Solved

Windows 2000 local computer policy

Posted on 2004-04-29
Last Modified: 2013-12-04
I have a Windows 2000 Server with Terminal Services installed, and am planning to allow remote users to run a database application through a web interface. For security reasons, I went in to LOCAL COMPUTER POLICY ==> USER CONFIGURATION ==> ADMINISTRATIVE TEMPLATES ==> SYSTEM and set "Run only allowed application" to one database app. And now I can only run that database application even though I log in as administrator. Totally I cannot run or do anything with my server besides running that database application. Thank you in advance for any help.

Lloyd
Question by:dhuynh3
LVL 4

Expert Comment

by:matalyn1016
ID: 10955359
Make sure the “Apply Group Policy” is not checked on the Security tab for Domain Admins. Check the “apply to admin” in your advanced security settings of the GPO in question as well. Also make sure you are a “member of” the domain admins group, not just the administrators group.

Applying the policy at the domain level may cause the problem as well. Create a TS group and add the users to it - apply the policy to that group and make sure the admin in question is not a part of that group. This should help.

Let me know..

Author Comment

by:dhuynh3
ID: 10962322
The Windows 2000 Server with Terminal Services is a member server of an NT 4.0 Domain. The policy I set is local to the Windows 2000 Server with Terminal Services. It's like I locked myself out without a key to get back in. I cannot run any Windows built-in programs or admin tools. Is there any way to retake control of the server besides reinstalling the entire server?

Thanks for your comment

Lloyd
LVL 83

Accepted Solution

by: oBdA (earned 500 total points)
ID: 10963025
It should be in fact rather simple.
Map the server's C$ from another machine (as Administrator obviously).
In Windows Explorer, right-click on %Server-Systemroot%\system32\GroupPolicy, choose Properties, click on the "Security" tab. The default setting is "Full Control" for Administrators. Change that to "Deny Read"; ignore the warning.
Log on locally to the server.
Undo the change to the security settings (either locally or from the remote machine, doesn't really matter).
Open gpedit.msc again and undo the restriction(s) immediately.
Log off and back on, and you should be fine.

Here's a better way:
Group Policies for Windows 2000 Professional Clients in Windows NT 4.0 Domain or Workgroups
http://support.microsoft.com/?kbid=274478

Guide to MS Windows NT 4.0 Profiles and Policies
http://www.microsoft.com/technet/prodtechnol/winntas/maintain/prof_pol.mspx

You can use poledit.exe from your W2k machine to create a policy file for your Terminal Server, for example NTConfigTS.pol, and apply it to your Terminal Server using the "NetworkPath" setting described in the article. That will allow you to define groups for which to apply the settings.
But, as usual, treat policies with extreme care. Test them on a separate system before you apply them in earnest. It's quite easy to do serious damage to a user profile or even the system itself if you're not careful.
LVL 83

Expert Comment

by:oBdA
ID: 10963057
Oh, forgot to mention this; depending on what you're planning to restrict, it might already be enough:

HOW TO: Apply Local Policies to all Users Except Administrators on Windows 2000 in a Workgroup Setting
http://support.microsoft.com/?kbid=293655
