kucelkj
asked on
Hide "Administrative Tools" from a group of non-administrator users via Group Policy
I’m running Terminal Services on a Windows 20003 R2 server. The server is a domain controller as well.
I'm trying to do two things with this server:
1. Hide "Administrative Tools" from a group of non-administrator users via Group Policy. Is that possible? I saw registry changes on the net but prefer to do it through a GPO.
2. Disallow savvy users from running the commands in "Administrative Tools" such as dsa.msc, dssite.msc and domain.msc from a command prompt or start->run. Again, I'd like to do this with a GPO.
Thanks,
-Ken
I'm trying to do two things with this server:
1. Hide "Administrative Tools" from a group of non-administrator users via Group Policy. Is that possible? I saw registry changes on the net but prefer to do it through a GPO.
2. Disallow savvy users from running the commands in "Administrative Tools" such as dsa.msc, dssite.msc and domain.msc from a command prompt or start->run. Again, I'd like to do this with a GPO.
Thanks,
-Ken
ASKER
AustinComputer,
I've found this solution after I posted the question but thanks for you help. This addresses question 2. Do you have any advice for question 1?
Thanks,
-Ken
I've found this solution after I posted the question but thanks for you help. This addresses question 2. Do you have any advice for question 1?
Thanks,
-Ken
ASKER
Okay, that solution did work!! :) Thanks!
Now, is there a way to hide it so it doesn't even appear?
Now, is there a way to hide it so it doesn't even appear?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Awesome, Thanks!
ASKER
Thanks so much for the help!!
Glad I could help.
Rick
Rick
Open the GPO in gpedit.msc and go to:
User Config\Administrative Templates\Windows Components\Microsoft Management Console\ and restrict access to author mode and any MMC snap ins you don't want them to get to.
Be sure that the computer side is in loopback mode if you don't already have a policy on your TS OU that does this:
Computer Config\Administrative Templates\System\Group Policy\User Group Policy Loopback Processing Mode = enabled.
Once the policy is created, it is a good idea to deny apply rights to the administrative staff that supports the server.