Applying a restrictive desktop policy to a single Windows 2000 Server
Posted on 2004-11-03
Okay, I've got to the point of giving myself a headache with this one, so I thought I'd throw it out to you guys...
First of all a bit of background: We have multiple sites, all have a BDC, with the PDC at our central site (Yes I know... we're still using NT4!). So with the exception of domain controllers, all other servers and all workstations are running Windows 2000 (SP4).
The problem: I have a single server running Terminal Services in Application mode. Users will log on through a TSWeb connection to the server and authenticate with their own NT accounts. I only want the users to be able to run a particular application on the server, and have no access to My Computer, Run, Settings etc...
So far, I've created a group policy (NT Policy that is... not a GPO, we don't have W2K DCs remember), and the associated NT group. When I plonk a test user in the group and log on to the server, it's all nicely locked down. The issue is that I can't put the live users into the group as it will also lock down their workstations (and anything else they log on to!) which is no good.
To conclude: I need to find a way of applying a policy to several users which locks down a single server's desktop environment, but doesn't affect anything else. I can't use machine policies, as they don't have the necessary options to restrict the features I need disabling.
Any help would be greatly appreciated. Thanks.