Solved

Windows 2000 local computer policy

Posted on 2004-04-29
Last Modified: 2013-12-04
I have a Windows 2000 Server with Terminal Services installed, and am planning to allow remote users to run a database application through a web interface. For security reasons, I went into LOCAL COMPUTER POLICY ==> USER CONFIGURATION ==> ADMINISTRATIVE TEMPLATES ==> SYSTEM and set "Run only allowed application" to one database app. Now I can only run that database application, even though I log in as administrator. I cannot run or do anything at all with my server besides running that database application. Thank you in advance for any help.

Lloyd
Question by:dhuynh3
LVL 4

Expert Comment

by:matalyn1016
ID: 10955359
Make sure the “Apply Group Policy” is not checked on the Security tab for Domain Admins. Check the “apply to admin” in your advanced security settings of the GPO in question as well. Also make sure you are a “member of” the domain admins group, not just the administrators group.

Applying the policy at the domain level may cause the problem as well. Create a TS group and add the users to it - apply the policy to that group and make sure the admin in question is not a part of that group. This should help.

Let me know..

Author Comment

by:dhuynh3
ID: 10962322
The Windows 2000 Server with Terminal Services is a member server of an NT 4.0 domain. The policy I set is local to the Windows 2000 Server with Terminal Services. It's like I locked myself out without a key to get back in. I cannot run any Windows built-in programs or admin tools. Is there any way to retake control of the server besides reinstalling the entire server?

Thanks for your comment

Lloyd
LVL 83

Accepted Solution

by:
oBdA earned 500 total points
ID: 10963025
It should be in fact rather simple.
Map the server's C$ from another machine (as Administrator obviously).
In Windows Explorer, right-click on %Server-Systemroot%\system32\GroupPolicy, choose Properties, click on the "Security" tab. The default setting is "Full Control" for Administrators. Change that to "Deny Read"; ignore the warning.
Log on locally to the server.
Undo the change to the security settings (either locally or from the remote machine, doesn't really matter).
Open gpedit.msc again and undo the restriction(s) immediately.
Log off and back on, and you should be fine.

Here's a better way:
Group Policies for Windows 2000 Professional Clients in Windows NT 4.0 Domain or Workgroups
http://support.microsoft.com/?kbid=274478

Guide to MS Windows NT 4.0 Profiles and Policies
http://www.microsoft.com/technet/prodtechnol/winntas/maintain/prof_pol.mspx

You can use poledit.exe from your W2k machine to create a policy file for your Terminal Server, for example NTConfigTS.pol, and apply it to your Terminal Server using the "NetworkPath" setting described in the article. That will allow you to define groups for which to apply the settings.
But, as usual, treat policies with extreme care. Test them on a separate system before you apply them in earnest. It's quite easy to do serious damage to a user profile or even the system itself if you're not careful.
LVL 83

Expert Comment

by:oBdA
ID: 10963057
Oh, forgot to mention this; depending on what you're planning to restrict, it might already be enough:

HOW TO: Apply Local Policies to all Users Except Administrators on Windows 2000 in a Workgroup Setting
http://support.microsoft.com/?kbid=293655