the group: $aad Apply Restrict Control, such to make sure that nothing else can be started by the user.

• See Property: Display Name for the "$" that makes an Application "invisible"; the Application will not appear as an Item in the Start Menu of the User.
  
• See Property: Startup , AutoRun and Visible:
  • When AutoRun is selected, the Application will be started immediatly after the Logon.
  • When Visible is de -selected, the Application will be started with the instruction to Windows not to show the Application;
    with the instruction to "hide" the Application from the Desktop while it is running.

  • 	AutoRun
    	Visible

The group "MultiApp_2" is not yet used in this Example.
It is recommended the define groups in the Domain with names like "SingleApp_1", "SingleApp_2", etc,
and "MultiApp_1" , "MultiApp_2" , etc,
such that you are ready for the need to do more specific Application Control in the (near) future.

Application Control Settings

In these Examples, the Application Control Settings are as follows:

Users who do not belong to "MultiApp_1", "MultiApp_2" and "SingleApp_1", get to see a default, complete desktop.
Because of that, in "Optimize" the settings for disable the Windows Start Menu is de-selected:

The user "domain012" does not belong to "MultiApp_1", "MultiApp_2" and "SingleApp_1", and therefore gets to see a default, complete desktop:

Note: This "default Windows Menu" does also show why AADS Application Control might be a better menu;
the user "domain012" is not an Administrator, but Windows Server 2022 gives this user a menu with items like "Server Manager" for which the user has no rights...

Example 3

It is also possible to use the directive $aad Start Menu Lock . Using this directive:

• 1 (or more...) Application(s) can be assigned to a User or Group.
• Applications can be configured for AutoStart  and Auto-ReStart
• There is no Desktop, Start Menu or Taskbar. The User only gets to see the assinged Application(s).