Solved

Windows 2000 local computer policy

Posted on 2004-04-29
4
439 Views
Last Modified: 2013-12-04
I have a Windows 2000 Server with Terminal Services installed, and planning to allow remote users run database application through web interface. For security reason, I went in to LOCAL COMPUTER POLICY ==> USER CONFIGURATION ==> ADMINISTRATIVE TEMPLATES ==> SYSTEM and set "Run only allowed application" to one data base app. And now I can only run that database application eventhough I login as administrator. Totally I cannot run or do anything with my server beside running that database application. Thank you in advance for any help.

Lloyd
0
Comment
Question by:dhuynh3
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 4

Expert Comment

by:matalyn1016
ID: 10955359
Make sure the “Apply Group Policy” is not checked on the Securetiy tab for Domain Admins. Check the “apply to admin” in your advanced securety settings of the GPO in question as well. Also make sure you are a “member of” the domain admins group not just the administrators group.

Applying the policy at the domain level may cause the problem as well. Create a TS group and add the users to it - apply the policy to that group and make sure the admin in question is not a part of that group. This should help.

Let me know..
0
 

Author Comment

by:dhuynh3
ID: 10962322
The Windows 2000 Server with Terminal Services is a member server of NT 4.0 Domain. The policy I set is local to Windows 2000 Server with Terminal Services. Is like I lock myself out without a key to get back in. I cannot run any Windows built in programs or admin tools. Are there any way retake control of the server beside reinstall entire server?

Thanks for your comment

Lloyd
0
 
LVL 85

Accepted Solution

by:
oBdA earned 500 total points
ID: 10963025
It should be in fact rather simple.
Map the server's C$ from another machine (as Administrator obviously).
In Windows Explorer, right-click on %Server-Systemroot%\system32\GroupPolicy, choose Properties, click on the "Security" tab. The default setting is "Full Control" for Administrators. Change that to "Deny Read"; ignore the warning.
Log on locally to the server.
Undo the change to the security settings (either locally or from the remote machine, doesn't really matter).
Open gpedit.msc again and undo the restriction(s) immediately.
Log off and back on, and you should be fine.

Here's a better way:
Group Policies for Windows 2000 Professional Clients in Windows NT 4.0 Domain or Workgroups
http://support.microsoft.com/?kbid=274478

Guide to MS Windows NT 4.0 Profiles and Policies
http://www.microsoft.com/technet/prodtechnol/winntas/maintain/prof_pol.mspx

You can use poledit.exe from your W2k machine to create a policy file for your Terminal Server, for example NTConfigTS.pol, and apply it to your Terminal Server using the "NetworkPath" setting described in the article. That will allow you to define groups for which to apply the settings.
But, as usual, treat policies with extreme care. Test them on a separate system before you apply them in earnest. It's quite easy to do serious damage to a user profile or even the system itself if you're not careful.
0
 
LVL 85

Expert Comment

by:oBdA
ID: 10963057
Oh, forgot to mention this; depending on what you're planning to restrict, it might already be enough:

HOW TO: Apply Local Policies to all Users Except Administrators on Windows 2000 in a Workgroup Setting
http://support.microsoft.com/?kbid=293655
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question