lockdown desktop without Group Policy

Thread starter: Pearl (Guest)
Is there a way to lock down a Terminal Server session desktop without using
Group Policy?
 
Re: lockdown desktop without Group Policy

You can use the local policy on the server, as well as NTFS
permissions on the file system.
Folder redirection is not possible, though.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Pearl <Pearl@discussions.microsoft.com> wrote on 07
Sep 2007 in microsoft.public.windows.terminal_services:

> is there a way to lockdown a Terminal Server session desktop
> without using Group Policy?
 
Re: lockdown desktop without Group Policy

Thanks Vera.
I looked at the local policy on the server and it does not appear to have
the ability to do such things as remove icons or deactivate them from the TS
user, or only execute a single application from the TS session. Am I correct?

"Vera Noest [MVP]" wrote:

> You can use the local policy on the server, as well as NTFS
> permissions on the file system.
> Folder redirection is not possible, though.
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> =?Utf-8?B?UGVhcmw=?= <Pearl@discussions.microsoft.com> wrote on 07
> sep 2007 in microsoft.public.windows.terminal_services:
>
> > is there a way to lockdown a Terminal Server session desktop
> > without using Group Policy?

 
Re: lockdown desktop without Group Policy

Which icons? You can manually remove all shortcuts which are not
wanted from the Default User profile and Start menu. You cannot
redirect the desktop to a custom desktop, because Folder
Redirection is not supported with a local policy.
You should be able to define a starting application, but you can
also do that in the Terminal Services Configuration tool.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Pearl <Pearl@discussions.microsoft.com> wrote on 07
Sep 2007 in microsoft.public.windows.terminal_services:

> thanks Vera
> I looked at the local policy on the server and it does not
> appear to have the ability to do such things as remove icons or
> deactivate them from the TS user or only execute a single
> application from the TS session. Am I correct?
>
> "Vera Noest [MVP]" wrote:
>
>> You can use the local policy on the server, as well as NTFS
>> permissions on the file system.
>> Folder redirection is not possible, though.
>>
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
>>
>> =?Utf-8?B?UGVhcmw=?= <Pearl@discussions.microsoft.com> wrote on
>> 07 sep 2007 in microsoft.public.windows.terminal_services:
>>
>> > is there a way to lockdown a Terminal Server session desktop
>> > without using Group Policy?
 
Re: lockdown desktop without Group Policy

Actually, our security group is directing this requirement for us. They not
only want the icon removed but deactivated, so that the user cannot launch it
at all. The icons that they are concerned about are: Network Places, My
Computer, Internet Explorer, RUN... just about anything that will allow the
user to customize the desktop, and anything that is connected to or can be
connected to the network. They would like to lock the desktop down to just
the ability to launch a single application and have that icon on the desktop
ALONE... no wallpaper, also. Strong paranoia.

"Vera Noest [MVP]" wrote:

> Which icons? You can manually remove all shortcuts which are not
> wanted from the Default User profile and Start menu. You can not
> redirect the desktop to a custom desktop, because Folder
> redirection is not supported with a local policy.
> You should be able to define a starting application, but you can
> also do that in the Terminal Services Configuration tool.
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> =?Utf-8?B?UGVhcmw=?= <Pearl@discussions.microsoft.com> wrote on 07
> sep 2007 in microsoft.public.windows.terminal_services:
>
> > thanks Vera
> > I looked at the local policy on the server and it does not
> > appear to have the ability to do such things as remove icons or
> > deactivate them from the TS user or only execute a single
> > application from the TS session. Am I correct?
> >
> > "Vera Noest [MVP]" wrote:
> >
> >> You can use the local policy on the server, as well as NTFS
> >> permissions on the file system.
> >> Folder redirection is not possible, though.
> >>
> >> _________________________________________________________
> >> Vera Noest
> >> MCSE, CCEA, Microsoft MVP - Terminal Server
> >> TS troubleshooting: http://ts.veranoest.net
> >> ___ please respond in newsgroup, NOT by private email ___
> >>
> >> =?Utf-8?B?UGVhcmw=?= <Pearl@discussions.microsoft.com> wrote on
> >> 07 sep 2007 in microsoft.public.windows.terminal_services:
> >>
> >> > is there a way to lockdown a Terminal Server session desktop
> >> > without using Group Policy?

 
Re: lockdown desktop without Group Policy

Pearl <Pearl@discussions.microsoft.com> wrote:
> is there a way to lockdown a Terminal Server session desktop without
> using Group Policy?


Sure, many ways. For example, if you're using a standalone or member server
you can do a lot of things with *local* policies. But you may wish to be
more specific about what exactly you're trying to do, and why you're trying
to do it without group policy if you have it as an option....
 
Re: lockdown desktop without Group Policy

Thanks for replying. What we'd like to do is set up only Local Users (no AD
users) to access this TServer and still apply desktop restrictions like:
1. Limit only a specific application to launch
2. Remove and disable key desktop icons like Network Places, My Computer,
Internet Explorer
3. Disable the RUN command
4. Disable the wallpaper and Desktop properties from being customized
5. Not making the Security tab available to the users
6. Only showing and allowing Logoff... no shutdown
7. Prevent access to the command prompt
8. Prevent users from accessing Registry tools to edit the Registry

I have GPMC and the server is Windows 2003 Standard. I am advised that GPMC
will not allow us to configure these restrictions for the User, so what other
options do I have?

Thanks in advance


"Lanwench [MVP - Exchange]" wrote:

> Pearl <Pearl@discussions.microsoft.com> wrote:
> > is there a way to lockdown a Terminal Server session desktop without
> > using Group Policy?

>
> Sure, many ways. For example, if you're using a standalone or member server
> you can do a lot of things with *local* policies. But you may wish to be
> more specific about what exactly you're trying to do, and why you're trying
> to do it without group policy if you have it as an option....
 
Re: lockdown desktop without Group Policy

You should be able to do most of that with a local policy. Run
gpedit.msc to edit the local policy.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Pearl <Pearl@discussions.microsoft.com> wrote on 07
Sep 2007 in microsoft.public.windows.terminal_services:

> Actually, our security group is directing this requirement for
> us. They not only want the icon removed but deactivated so that
> the user can not launch it at all. The icons that they are
> concerned about are : Network Places, My computer, Internet
> Explorer, RUN, ...just about anything that will allow the user
> to customize the desktop and anything that is connected to or
> can be connected to the network. They would like to lock the
> desktop down to just the ability to launch a single application
> and have that icon on the desktop ALONE...no wallpaper, also.
> Strong paranoia.
>
> "Vera Noest [MVP]" wrote:
>
>> Which icons? You can manually remove all shortcuts which are
>> not wanted from the Default User profile and Start menu. You
>> can not redirect the desktop to a custom desktop, because
>> Folder redirection is not supported with a local policy.
>> You should be able to define a starting application, but you
>> can also do that in the Terminal Services Configuration tool.
>>
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
>>
>> =?Utf-8?B?UGVhcmw=?= <Pearl@discussions.microsoft.com> wrote on
>> 07 sep 2007 in microsoft.public.windows.terminal_services:
>>
>> > thanks Vera
>> > I looked at the local policy on the server and it does not
>> > appear to have the ability to do such things as remove icons
>> > or deactivate them from the TS user or only execute a single
>> > application from the TS session. Am I correct?
>> >
>> > "Vera Noest [MVP]" wrote:
>> >
>> >> You can use the local policy on the server, as well as NTFS
>> >> permissions on the file system.
>> >> Folder redirection is not possible, though.
>> >>
>> >> _________________________________________________________
>> >> Vera Noest
>> >> MCSE, CCEA, Microsoft MVP - Terminal Server
>> >> TS troubleshooting: http://ts.veranoest.net
>> >> ___ please respond in newsgroup, NOT by private email ___
>> >>
>> >> =?Utf-8?B?UGVhcmw=?= <Pearl@discussions.microsoft.com> wrote
>> >> on 07 sep 2007 in
>> >> microsoft.public.windows.terminal_services:
>> >>
>> >> > is there a way to lockdown a Terminal Server session
>> >> > desktop without using Group Policy?
 
Re: lockdown desktop without Group Policy

Use gpedit.msc
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Pearl <Pearl@discussions.microsoft.com> wrote on 07
Sep 2007 in microsoft.public.windows.terminal_services:

> thanks for replying. What we'd like to do is setup only Local
> Users (no AD users) to access this TServer and still apply
> desktop restrictions like: 1. limit only a specific
> application to launch 2. remove and disable key desktop icons
> like Network Places, My Computer, Internet Explorer
> 3. Disable the RUN command
> 4. Disable the wallpaper and Desktop properties from being
> customized 5. Not making security tab available to the users
> 6. Only showing and allowing Logoff....no shutdown
> 7. Prevent access to the command prompt
> 8. Prevent users from accessing Registry tools to edit the
> Registry
>
> I have GPMC and the server is Windows 2003 standard. I am
> advised that GPMC will not allow us to configure these
> restrictions for the User so what other options do I have?
>
> Thanks in advance
>
>
> "Lanwench [MVP - Exchange]" wrote:
>
>> Pearl <Pearl@discussions.microsoft.com> wrote:
>> > is there a way to lockdown a Terminal Server session desktop
>> > without using Group Policy?

>>
>> Sure, many ways. For example, if you're using a standalone or
>> member server you can do a lot of things with *local* policies.
>> But you may wish to be more specific about what exactly you're
>> trying to do, and why you're trying to do it without group
>> policy if you have it as an option....
 
Re: lockdown desktop without Group Policy

Forgot to mention: the SERVER is also not in AD. It is a standalone server
in our DMZ. I'm assured by our security team that all the necessary setup
will be in place to allow outside remote users to connect to the server as
local users.

"Pearl" wrote:

> thanks for replying. What we'd like to do is setup only Local Users (no AD
> users) to access this TServer and still apply desktop restrictions like:
> 1. limit only a specific application to launch
> 2. remove and disable key desktop icons like Network Places, My Computer,
> Internet Explorer
> 3. Disable the RUN command
> 4. Disable the wallpaper and Desktop properties from being customized
> 5. Not making security tab available to the users
> 6. Only showing and allowing Logoff....no shutdown
> 7. Prevent access to the command prompt
> 8. Prevent users from accessing Registry tools to edit the Registry
>
> I have GPMC and the server is Windows 2003 standard. I am advised that GPMC
> will not allow us to configure these restrictions for the User so what other
> options do I have?
>
> Thanks in advance
>
>
> "Lanwench [MVP - Exchange]" wrote:
>
> > Pearl <Pearl@discussions.microsoft.com> wrote:
> > > is there a way to lockdown a Terminal Server session desktop without
> > > using Group Policy?

> >
> > Sure, many ways. For example, if you're using a standalone or member server
> > you can do a lot of things with *local* policies. But you may wish to be
> > more specific about what exactly you're trying to do, and why you're trying
> > to do it without group policy if you have it as an option....
 
Re: lockdown desktop without Group Policy

Vera,
That seems to work fine, but it also restricted the administrator. How can I
get back into the server as the administrator and apply the policy to all
users EXCEPT the administrator? I now don't have Run nor any of the items I
activated... which is good for the users but not for the administrator.

"Vera Noest [MVP]" wrote:

> Use gpedit.msc
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> =?Utf-8?B?UGVhcmw=?= <Pearl@discussions.microsoft.com> wrote on 07
> sep 2007 in microsoft.public.windows.terminal_services:
>
> > thanks for replying. What we'd like to do is setup only Local
> > Users (no AD users) to access this TServer and still apply
> > desktop restrictions like: 1. limit only a specific
> > application to launch 2. remove and disable key desktop icons
> > like Network Places, My Computer, Internet Explorer
> > 3. Disable the RUN command
> > 4. Disable the wallpaper and Desktop properties from being
> > customized 5. Not making security tab available to the users
> > 6. Only showing and allowing Logoff....no shutdown
> > 7. Prevent access to the command prompt
> > 8. Prevent users from accessing Registry tools to edit the
> > Registry
> >
> > I have GPMC and the server is Windows 2003 standard. I am
> > advised that GPMC will not allow us to configure these
> > restrictions for the User so what other options do I have?
> >
> > Thanks in advance
> >
> >
> > "Lanwench [MVP - Exchange]" wrote:
> >
> >> Pearl <Pearl@discussions.microsoft.com> wrote:
> >> > is there a way to lockdown a Terminal Server session desktop
> >> > without using Group Policy?
> >>
> >> Sure, many ways. For example, if you're using a standalone or
> >> member server you can do a lot of things with *local* policies.
> >> But you may wish to be more specific about what exactly you're
> >> trying to do, and why you're trying to do it without group
> >> policy if you have it as an option....

 
Re: lockdown desktop without Group Policy

That's one of the disadvantages of local policies: they don't allow
security filtering.
TP posted a way around this a while ago:

From: "TP" <tperson.knowspamn@mailandnews.com>
Subject: Re: local policy and terminal server
Date: Wed, 8 Nov 2006 16:59:42 -0500
Newsgroups: microsoft.public.windows.terminal_services

Here are the instructions for a standalone 2003 server, which can
be summarised as:
1. create a group and user (steps 1 - 4)
2. set permissions and ownership on three folders and a file
(steps 5 - 23)
3. create a shortcut (steps 24 - 27)

INITIAL SETUP

This should be done before attempting any changes to
Group Policy settings.

1. Log on as an administrator
2. Open up Computer Management from Administrative Tools
3. Create a new local group named "GP Editors"
4. Create a new local user named "gpedit". Assign this user
a password, and check "password never expires". Make
this user a member of the GP Editors group.
5. Open up Windows Explorer and browse to the following
folder (make sure that view hidden files is enabled):
C:\WINDOWS\system32\GroupPolicy
6. Right-click on the GroupPolicy folder and Properties - Security
- Advanced
7. Click the Add button, enter GP Editors in the Select User or
Group dialog, and click OK
8. Check Full Control under the Allow column, and click OK
9. Check "Replace permission entries on all child objects with
entries shown here that apply to child objects"
10. Click the Apply button and confirm Yes twice.
11. On the Owner tab, click the Other Users and Groups button,
enter GP Editors, and click OK.
12. Check "Replace owner on subcontainers and objects"
13. Make sure GP Editors is selected in the Change Owner to list.
14. Click the OK button to change the owner, click OK to close
the GroupPolicy Properties
15. Within the GroupPolicy folder, right-click on the Machine
folder, and choose Properties - Security
16. On the Security tab, select Administrators on the top, and
check Full Control under the Deny column
17. Click OK to save the Deny permission you just made, confirm
by answering Yes twice
18. Within the GroupPolicy folder, right-click on the User folder,
and choose Properties
19. On the Security tab, select Administrators on the top, and
check Full Control under the Deny column
20. Click OK to save the Deny permission you just made, confirm
by answering Yes twice
21. Within the GroupPolicy folder, right-click on the gpt.ini file,
and choose Properties
22. On the Security tab, select Administrators on the top, and
check Full Control under the Deny column
23. Click OK to save the Deny permission you just made, confirm
by answering Yes twice
24. Right-click on the desktop and choose New-->Shortcut
25. Enter the following in the location box:
runas /user:gpedit "%windir%\system32\mmc gpedit.msc"
26. Click Next, and enter "Edit Group Policy" for the name
27. Click Finish

MODIFYING GROUP POLICY SETTINGS

1. Log on using the account you used for the initial setup
2. Double-click on the Edit Group Policy shortcut
3. Enter the password for the gpedit account
4. Edit the policies as needed

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Pearl <Pearl@discussions.microsoft.com> wrote on 07
Sep 2007 in microsoft.public.windows.terminal_services:

> Vera
> That seems to work fine but it also restricted the
> administrator. How can I get back into the server as the
> administrator and apply the policy to all users EXCEPT the
> administrator? I now don't have run nor any of the items I
> activated...which is good for the users but not for the
> administrator.
>
> "Vera Noest [MVP]" wrote:
>
>> Use gpedit.msc
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
>>
>> =?Utf-8?B?UGVhcmw=?= <Pearl@discussions.microsoft.com> wrote on
>> 07 sep 2007 in microsoft.public.windows.terminal_services:
>>
>> > thanks for replying. What we'd like to do is setup only
>> > Local Users (no AD users) to access this TServer and still
>> > apply desktop restrictions like: 1. limit only a specific
>> > application to launch 2. remove and disable key desktop
>> > icons like Network Places, My Computer, Internet Explorer
>> > 3. Disable the RUN command
>> > 4. Disable the wallpaper and Desktop properties from being
>> > customized 5. Not making security tab available to the users
>> > 6. Only showing and allowing Logoff....no shutdown
>> > 7. Prevent access to the command prompt
>> > 8. Prevent users from accessing Registry tools to edit the
>> > Registry
>> >
>> > I have GPMC and the server is Windows 2003 standard. I am
>> > advised that GPMC will not allow us to configure these
>> > restrictions for the User so what other options do I have?
>> >
>> > Thanks in advance
>> >
>> >
>> > "Lanwench [MVP - Exchange]" wrote:
>> >
>> >> Pearl <Pearl@discussions.microsoft.com> wrote:
>> >> > is there a way to lockdown a Terminal Server session
>> >> > desktop without using Group Policy?
>> >>
>> >> Sure, many ways. For example, if you're using a standalone
>> >> or member server you can do a lot of things with *local*
>> >> policies. But you may wish to be more specific about what
>> >> exactly you're trying to do, and why you're trying to do it
>> >> without group policy if you have it as an option....
 
Re: lockdown desktop without Group Policy

Pearl <Pearl@discussions.microsoft.com> wrote:
> forgot to mention. The SERVER is also not in AD. It is a standalone
> Server in our DMZ. I'm assured by our security team that all the
> necessary setup will be in place to allow outside remote users to
> connect to the server as local users.


If users on this server will be accessing any AD resources at all, putting
this box in a DMZ is beyond foolish.


>
> "Pearl" wrote:
>
>> thanks for replying. What we'd like to do is setup only Local
>> Users (no AD users) to access this TServer and still apply desktop
>> restrictions like:
>> 1. limit only a specific application to launch
>> 2. remove and disable key desktop icons like Network Places, My
>> Computer, Internet Explorer
>> 3. Disable the RUN command
>> 4. Disable the wallpaper and Desktop properties from being
>> customized
>> 5. Not making security tab available to the users
>> 6. Only showing and allowing Logoff....no shutdown
>> 7. Prevent access to the command prompt
>> 8. Prevent users from accessing Registry tools to edit the Registry
>>
>> I have GPMC and the server is Windows 2003 standard. I am advised
>> that GPMC will not allow us to configure these restrictions for the
>> User so what other options do I have?
>>
>> Thanks in advance
>>
>>
>> "Lanwench [MVP - Exchange]" wrote:
>>
>>> Pearl <Pearl@discussions.microsoft.com> wrote:
>>>> is there a way to lockdown a Terminal Server session desktop
>>>> without using Group Policy?
>>>
>>> Sure, many ways. For example, if you're using a standalone or
>>> member server you can do a lot of things with *local* policies. But
>>> you may wish to be more specific about what exactly you're trying
>>> to do, and why you're trying to do it without group policy if you
>>> have it as an option....
 
Re: lockdown desktop without Group Policy

Dear Vera

I have a similar issue, but on a Server 2003 R2 SP1 box which is a DC, and so
I followed the instructions for GP Editor as suggested by TP. All seemed to
go well until accessing the desktop shortcut created in the last step. A
command prompt appears requesting the gpedit password. When I attempt to type
it in, nothing appears, but the command line disappears, launching Group Policy
Editor saying access denied.

Something obviously went wrong, which could stem back to editing the
security settings for gpt.ini, which suggested changes couldn't be made as it
was read only, but it appeared to make changes all the same as all existing
security groups were removed from the list.

I can now no longer edit group policy.

Any help?

Many thanks.

Tony
--
Always hands on and keen to learn.


"Vera Noest [MVP]" wrote:

> That's one of the disadvantages of local policies, they don't allow
> security filtering.
> TP posted a way around this a while ago:
>
> From: "TP" <tperson.knowspamn@mailandnews.com>
> Subject: Re: local policy and terminal server
> Date: Wed, 8 Nov 2006 16:59:42 -0500
> Newsgroups: microsoft.public.windows.terminal_services
>
> Here are the instructions for a standalone 2003 server, which can
> be summarised with:
> 1. create a group and user (steps 1 - 4)
> 2. set permissions and ownership on three folders and a file (
> steps 5 - 23)
> 3. create a shortcut (steps 24 - 27)
>
> INITIAL SETUP
>
> This should be done before attempting any changes to
> Group Policy settings.
>
> 1. Logon as an administrator
> 2. Open up Computer Management from Administrative Tools
> 3. Create a new local group named "GP Editors"
> 4. Create a new local user named "gpedit". Assign this user
> a password, and check "password never expires". Make
> this user a member of the GP Editors group.
> 5. Open up windows explorer and browse to the following
> folder (make sure that view hidden files is enabled):
> C:\WINDOWS\system32\GroupPolicy
> 6. Right-click on the GroupPolicy folder and Properties - Security
> - Advanced
> 7. Click the Add button, enter GP Editors in the Select User or
> Group dialog, and click OK
> 8. Check Full Control under the Allow column, and click OK
> 9. Check "Replace permission entries on all child objects with
> entries shown here that apply to child objects"
> 10. Click the Apply button and confirm Yes twice.
> 11. On the Owner tab, click the Other Users and Groups button,
> enter GP Editors, and click OK.
> 12. Check "Replace owner on subcontainers and objects"
> 13. Make sure GP Editors is selected in the Change Owner to list.
> 14. Click the OK button to change the owner, click OK to close
> the GroupPolicy Properties
> 15. Within the GroupPolicy folder, right-click on the Machine
> folder, and choose Properties - Security
> 16. On the Security tab, select Administrators on the top, and
> check Full Control under the Deny column
> 17. Click OK to save the Deny permission you just made, confirm
> by answering Yes twice
> 18. Within the GroupPolicy folder, right-click on the User folder,
> and choose Properties
> 19. On the Security tab, select Administrators on the top, and
> check Full Control under the Deny column
> 20. Click OK to save the Deny permission you just made, confirm
> by answering Yes twice
> 21. Within the GroupPolicy folder, right-click on the gpt.ini file,
> and choose Properties
> 22. On the Security tab, select Administrators on the top, and
> check Full Control under the Deny column
> 23. Click OK to save the Deny permission you just made, confirm
> by answering Yes twice
> 24. Right-click on the desktop and choose New-->Shortcut
> 25. Enter the following in the location box:
> runas /user:gpedit "%windir%\system32\mmc gpedit.msc"
> 26. Click Next, and enter "Edit Group Policy" for the name
> 27. Click Finish
>
> MODIFYING GROUP POLICY SETTINGS
>
> 1. Logon using the account you used for the intitial setup
> 2. Double-click on the Edit Group Policy shortcut
> 3. Enter the password for the gpedit account
> 4. Edit the policies as needed
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> =?Utf-8?B?UGVhcmw=?= <Pearl@discussions.microsoft.com> wrote on 07
> sep 2007 in microsoft.public.windows.terminal_services:
>
> > Vera
> > That seems to work fine but it also restricted the
> > administrator. How can I get back into the server as the
> > administrator and apply the policy to all users EXCEPT the
> > administrator? I now don't have run nor any of the items I
> > activated...which is good for the users but not for the
> > administrator.
> >
> > "Vera Noest [MVP]" wrote:
> >
> >> Use gpedit.msc
> >> _________________________________________________________
> >> Vera Noest
> >> MCSE, CCEA, Microsoft MVP - Terminal Server
> >> TS troubleshooting: http://ts.veranoest.net
> >> ___ please respond in newsgroup, NOT by private email ___
> >>
> >> =?Utf-8?B?UGVhcmw=?= <Pearl@discussions.microsoft.com> wrote on
> >> 07 sep 2007 in microsoft.public.windows.terminal_services:
> >>
> >> > thanks for replying. What we'd like to do is setup only
> >> > Local Users (no AD users) to access this TServer and still
> >> > apply desktop restrictions like: 1. limit only a specific
> >> > application to launch 2. remove and disable key desktop
> >> > icons like Network Places, My Computer, Internet Explorer
> >> > 3. Disable the RUN command
> >> > 4. Disable the wallpaper and Desktop properties from being
> >> > customized 5. Not making security tab available to the users
> >> > 6. Only showing and allowing Logoff....no shutdown
> >> > 7. Prevent access to the command prompt
> >> > 8. Prevent users from accessing Registry tools to edit the
> >> > Registry
> >> >
> >> > I have GPMC and the server is Windows 2003 standard. I am
> >> > advised that GPMC will not allow us to configure these
> >> > restrictions for the User so what other options do I have?
> >> >
> >> > Thanks in advance
> >> >
> >> >
> >> > "Lanwench [MVP - Exchange]" wrote:
> >> >
> >> >> Pearl <Pearl@discussions.microsoft.com> wrote:
> >> >> > is there a way to lockdown a Terminal Server session
> >> >> > desktop without using Group Policy?
> >> >>
> >> >> Sure, many ways. For example, if you're using a standalone
> >> >> or member server you can do a lot of things with *local*
> >> >> policies. But you may wish to be more specific about what
> >> >> exactly you're trying to do, and why you're trying to do it
> >> >> without group policy if you have it as an option....

 
Re: lockdown desktop without Group Policy

First of all: a DC is *not* a standalone server!
A standalone server (i.e. a server in a workgroup) is only
subject to its local policy, nothing else. A DC is subject to
Group Policies in the domain.

Can you check who is the current owner of gpt.ini? Right-click
gpt.ini - Properties - Security - Advanced - Owner.
And what exactly is listed in the Security tab? Any accounts at all
there? With which permissions?
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Tonky <Tonky@discussions.microsoft.com> wrote on 26
Oct 2007 in microsoft.public.windows.terminal_services:

> Dear Vera
>
> I have a similar issue, but on a Server 2003 R2 SP1 box which is
> a DC and so I followed the instructions for GP Editor as
> suggested by TP. All seemed to go well until accessing the
> desktop shortcut created in the last step. A Command prompt
> appears requesting the gpedit password. When I attempt to type
> it in, nothing appears but the Command Line disappears launching
> Group Policy Editor saying access denied.
>
> Something obviously went wrong, which could stem back to editing
> the security settings for gpt.ini, which suggested changes
> couldn't be made as it was read only, but it appeared to make
> changes all the same as all existing security groups were
> removed from the list.
>
> I can now no longer edit group policy.
>
> Any help?
>
> Many thanks.
>
> Tony
 
Re: lockdown desktop without Group Policy

Hi Tony,

The instructions are *not* meant for use on a DC.

Please reset the permissions on the GroupPolicy folder to
default using the following instructions:

1. Log on to the DC as an administrator

2. Open up Windows Explorer and browse to the following
folder (make sure that view hidden files is enabled):

C:\WINDOWS\system32\GroupPolicy

3. Right-click on the GroupPolicy folder and choose Properties
- Security tab - Advanced button - Owner tab

4. Select Administrators for the owner and check "Replace
owner on subcontainers and objects", click OK and Yes

5. Close the GroupPolicy folder Properties window

6. Right-click on the GroupPolicy folder and choose Properties
- Security tab - Advanced button - Permissions tab

7. Use the Add & Remove buttons as needed until you have
*only* the following Permissions entries in the list:

Allow Authenticated Users Read & Execute <not inherited> This folder, subfolders and files
Allow Server Operators Read & Execute <not inherited> This folder, subfolders and files
Allow Administrators Full Control <not inherited> This folder, subfolders and files
Allow CREATOR OWNER Full Control <not inherited> Subfolders and files only
Allow SYSTEM Full Control <not inherited> This folder, subfolders and files

Note: Read & Execute consists of the following individual
permissions, check all of them when adding the entry:

Traverse Folder / Execute File
List Folder / Read Data
Read Attributes
Read Extended Attributes
Read Permissions

8. Check "Replace permission entries on all child objects with
entries shown here that apply to child objects"

9. Click OK and then Yes to confirm

Thanks.

-TP

Tonky wrote:
> Dear Vera
>
> I have a similar issue, but on a Server 2003 R2 SP1 box which is a DC
> and so I followed the instructions for GP Editor as suggested by TP.
> All seemed to go well until accessing the desktop shortcut created in
> the last step. A Command prompt appears requesting the gpedit
> password. When I attempt to type it in, nothing appears but the
> Command Line disappears launching Group Policy Editor saying access
> denied.
>
> Something obviously went wrong, which could stem back to editing the
> security settings for gpt.ini, which suggested changes couldn't be
> made as it was read only, but it appeared to make changes all the
> same as all existing security groups were removed from the list.
>
> I can now no longer edit group policy.
>
> Any help?
>
> Many thanks.
>
> Tony
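TP's repair procedure above, scripted as an added example that is not part of the thread: it audits the GroupPolicy folder's owner and ACL against the owner in step 4 and the five entries in step 7, and Reset-GroupPolicyAcl re-applies steps 4, 7 and 8. It assumes PowerShell is available on the server and is run from an elevated prompt; the function names Test-GroupPolicyAcl and Reset-GroupPolicyAcl are my own.

```powershell
# Added example, not from the thread: audit the GroupPolicy folder ACL against TP's steps 4 and 7, and reset it (steps 4, 7, 8).
# Assumes PowerShell on the server and an elevated prompt; the two function names are my own.
$Path = Join-Path $env:windir 'system32\GroupPolicy'
$RX   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$FC   = [System.Security.AccessControl.FileSystemRights]::FullControl
$Both = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$This = [System.Security.AccessControl.PropagationFlags]::None         # "This folder, subfolders and files"
$Sub  = [System.Security.AccessControl.PropagationFlags]::InheritOnly  # "Subfolders and files only"
# The five entries of step 7, with the account names as Get-Acl reports them.
$Expected = @(
    @{ Id = 'NT AUTHORITY\Authenticated Users'; Rights = $RX; Prop = $This },
    @{ Id = 'BUILTIN\Server Operators';         Rights = $RX; Prop = $This },
    @{ Id = 'BUILTIN\Administrators';           Rights = $FC; Prop = $This },
    @{ Id = 'CREATOR OWNER';                    Rights = $FC; Prop = $Sub  },
    @{ Id = 'NT AUTHORITY\SYSTEM';              Rights = $FC; Prop = $This }
)
function Test-GroupPolicyAcl {
    # Returns one line per deviation; no output means owner and entries match the list.
    $acl = Get-Acl -Path $Path; $out = @()
    $mask = -bnot [int]([System.Security.AccessControl.FileSystemRights]::Synchronize)  # Get-Acl adds Synchronize
    if ($acl.Owner -ne 'BUILTIN\Administrators') { $out += "owner is '$($acl.Owner)', expected BUILTIN\Administrators" }
    foreach ($e in $Expected) {
        $hit = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $e.Id -and $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited -and
            $_.InheritanceFlags -eq $Both -and $_.PropagationFlags -eq $e.Prop -and
            (([int]$_.FileSystemRights -band $mask) -eq ([int]$e.Rights -band $mask))
        }
        if (-not $hit) { $out += "missing or wrong entry for $($e.Id)" }
    }
    foreach ($ace in $acl.Access) {
        if (($Expected | ForEach-Object { $_.Id }) -notcontains $ace.IdentityReference.Value) { $out += "unexpected entry for $($ace.IdentityReference.Value)" }
    }
    return $out
}
function Reset-GroupPolicyAcl {
    $acl = Get-Acl -Path $Path
    $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')   # step 4
    $acl.SetAccessRuleProtection($true, $false)                                      # keep the entries non-inherited
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }          # drop whatever is there now
    foreach ($e in $Expected) {                                                       # step 7
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($e.Id, $e.Rights, $Both, $e.Prop, 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
    Get-ChildItem -Path $Path -Recurse -Force | ForEach-Object {                     # step 8: children inherit again
        $c = Get-Acl -Path $_.FullName
        $c.SetAccessRuleProtection($false, $false)
        foreach ($ace in @($c.Access | Where-Object { -not $_.IsInherited })) { [void]$c.RemoveAccessRule($ace) }
        Set-Acl -Path $_.FullName -AclObject $c
    }
}
Test-GroupPolicyAcl
```

Run the audit first; call Reset-GroupPolicyAcl only when it reports deviations, then run Test-GroupPolicyAcl again and expect no output.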
 
Re: lockdown desktop without Group Policy

Thanks for the reply Vera. Made a bit of a mess there!

The Owner is: Unable to display current owner.
In the Change Owner to: Administrator is listed

There are no Users or Groups listed under the Security tab.

BTW: the procedure did succeed in locking down the Shut Down button for all
standard Remote Desktop User accounts as hoped, only I can now no longer
effect any other changes. I will revert changes as suggested by TP in the
next thread, but I still need to figure out how to lock it down, including
certain Apps, Server browsing, web browsing, etc.

Further help is appreciated.

Kind regards

Tony
--
Always hands on and keen to learn.


"Vera Noest [MVP]" wrote:

> First of all: a DC is *not* a standalone server!
> A standalone server (i.e. a server in a workgroup) is only
> subjected to its local policy, nothing else. A DC is subject to
> Group Policies in the domain.
>
> Can you check who is the current owner of gpt.ini? Right-click
> gpt.ini - properties - security - advanced - owner.
> And what exactly is listed in the security tab? Any accounts at all
> there? With which permissions?
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> Tonky <Tonky@discussions.microsoft.com> wrote on 26
> Oct 2007 in microsoft.public.windows.terminal_services:
>
> > Dear Vera
> >
> > I have a similar issue, but on a Server 2003 R2 SP1 box which is
> > a DC and so I followed the instructions for GP Editor as
> > suggested by TP. All seemed to go well until accessing the
> > desktop shortcut created in the last step. A Command prompt
> > appears requesting the gpedit password. When I attempt to type
> > it in, nothing appears but the Command Line disappears launching
> > Group Policy Editor saying access denied.
> >
> > Something obviously went wrong, which could stem back to editing
> > the security settings for gpt.ini, which suggested changes
> > couldn't be made as it was read only, but it appeared to make
> > changes all the same as all existing security groups were
> > removed from the list.
> >
> > I can now no longer edit group policy.
> >
> > Any help?
> >
> > Many thanks.
> >
> > Tony

 
Re: lockdown desktop without Group Policy

Dear TP

I kind of moosed that up a bit so thanks for the "Get out of jail card".
Once I revert the settings, I will still need to lock the Server down in
terms of what the TS users are able to access. Some will be running different
apps from each other but none will be permitted to gain access to the file
structure on the Server.

I would appreciate further help bearing in mind it is a DC.

Many thanks

Tony
--
Always hands on and keen to learn.


"TP" wrote:

> Hi Tony,
>
> The instructions are *not* meant for use on a DC.
>
> Please reset the permissions on the GroupPolicy folder to
> default using the following instructions:
>
> 1. Logon to the DC as an administrator
>
> 2. Open up windows explorer and browse to the following
> folder (make sure that view hidden files is enabled):
>
> C:\WINDOWS\system32\GroupPolicy
>
> 3. Right-click on the GroupPolicy folder and choose Properties
> - Security tab - Advanced button - Owner tab
>
> 4. Select Administrators for the owner and check "Replace
> owner on subcontainers and objects", click OK and Yes
>
> 5. Close the GroupPolicy folder Properties window
>
> 6. Right-click on the GroupPolicy folder and choose Properties
> - Security tab - Advanced button - Permissions tab
>
> 7. Use the Add & Remove buttons as needed until you have
> *only* the following Permissions entries in the list:
>
> Allow Authenticated Users Read & Execute <not inherited> This folder, subfolders and files
> Allow Server Operators Read & Execute <not inherited> This folder, subfolders and files
> Allow Administrators Full Control <not inherited> This folder, subfolders and files
> Allow CREATOR OWNER Full Control <not inherited> Subfolders and files only
> Allow SYSTEM Full Control <not inherited> This folder, subfolders and files
>
> Note: Read & Execute consists of the following individual
> permissions, check all of them when adding the entry:
>
> Traverse Folder / Execute File
> List Folder / Read Data
> Read Attributes
> Read Extended Attributes
> Read Permissions
>
> 8. Check "Replace permission entries on all child objects with
> entries shown here that apply to child objects"
>
> 9. Click OK and then Yes to confirm
>
> Thanks.
>
> -TP
>
> Tonky wrote:
> > Dear Vera
> >
> > I have a similar issue, but on a Server 2003 R2 SP1 box which is a DC
> > and so I followed the instructions for GP Editor as suggested by TP.
> > All seemed to go well until accessing the desktop shortcut created in
> > the last step. A Command prompt appears requesting the gpedit
> > password. When I attempt to type it in, nothing appears but the
> > Command Line disappears launching Group Policy Editor saying access
> > denied.
> >
> > Something obviously went wrong, which could stem back to editing the
> > security settings for gpt.ini, which suggested changes couldn't be
> > made as it was read only, but it appeared to make changes all the
> > same as all existing security groups were removed from the list.
> >
> > I can now no longer edit group policy.
> >
> > Any help?
> >
> > Many thanks.
> >
> > Tony

 
Re: lockdown desktop without Group Policy

I may have done more damage than at first thought!

I followed TP's repair procedure to revert settings, and have just tried to
edit Group Policy with the admin account, but all options are greyed out.

Please help. We have just added a new user to the Domain and although that
went okay, they cannot access file shares. I went to look at gpedit.msc and
noticed the greyed out problem.

Please help.

Thanks
--
Always hands on and keen to learn.


"Tonky" wrote:

> Dear TP
>
> I kind of moosed that up a bit so thanks for the "Get out of jail card".
> Once I revert the settings, I will still need to lock the Server down in
> terms of what the TS users are able to access. Some will be running different
> apps from each other but none will be permitted to gain access to the file
> structure on the Server.
>
> I would appreciate further help bearing in mind it is a DC.
>
> Many thanks
>
> Tony
> --
> Always hands on and keen to learn.
>
>
> "TP" wrote:
>
> > Hi Tony,
> >
> > The instructions are *not* meant for use on a DC.
> >
> > Please reset the permissions on the GroupPolicy folder to
> > default using the following instructions:
> >
> > 1. Logon to the DC as an administrator
> >
> > 2. Open up windows explorer and browse to the following
> > folder (make sure that view hidden files is enabled):
> >
> > C:\WINDOWS\system32\GroupPolicy
> >
> > 3. Right-click on the GroupPolicy folder and choose Properties
> > - Security tab - Advanced button - Owner tab
> >
> > 4. Select Administrators for the owner and check "Replace
> > owner on subcontainers and objects", click OK and Yes
> >
> > 5. Close the GroupPolicy folder Properties window
> >
> > 6. Right-click on the GroupPolicy folder and choose Properties
> > - Security tab - Advanced button - Permissions tab
> >
> > 7. Use the Add & Remove buttons as needed until you have
> > *only* the following Permissions entries in the list:
> >
> > Allow Authenticated Users Read & Execute <not inherited> This folder, subfolders and files
> > Allow Server Operators Read & Execute <not inherited> This folder, subfolders and files
> > Allow Administrators Full Control <not inherited> This folder, subfolders and files
> > Allow CREATOR OWNER Full Control <not inherited> Subfolders and files only
> > Allow SYSTEM Full Control <not inherited> This folder, subfolders and files
> >
> > Note: Read & Execute consists of the following individual
> > permissions, check all of them when adding the entry:
> >
> > Traverse Folder / Execute File
> > List Folder / Read Data
> > Read Attributes
> > Read Extended Attributes
> > Read Permissions
> >
> > 8. Check "Replace permission entries on all child objects with
> > entries shown here that apply to child objects"
> >
> > 9. Click OK and then Yes to confirm
> >
> > Thanks.
> >
> > -TP
> >
> > Tonky wrote:
> > > Dear Vera
> > >
> > > I have a similar issue, but on a Server 2003 R2 SP1 box which is a DC
> > > and so I followed the instructions for GP Editor as suggested by TP.
> > > All seemed to go well until accessing the desktop shortcut created in
> > > the last step. A Command prompt appears requesting the gpedit
> > > password. When I attempt to type it in, nothing appears but the
> > > Command Line disappears launching Group Policy Editor saying access
> > > denied.
> > >
> > > Something obviously went wrong, which could stem back to editing the
> > > security settings for gpt.ini, which suggested changes couldn't be
> > > made as it was read only, but it appeared to make changes all the
> > > same as all existing security groups were removed from the list.
> > >
> > > I can now no longer edit group policy.
> > >
> > > Any help?
> > >
> > > Many thanks.
> > >
> > > Tony

 
Re: lockdown desktop without Group Policy

I think that your best option at this point is to call Microsoft
Support. Since it's not clear what went wrong, it's nearly
impossible to fix it with advice from a newsgroup, and you'll only
risk making the damage even bigger.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

Tonky <Tonky@discussions.microsoft.com> wrote on 17
Dec 2007:

> I may have done more damage than at first thought!
>
> I followed TP's repair procedure to revert settings, and have
> just tried to edit Group Policy with the admin account, but all
> options are greyed out.
>
> Please help. We have just added a new user to the Domain and
> although that went okay, they cannot access file shares. I went
> to look at gpedit.msc and noticed the greyed out problem.
>
> Please help.
>
> Thanks
 