Solved

Windows 2000 local computer policy

Posted on 2004-04-29
Last Modified: 2013-12-04
I have a Windows 2000 Server with Terminal Services installed, and am planning to allow remote users to run a database application through a web interface. For security reasons, I went into LOCAL COMPUTER POLICY ==> USER CONFIGURATION ==> ADMINISTRATIVE TEMPLATES ==> SYSTEM and set "Run only allowed application" to one database app. And now I can only run that database application even though I log in as administrator. I cannot run or do anything at all with my server besides running that database application. Thank you in advance for any help.

Lloyd
Question by:dhuynh3

Expert Comment

by:matalyn1016
ID: 10955359
Make sure the “Apply Group Policy” is not checked on the Security tab for Domain Admins. Check the “apply to admin” in your advanced security settings of the GPO in question as well. Also make sure you are a “member of” the domain admins group, not just the administrators group.

Applying the policy at the domain level may cause the problem as well. Create a TS group and add the users to it - apply the policy to that group and make sure the admin in question is not a part of that group. This should help.

Let me know..

Author Comment

by:dhuynh3
ID: 10962322
The Windows 2000 Server with Terminal Services is a member server of an NT 4.0 domain. The policy I set is local to the Windows 2000 Server with Terminal Services. It's like I locked myself out without a key to get back in. I cannot run any Windows built-in programs or admin tools. Is there any way to retake control of the server besides reinstalling the entire server?

Thanks for your comment

Lloyd

Accepted Solution

by: oBdA (earned 500 total points)
ID: 10963025
It should be in fact rather simple.
Map the server's C$ from another machine (as Administrator obviously).
In Windows Explorer, right-click on %Server-Systemroot%\system32\GroupPolicy, choose Properties, click on the "Security" tab. The default setting is "Full Control" for Administrators. Change that to "Deny Read"; ignore the warning.
Log on locally to the server.
Undo the change to the security settings (either locally or from the remote machine, doesn't really matter).
Open gpedit.msc again and undo the restriction(s) immediately.
Log off and back on, and you should be fine.

Here's a better way:
Group Policies for Windows 2000 Professional Clients in Windows NT 4.0 Domain or Workgroups
http://support.microsoft.com/?kbid=274478

Guide to MS Windows NT 4.0 Profiles and Policies
http://www.microsoft.com/technet/prodtechnol/winntas/maintain/prof_pol.mspx

You can use poledit.exe from your W2k machine to create a policy file for your Terminal Server, for example NTConfigTS.pol, and apply it to your Terminal Server using the "NetworkPath" setting described in the article. That will allow you to define groups for which to apply the settings.
But, as usual, treat policies with extreme care. Test them on a separate system before you apply them in earnest. It's quite easy to do serious damage to a user profile or even the system itself if you're not careful.

Expert Comment

by:oBdA
ID: 10963057
Oh, forgot to mention this; depending on what you're planning to restrict, it might already be enough:

HOW TO: Apply Local Policies to all Users Except Administrators on Windows 2000 in a Workgroup Setting
http://support.microsoft.com/?kbid=293655