
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 158

Applying a restrictive desktop policy to a single Windows 2000 Server

Okay, I've got to the point of giving myself a headache with this one, so I thought I'd throw it out to you guys...

First of all a bit of background: We have multiple sites, all have a BDC, with the PDC at our central site (Yes I know... we're still using NT4!). So with the exception of domain controllers, all other servers and all workstations are running Windows 2000 (SP4).

The problem: I have a single server running Terminal Services in Application mode. Users will log on through a TSWeb connection to the server and authenticate with their own NT accounts. I only want the users to be able to run a particular application on the server, and have no access to My Computer, Run, Settings etc...
So far, I've created a group policy (NT Policy that is... not a GPO, we don't have W2K DCs remember), and the associated NT group. When I plonk a test user in the group and log on to the server, it's all nicely locked down. The issue is that I can't put the live users into the group as it will also lock down their workstations (and anything else they log on to!) which is no good.

To conclude: I need to find a way of applying a policy to several users which locks down a single server's desktop environment, but doesn't affect anything else. I can't use machine policies, as they don't have the necessary options to restrict the features I need disabling.

Any help would be greatly appreciated. Thanks.
1 Solution
Simply create an additional policy file, for example NTConfigTS.pol, with the lockdown settings; put it into the netlogon share as well.
Then change the UpdateMode and NetworkPath registry settings on your Terminal Server to 2 and "%Logonserver%\netlogon\NTConfigTS.pol", respectively (see article below for further information). (Do I need to mention that you need to reboot the server for this change to apply?)
Your Terminal Server will then stop processing the usual NTConfig.pol file; it will process the NTConfigTS.pol file instead. Everything else stays just the same.
You can of course test the new NTConfigTS.pol file with a regular workstation first by applying the same changes to it.

Guide to MS Windows NT 4.0 Profiles and Policies
mitchet (Author) Commented:
Excellent - That works a treat!! Thanks very much oBda.
