We want to set up a server that is configured for Remote Desktop access for a small group of users that will be running a couple of applications from a remote location. Setting up the Remote Desktop portion was a piece of cake but now I want to disable the Control Panel and Administrative tools on the Start menu. Obviously we can't allow just any user to be making changes that could affect everybody else using the server. I found several articles that provide information about configuring the Local Policies/Administrative Templates to disable the Control Panel but they didn't convey how to disable the Control Panel for normal users while making it available for the Administrator, either local or domain. Our network is setup as a Windows 2003 domain so it's possible to configure the group policies in Active Directory to disable the Control Panel but it disabled it for all of the accounts including the Administrator accounts and it did it on all of the servers on the domain. I believe that the answer may be in using Organization Units but I have been able to figure out how to configure them to target only the server providing the Remote Desktop applications.
So here's what I need. I need to know how to configure either the local policy on the Remote desktop server or the domain group policies so that they disable the Control Panel and eventually the Administrative Tools for the normal domain user accounts that are logging in via remote desktop while still allowing the Administrator to be able to access and use the applications in both of these panels. I believe the policy should apply only to the remote desktop server but I suppose it wouldn't hurt if it applied to all of the servers as long as the Administrator was still able to access these applications.
I seem to be dancing all around this but I am never able to find the right combination that will accomplish what I'm trying to do.