Applying a restrictive desktop policy to a single Windows 2000 Server

Okay, I've got to the point of giving myself a headache with this one, so I thought I'd throw it out to you guys...

First of all a bit of background: We have multiple sites, all have a BDC, with the PDC at our central site (Yes I know... we're still using NT4!). So with the exception of domain controllers, all other servers and all workstations are running Windows 2000 (SP4).

The problem: I have a single server running Terminal Services in Application mode. Users will logon through a TSWeb connection to the server and authenticate with their own NT accounts. I only want the users to be able to run a particular application on the server, and have no access to My Computer, Run, Settings etc...
So far, I've created a group policy (NT Policy that is... not a GPO, we don't have W2K DC's remember), and the associated NT group. When I plonk a test user in the group and logon to the server, it's all nicely locked down. The issue is that I can't put the live users into the group as it will also lock down their workstations (and anything else they logon to!) which is no good.

To Conclude: I need to find a way of applying a policy to several users which locks down a single servers desktop environment, but doesn't affect anything else. I can't use machine policies, as they don't have the necessary options to restrict the features I need disabling.

Any help would be greatly appreciated. Thanks.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Simply create an additional policy file, for example NTConfigTS.pol with the lock down settings; put it into the netlogon share as well.
Then change the UpdateMode and NetworkPath registry settings on your Terminal Server to 2 and "%Logonserver%\netlogon\NTConfigTS.pol", respectively (see article below for further information). (Do I need to mention that you need to reboot the server for this change to apply?)
Your Terminal Server will then stop processing the usual NTConfig.pol file, it will process the NTConfigTS.pol file instead. Everything else stays just the same.
You can of course test the new NTConfigTS.pol file with a regular workstation first by applying the same changes to it.

Guide to MS Windows NT 4.0 Profiles and Policies

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mitchetAuthor Commented:
Excellent - That works a treat!! Thanks very much oBda.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 2000

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.