Applying a restrictive desktop policy to a single Windows 2000 Server

Posted on 2004-11-03
Last Modified: 2010-04-14
Okay, I've got to the point of giving myself a headache with this one, so I thought I'd throw it out to you guys...

First of all a bit of background: We have multiple sites, all have a BDC, with the PDC at our central site (Yes I know... we're still using NT4!). So with the exception of domain controllers, all other servers and all workstations are running Windows 2000 (SP4).

The problem: I have a single server running Terminal Services in Application mode. Users will log on through a TSWeb connection to the server and authenticate with their own NT accounts. I only want the users to be able to run a particular application on the server, and have no access to My Computer, Run, Settings etc...
So far, I've created a group policy (NT Policy that is... not a GPO, we don't have W2K DCs, remember), and the associated NT group. When I plonk a test user in the group and log on to the server, it's all nicely locked down. The issue is that I can't put the live users into the group as it will also lock down their workstations (and anything else they log on to!) which is no good.

To conclude: I need to find a way of applying a policy to several users which locks down a single server's desktop environment, but doesn't affect anything else. I can't use machine policies, as they don't have the necessary options to restrict the features I need disabling.

Any help would be greatly appreciated. Thanks.
Question by: mitchet

    Accepted Solution

    Simply create an additional policy file, for example NTConfigTS.pol with the lock down settings; put it into the netlogon share as well.
    Then change the UpdateMode and NetworkPath registry settings on your Terminal Server to 2 and "%Logonserver%\netlogon\NTConfigTS.pol", respectively (see article below for further information). (Do I need to mention that you need to reboot the server for this change to apply?)
    Your Terminal Server will then stop processing the usual NTConfig.pol file; it will process the NTConfigTS.pol file instead. Everything else stays just the same.
    You can of course test the new NTConfigTS.pol file with a regular workstation first by applying the same changes to it.

    Guide to MS Windows NT 4.0 Profiles and Policies

    Author Comment

    Excellent - That works a treat!! Thanks very much oBda.
