Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Windows 2000 local computer policy

Posted on 2004-04-29
4
Medium Priority
?
440 Views
Last Modified: 2013-12-04
I have a Windows 2000 Server with Terminal Services installed, and planning to allow remote users run database application through web interface. For security reason, I went in to LOCAL COMPUTER POLICY ==> USER CONFIGURATION ==> ADMINISTRATIVE TEMPLATES ==> SYSTEM and set "Run only allowed application" to one data base app. And now I can only run that database application eventhough I login as administrator. Totally I cannot run or do anything with my server beside running that database application. Thank you in advance for any help.

Lloyd
0
Comment
Question by:dhuynh3
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 4

Expert Comment

by:matalyn1016
ID: 10955359
Make sure the “Apply Group Policy” is not checked on the Securetiy tab for Domain Admins. Check the “apply to admin” in your advanced securety settings of the GPO in question as well. Also make sure you are a “member of” the domain admins group not just the administrators group.

Applying the policy at the domain level may cause the problem as well. Create a TS group and add the users to it - apply the policy to that group and make sure the admin in question is not a part of that group. This should help.

Let me know..
0
 

Author Comment

by:dhuynh3
ID: 10962322
The Windows 2000 Server with Terminal Services is a member server of NT 4.0 Domain. The policy I set is local to Windows 2000 Server with Terminal Services. Is like I lock myself out without a key to get back in. I cannot run any Windows built in programs or admin tools. Are there any way retake control of the server beside reinstall entire server?

Thanks for your comment

Lloyd
0
 
LVL 85

Accepted Solution

by:
oBdA earned 2000 total points
ID: 10963025
It should be in fact rather simple.
Map the server's C$ from another machine (as Administrator obviously).
In Windows Explorer, right-click on %Server-Systemroot%\system32\GroupPolicy, choose Properties, click on the "Security" tab. The default setting is "Full Control" for Administrators. Change that to "Deny Read"; ignore the warning.
Log on locally to the server.
Undo the change to the security settings (either locally or from the remote machine, doesn't really matter).
Open gpedit.msc again and undo the restriction(s) immediately.
Log off and back on, and you should be fine.

Here's a better way:
Group Policies for Windows 2000 Professional Clients in Windows NT 4.0 Domain or Workgroups
http://support.microsoft.com/?kbid=274478

Guide to MS Windows NT 4.0 Profiles and Policies
http://www.microsoft.com/technet/prodtechnol/winntas/maintain/prof_pol.mspx

You can use poledit.exe from your W2k machine to create a policy file for your Terminal Server, for example NTConfigTS.pol, and apply it to your Terminal Server using the "NetworkPath" setting described in the article. That will allow you to define groups for which to apply the settings.
But, as usual, treat policies with extreme care. Test them on a separate system before you apply them in earnest. It's quite easy to do serious damage to a user profile or even the system itself if you're not careful.
0
 
LVL 85

Expert Comment

by:oBdA
ID: 10963057
Oh, forgot to mention this; depending on what you're planning to restrict, it might already be enough:

HOW TO: Apply Local Policies to all Users Except Administrators on Windows 2000 in a Workgroup Setting
http://support.microsoft.com/?kbid=293655
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question