General discussion

Locked

Terminal Services security lockdown

By Craig IT Mangaer ·
I am trying to keep users from having access to key components and options on the terminal server, such as the shutdown option. Problem is that if I create a policy to block this than they can't shutdown their win2k pro workstation. I eliminated most items in the profile but certain things you can't get rid of without a group policy. I tried applying the group policy to just the server but that didn't work since the policies that did take affect hampered the adminitstrator account as well even though I created a no overide policy for the admins. I assume these are buried in the registry somewhere. Any suggestions?

This conversation is currently closed to new comments.

7 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

Terminal Services security lockdown

by cportman In reply to Terminal Services securit ...

Create an OU for the server, place it in the OU, apply the group policy.

Make sure the Admins group does not have Read rights and Apply Group policy rights to the Group policy object.

good luck
cp

Collapse -

Terminal Services security lockdown

by Craig IT Mangaer In reply to Terminal Services securit ...

You would think that would work but it doesn't. Policies applied to a computer doesn't affect that individual users that log on to it. I even tried creating a policy and blocking pc's that I didn't want it to apply to but that didn't work.

Collapse -

Terminal Services security lockdown

by nbcasey In reply to Terminal Services securit ...

The previous poster almost had it right. Create an OU and put your terminal server in it. Create the policies as you like them on the OU. Check the deny column for domain admins in the "Apply group policy" on the security tab. On the server itself, open up the local group policy and enable Group Policy Loopback processing. (If you try to set this option from the OU, it wont work.) You may also think about implementing Terminal Server profiles to keep them seperate from their local ones. Good luck.

Nathan

Collapse -

Terminal Services security lockdown

by Craig IT Mangaer In reply to Terminal Services securit ...

Where would you find such an animal? I haven't found anything that would in affect work as a tool to edit/lookup a local group policy.

Collapse -

Terminal Services security lockdown

by nbcasey In reply to Terminal Services securit ...

In windows 2000, hit start, run and type in MMC. Add a snap in called Group Polices and choose the local machine. Expand Local Computer Policies and under the computer configuration, administrative templates, system, group policy, enable User group policy loopback processing mode. Choose replace or merge. I usually replace. Once you have that set, either reboot the server or open a command prompt and type "secedit /refreshpolicy machine_policy /enforce" then "secedit /refreshpolicy user_policy/enforce". Some options will require a reboot to work.

Collapse -

Terminal Services security lockdown

by Craig IT Mangaer In reply to Terminal Services securit ...

You da man. Thanks! I just love microsofts hidden features.

Collapse -

Terminal Services security lockdown

by Craig IT Mangaer In reply to Terminal Services securit ...

This question was closed by the author

Back to Windows Forum
7 total posts (Page 1 of 1)  

Related Discussions

Related Forums