Skip to main content

How to give access to Windows Apps on ChromeOS (or other devices) fairly cheaply

There has been some interest in giving access to a Windows desktop on ChromeOS in recent months. Some high end solutions involving VDI and server graphics acceleration are coming to the market. However, if you just want a standard rdp connection, you can do that now with using a terminal server and an appropriately deployed rdp app.

What do you need?

  • Server(s) with enough power to handle the number of users you have.
  • An appropriate Microsoft Licence - e.g. a schools agreement with a spare server licence.
  • A free external IP address - optional - only needed for offsite access.
  • A mandatory windows profile you can use.

Our latest remote desktop server is made out of bit from Ebay - I have a separate blog post about it here. For decent performance, you need as many cores and memory as you can afford. In addition, a fast hard disk array - we now use 4 SSD's in RAID 10.

How you configure it is up to you, but we have ESXi 5.5 running on our servers and on this box the rdp VM runs on 8 cores and 24Gb RAM. This suits our purposes and allow other VMs to run on this machine.

You will need to install either Server 2008R2 (gives Windows 7 style desktop) or Server 2012R2 (gives Windows 8.1 style desktop).
There are many good guide to setting up the remote desktop role on both Server 2008R2 and Server 2012R2 - but the rough sequence is:
  • Install the OS
  • Domain join the server (activate windows if you are not running KMS - which you probably are).
  • Install the remote desktop server role. Here you have an option for a session based service (which we use) or virtual desktop service (this has some advantages but will require more setup and far more server resources).
  • Licence the server - so you need to issue CALs by machine or user. You will need your school agreement number to activate the service - otherwise it will run as a trial.
  • Setup you session parameters - so who has access and what their user experience is like.
  • Install software on the server that you want users to access - e.g. Office.
  • Remove access to admin tools and powershell. You need to manually delete the links to these. These are in C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\
  • Apply appropriate group policies to the server. So this normally means applying a loopback policy that enables you to apply policies that only apply when a user logs onto the server. The key one is to apply a mandatory policy and delete the local user policy on logoff. This assumes you use group policies to prevent users from fiddling with any system setting - which we do (I use the 'merge' option which take the normal policies applied to a user and merges them with the machine specific with the machine specific one taking preference).

You will need an appropriate mandatory profile - here is a good server 2008R2 guide. This sets things like the default pins to the taskbar and so on.

Once all this is setup, you should be able to use the remote desktop app on a PC to logon to your server as one of your regular users. Check they cannot do anything you don't want them to be able to do.

Within local DNS, its nice to give the server a friendly name thats easy to remember and if you are going for offsite access - make this the same as the offsite name.

Off Site
To allow off site access you will need to create a firewall rule that maps your public IP address to you server's local IP address. We use ClearOS and this is quite easy to do with a 1:1 NAT rule. You will allow need to allow port 3389 for this rule. In your web hosting, you could add an A record to map that public IP address to something like - so users don't need to put in an IP address to connect externally.

The ChromeOS bit is easy. Simply deploy the AccessToGo (there are a few apps you could use - but I find this the most user friendly) app via the management console to users - we pin it to the shelf. Users put in the computer name (whatever you have called it in DNS) and click connect - they then get a Windows login screen.

Brief demo of the result:

If you have the server resources and a bit of patience - it does not take too long to set up.We also have the Windows Server Backup feature installed which runs a daily backup just incase something gets broken.

Popular posts from this blog

Delete a specific email using GAM

If a user send an inappropriate email to a loads of people or get stung by some sort of email exploit you can quickly delete the email from all of the recipients using a GAM command.
Step 1 - get the email header Go into Google Vault and search for the offending user or someone known to have got the message.
Click show details and grab the email ID. This will be a long string of characters followed by
Step 2 - find out who has the email Go into Google Vault and find the original message sent by the offending user. Look at the details to see who got it. Copy the list and dump it into a spreadsheet. Clean up to just a list of emails with a column header 'mail'. Save as a csv file.
Step 3 - delete messages with GAM Put your CSV file in your GAM folder - this e.g. assumes its called mail.csv
gam csv mail.csv gam user ~mail delete messages query rfc822msgid:MESSAGEIDHERE doit

The alternative nuke option is:
gam all users delete messages query rfc822msgid:MESSAGEI…

My favorite GAM commands - well a few of them at least!

Where would be without GAM? Paying for expensive syncing tools or doing tedious manual tasks in the admin console. GAM can automate most things you might want to do in G Suite. So these are a few of my favourite commands - one I use either as part of a batch file - or just standalone. There are loads more - but these are ones that are used daily.
Classroom Create a spreadsheet of all your domains classes - gam print courses todrive

Create a spreadsheet of a teacher's classes: gam print courses teacher todrive

Bulk create classes:
gam csv classes.csv gam create course alias ~alias name ~alias section ~subject teacher ~teacher status ACTIVE

where classes.csv is a list of classes you want to make.

Add teachers:
gam csv teachers.csv gam course ~alias add teacher ~teacher

Add students:
gam csv students.csv gam course ~alias add teacher ~student

Sync Students (in this example to a group - but could be an ou/csv file)
gam csv groups.csv gam course ~groupmail sync students g…

How to push bookmarks to users in Chrome via the management console

With the release of Chrome and ChomeOS 37 an update to the management console has arrived that allows you to push bookmarks to users.

Under Device Management > Chrome > User Settings > User Experience you will now find the option to add managed bookmarks.

In the example above, the bookmarks are applied to the sub-OU of 'students' - so all our students will get these bookmarks. Simply add your url and the bookmark name, click the + and save. These will appear in a folder called 'yourdomain bookmarks' - see below:

Be aware that to get these bookmarks applied on a Windows/OS-X device the user must be signed into Chrome. Update: if you install the latest group policy template you can push the bookmarks via policy on PCs - details are given here.
Video Guide: