lockdown desktop without Group Policy


Posted

Is there a way to lock down a Terminal Server session desktop without using Group Policy?

Guest Vera Noest [MVP]
Posted

Re: lockdown desktop without Group Policy

You can use the local policy on the server, as well as NTFS permissions on the file system.

Folder redirection is not possible, though.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

Pearl <Pearl@discussions.microsoft.com> wrote on 07 sep 2007 in microsoft.public.windows.terminal_services:

> is there a way to lockdown a Terminal Server session desktop without using Group Policy?

Posted

Thanks Vera.

I looked at the local policy on the server and it does not appear to have the ability to do such things as remove icons or deactivate them from the TS user, or only execute a single application from the TS session. Am I correct?

Guest Vera Noest [MVP]
Posted

Which icons? You can manually remove all shortcuts which are not wanted from the Default User profile and Start menu. You can not redirect the desktop to a custom desktop, because Folder redirection is not supported with a local policy.

You should be able to define a starting application, but you can also do that in the Terminal Services Configuration tool.

Posted

Actually, our security group is directing this requirement for us. They not only want the icon removed but deactivated so that the user can not launch it at all. The icons that they are concerned about are: Network Places, My Computer, Internet Explorer, RUN... just about anything that will allow the user to customize the desktop and anything that is connected to or can be connected to the network. They would like to lock the desktop down to just the ability to launch a single application and have that icon on the desktop ALONE... no wallpaper, also. Strong paranoia.

Guest Lanwench [MVP - Exchange]
Posted

Pearl <Pearl@discussions.microsoft.com> wrote:

> is there a way to lockdown a Terminal Server session desktop without using Group Policy?

Sure, many ways. For example, if you're using a standalone or member server you can do a lot of things with *local* policies. But you may wish to be more specific about what exactly you're trying to do, and why you're trying to do it without group policy if you have it as an option....

Posted

Thanks for replying. What we'd like to do is set up only Local Users (no AD users) to access this TServer and still apply desktop restrictions like:

1. limit only a specific application to launch
2. remove and disable key desktop icons like Network Places, My Computer, Internet Explorer
3. Disable the RUN command
4. Disable the wallpaper and Desktop properties from being customized
5. Not making the security tab available to the users
6. Only showing and allowing Logoff.... no shutdown
7. Prevent access to the command prompt
8. Prevent users from accessing Registry tools to edit the Registry

I have GPMC and the server is Windows 2003 standard. I am advised that GPMC will not allow us to configure these restrictions for the User, so what other options do I have?

Thanks in advance
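The eight restrictions in the list above each correspond to a User Configuration policy setting, and every one of those settings is nothing more than a DWORD under the user's Policies keys; Explorer and the shell read those keys no matter who wrote them. The following is an added example, written for this page and not code from anyone in the thread, that writes the same values straight into a user hive instead of through the local GPO, so that the administrator's own profile is left alone. Assumptions: PowerShell 5.1 in an elevated session; `app.exe` is a placeholder for the one permitted application; the Default User hive path is the modern `C:\Users\Default\NTUSER.DAT` (on Windows Server 2003 it is `%SystemDrive%\Documents and Settings\Default User\NTUSER.DAT`); the function names are mine.

```powershell
# Added example, not from the thread: Pearl's eight restrictions as the registry
# values the corresponding local-policy settings write, applied to a user hive.
# Assumed: PowerShell 5.1, elevated session, 'app.exe' is a placeholder, and the
# Default User hive lives at the modern path (adjust for Server 2003).

function Set-LockedDownShell {
    param(
        [Parameter(Mandatory)][string]$HiveRoot,     # e.g. 'Registry::HKEY_USERS\DefUser' or 'HKCU:'
        [Parameter(Mandatory)][string[]]$AllowedExe  # executable names the user may launch
    )
    $pol = "$HiveRoot\Software\Microsoft\Windows\CurrentVersion\Policies"
    $values = @{
        "$pol\Explorer" = @{
            RestrictRun    = 1   # 1. run only the executables listed in the RestrictRun subkey
            NoNetHood      = 1   # 2. hide My Network Places
            NoInternetIcon = 1   # 2. remove the Internet Explorer desktop icon
            NoRun          = 1   # 3. remove Run from the Start menu
            NoSecurityTab  = 1   # 5. remove the Security tab from Properties dialogs
            NoClose        = 1   # 6. remove Shut Down; Log Off stays available
        }
        "$pol\NonEnum" = @{      # 2. "Remove My Computer icon on the desktop" is keyed by its CLSID
            '{20D04FE0-3AEA-1069-A2D8-08002B30309D}' = 1
        }
        "$pol\System" = @{
            NoDispCPL            = 1   # 4. remove Display from Control Panel
            NoDispBackgroundPage = 1   # 4. hide the Desktop (wallpaper) tab
            DisableRegistryTools = 1   # 8. block regedit / regedt32
        }
        "$pol\ActiveDesktop" = @{
            NoChangingWallPaper = 1    # 4. lock the wallpaper
        }
        "$HiveRoot\Software\Policies\Microsoft\Windows\System" = @{
            DisableCMD = 2             # 7. 2 = no interactive cmd.exe, batch files still run; 1 blocks both
        }
    }
    foreach ($key in $values.Keys) {
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $values[$key].Keys) {
            New-ItemProperty -LiteralPath $key -Name $name -Value $values[$key][$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
    # RestrictRun's allow-list is a subkey holding string values named 1, 2, 3, ...
    $list = "$pol\Explorer\RestrictRun"
    if (-not (Test-Path -LiteralPath $list)) { New-Item -Path $list | Out-Null }
    for ($i = 0; $i -lt $AllowedExe.Count; $i++) {
        New-ItemProperty -LiteralPath $list -Name ($i + 1) -Value $AllowedExe[$i] `
            -PropertyType String -Force | Out-Null
    }
}

function Set-DefaultUserLockdown {
    # Profiles created after this inherit the lockdown; existing profiles (including
    # the administrator's) are untouched. Load another user's NTUSER.DAT the same way
    # while that user is logged off to retrofit an existing account.
    param([string[]]$AllowedExe = @('app.exe'))   # placeholder application name
    $hive = Join-Path $env:SystemDrive 'Users\Default\NTUSER.DAT'
    reg.exe load 'HKU\DefUser' $hive | Out-Null
    try {
        Set-LockedDownShell -HiveRoot 'Registry::HKEY_USERS\DefUser' -AllowedExe $AllowedExe
    } finally {
        # The registry provider keeps key handles open; release them or the unload fails.
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        reg.exe unload 'HKU\DefUser' | Out-Null
    }
}

function Test-LockedDownShell([string]$HiveRoot) {
    # Spot check that a hive carries the lockdown: Run gone, cmd.exe blocked, allow-list present.
    $pol  = "$HiveRoot\Software\Microsoft\Windows\CurrentVersion\Policies"
    $exp  = Get-ItemProperty -LiteralPath "$pol\Explorer" -ErrorAction SilentlyContinue
    $cmd  = Get-ItemProperty -LiteralPath "$HiveRoot\Software\Policies\Microsoft\Windows\System" -ErrorAction SilentlyContinue
    $list = Get-Item -LiteralPath "$pol\Explorer\RestrictRun" -ErrorAction SilentlyContinue
    [bool]($exp.NoRun -eq 1 -and $exp.RestrictRun -eq 1 -and $cmd.DisableCMD -ge 1 -and $list -and $list.ValueCount -gt 0)
}

# Usage: Set-DefaultUserLockdown -AllowedExe 'app.exe'
# then log on as a freshly created local user and run: Test-LockedDownShell 'HKCU:'
```

Two caveats a practitioner would want. RestrictRun only constrains what Explorer launches: the permitted application can still spawn other programs, so on Windows 2003 it belongs alongside Software Restriction Policies (or the Terminal Services Configuration "starting program" that Vera mentions, which replaces the shell entirely). And the "Hide and disable all items on the desktop" setting (NoDesktop) is deliberately left out, because it would also hide the single icon the security group wants to keep.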

Guest Vera Noest [MVP]
Posted

You should be able to do most of that with a local policy. Run gpedit.msc to edit the local policy.

Guest Vera Noest [MVP]
Posted

Use gpedit.msc

Posted

Forgot to mention: the SERVER is also not in AD. It is a standalone Server in our DMZ. I'm assured by our security team that all the necessary setup will be in place to allow outside remote users to connect to the server as local users.

Posted

Vera,

That seems to work fine, but it also restricted the administrator. How can I get back into the server as the administrator and apply the policy to all users EXCEPT the administrator? I now don't have Run nor any of the items I activated... which is good for the users but not for the administrator.

Guest Vera Noest [MVP]
Posted

That's one of the disadvantages of local policies: they don't allow security filtering.

TP posted a way around this a while ago:

From: "TP" <tperson.knowspamn@mailandnews.com>
Subject: Re: local policy and terminal server
Date: Wed, 8 Nov 2006 16:59:42 -0500
Newsgroups: microsoft.public.windows.terminal_services

Here are the instructions for a standalone 2003 server, which can be summarised as:

1. create a group and user (steps 1 - 4)
2. set permissions and ownership on three folders and a file (steps 5 - 23)
3. create a shortcut (steps 24 - 27)

INITIAL SETUP

This should be done before attempting any changes to Group Policy settings.

1. Log on as an administrator
2. Open up Computer Management from Administrative Tools
3. Create a new local group named "GP Editors"
4. Create a new local user named "gpedit". Assign this user a password, and check "password never expires". Make this user a member of the GP Editors group.
5. Open up Windows Explorer and browse to the following folder (make sure that view hidden files is enabled):
   C:\WINDOWS\system32\GroupPolicy
6. Right-click on the GroupPolicy folder and Properties - Security - Advanced
7. Click the Add button, enter GP Editors in the Select User or Group dialog, and click OK
8. Check Full Control under the Allow column, and click OK
9. Check "Replace permission entries on all child objects with entries shown here that apply to child objects"
10. Click the Apply button and confirm Yes twice.
11. On the Owner tab, click the Other Users and Groups button, enter GP Editors, and click OK.
12. Check "Replace owner on subcontainers and objects"
13. Make sure GP Editors is selected in the Change Owner to list.
14. Click the OK button to change the owner, click OK to close the GroupPolicy Properties
15. Within the GroupPolicy folder, right-click on the Machine folder, and choose Properties - Security
16. On the Security tab, select Administrators on the top, and check Full Control under the Deny column
17. Click OK to save the Deny permission you just made, confirm by answering Yes twice
18. Within the GroupPolicy folder, right-click on the User folder, and choose Properties
19. On the Security tab, select Administrators on the top, and check Full Control under the Deny column
20. Click OK to save the Deny permission you just made, confirm by answering Yes twice
21. Within the GroupPolicy folder, right-click on the gpt.ini file, and choose Properties
22. On the Security tab, select Administrators on the top, and check Full Control under the Deny column
23. Click OK to save the Deny permission you just made, confirm by answering Yes twice
24. Right-click on the desktop and choose New-->Shortcut
25. Enter the following in the location box:
   runas /user:gpedit "%windir%\system32\mmc gpedit.msc"
26. Click Next, and enter "Edit Group Policy" for the name
27. Click Finish

MODIFYING GROUP POLICY SETTINGS

1. Log on using the account you used for the initial setup
2. Double-click on the Edit Group Policy shortcut
3. Enter the password for the gpedit account
4. Edit the policies as needed
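TP's 27 steps above, scripted. This is an added example written for this page, not TP's or Vera's code: the group, account and folder names come from the post, while the function names, the check and the undo are additions. It assumes a standalone (workgroup) server with PowerShell 5.1 and its LocalAccounts module, icacls.exe and takeown.exe on the box, and an elevated session of a member of Administrators; the original was clicked through Computer Management and Explorer on Windows Server 2003. It must not be run on a domain controller, for the reasons that come up later in the thread.

```powershell
# Added example (not TP's or Vera's own code): TP's "GP Editors" workaround as a
# script for a standalone server, plus a check and an undo.
# Assumed: PowerShell 5.1 with the LocalAccounts module, icacls.exe, takeown.exe,
# elevated session of an Administrators member. Never run this on a DC.

$GroupName = 'GP Editors'
$UserName  = 'gpedit'
$GpRoot    = Join-Path $env:windir 'system32\GroupPolicy'
$Targets   = @("$GpRoot\Machine", "$GpRoot\User", "$GpRoot\gpt.ini")

function Install-GpEditorsLockout {
    # Steps 1-4: a local group and a non-administrator account that will own the policy.
    $pw = Read-Host -AsSecureString "Password for local account '$UserName'"
    if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $GroupName -Description 'May edit the local GPO' | Out-Null
    }
    if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $UserName -Password $pw -PasswordNeverExpires | Out-Null
    }
    Add-LocalGroupMember -Group $GroupName -Member $UserName -ErrorAction SilentlyContinue

    # Steps 5-14: GP Editors gets an inheritable Full Control entry, pushed down to
    # every existing child (/T), and ownership of the whole tree.
    icacls $GpRoot /grant "${GroupName}:(OI)(CI)F" /T /C | Out-Null
    icacls $GpRoot /setowner $GroupName /T /C | Out-Null

    # Steps 15-23: explicit Deny for Administrators on Machine, User and gpt.ini.
    # The policy engine reads the local GPO on behalf of the logging-on user; a member
    # of Administrators now fails that read, so the user policy is not applied to
    # them. That is the security filtering a local GPO otherwise lacks.
    foreach ($t in $Targets) {
        $spec = if (Test-Path -LiteralPath $t -PathType Container) { 'Administrators:(OI)(CI)F' }
                else { 'Administrators:F' }
        icacls $t /deny $spec | Out-Null
    }

    # Steps 24-27: desktop shortcut that opens gpedit.msc as the editor account.
    $desktop = [Environment]::GetFolderPath('Desktop')
    $lnk = (New-Object -ComObject WScript.Shell).CreateShortcut("$desktop\Edit Group Policy.lnk")
    $lnk.TargetPath = "$env:windir\system32\runas.exe"
    $lnk.Arguments  = "/user:$UserName `"$env:windir\system32\mmc.exe gpedit.msc`""
    $lnk.Save()
}

function Test-GpEditorsLockout {
    # From the Administrators session the deny must bite: reading gpt.ini has to fail
    # with access denied. The same read through the runas shortcut's account succeeds.
    try {
        [void](Get-Content -LiteralPath "$GpRoot\gpt.ini" -ErrorAction Stop)
        return $false
    } catch {
        return ($_.Exception -is [System.UnauthorizedAccessException])
    }
}

function Remove-GpEditorsLockout {
    # Administrators keep SeTakeOwnershipPrivilege, so the deny is never permanent:
    # take the tree back (/D Y answers the English-locale prompt), then strip the deny
    # entries and the GP Editors grant.
    takeown /F $GpRoot /A /R /D Y | Out-Null
    icacls $GpRoot /remove:d Administrators /T /C | Out-Null
    icacls $GpRoot /remove:g $GroupName /T /C | Out-Null
}

# Usage: Install-GpEditorsLockout; Test-GpEditorsLockout   # expect True from an admin session
```

Two things worth knowing before relying on it. The Deny is not a security boundary against administrators, who can always take ownership back (that is exactly what the undo relies on); it only stops the local policy from being read and therefore applied to them. And on Windows Vista and later the same result is available without any ACL surgery: the local GPO is split into Multiple Local Group Policy Objects, including a built-in "Non-Administrators" object reachable from the Group Policy Object Editor snap-in's Browse dialog.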

Guest Lanwench [MVP - Exchange]
Posted

Pearl <Pearl@discussions.microsoft.com> wrote:

> forgot to mention. The SERVER is also not in AD. It is a standalone Server in our DMZ. I'm assured by our security team that all the necessary setup will be in place to allow outside remote users to connect to the server as local users.

If users on this server will be accessing any AD resources at all, putting this box in a DMZ is beyond foolish.

Posted

Dear Vera,

I have a similar issue, but on a Server 2003 R2 SP1 box which is a DC, and so I followed the instructions for GP Editor as suggested by TP. All seemed to go well until accessing the desktop shortcut created in the last step. A command prompt appears requesting the gpedit password. When I attempt to type it in, nothing appears, but the command line disappears, launching Group Policy Editor saying access denied.

Something obviously went wrong, which could stem back to editing the security settings for gpt.ini, which suggested changes couldn't be made as it was read only, but it appeared to make changes all the same, as all existing security groups were removed from the list.

I can now no longer edit group policy.

Any help?

Many thanks.

Tony
--
Always hands on and keen to learn.

Guest Vera Noest [MVP]
Posted

First of all: a DC is *not* a standalone server!

A standalone server (i.e. a server in a workgroup) is only subjected to its local policy, nothing else. A DC is subject to Group Policies in the domain.

Can you check who is the current owner of gpt.ini? Right-click gpt.ini - Properties - Security - Advanced - Owner.

And what exactly is listed in the Security tab? Any accounts at all there? With which permissions?

Tonky <Tonky@discussions.microsoft.com> wrote on 26 okt 2007 in microsoft.public.windows.terminal_services:

> I have a similar issue, but on a Server 2003 R2 SP1 box which is a DC and so I followed the instructions for GP Editor as suggested by TP. All seemed to go well until accessing the desktop shortcut created in the last step. A Command prompt appears requesting the gpedit password. When I attempt to type it in, nothing appears but the Command Line disappears launching Group Policy Editor saying access denied.

Posted

Re: lockdown desktop without Group Policy

 

Hi Tony,

 

The instructions are *not* meant for use on a DC.

 

Please reset the permissions on the GroupPolicy folder to

default using the following instructions:

 

1. Log on to the DC as an administrator

 

2. Open up Windows Explorer and browse to the following

folder (make sure that view hidden files is enabled):

 

C:\WINDOWS\system32\GroupPolicy

 

3. Right-click on the GroupPolicy folder and choose Properties

- Security tab - Advanced button - Owner tab

 

4. Select Administrators for the owner and check "Replace

owner on subcontainers and objects", click OK and Yes

 

5. Close the GroupPolicy folder Properties window

 

6. Right-click on the GroupPolicy folder and choose Properties

- Security tab - Advanced button - Permissions tab

 

7. Use the Add & Remove buttons as needed until you have

*only* the following Permissions entries in the list:

 

Allow Authenticated Users Read & Execute <not inherited> This folder, subfolders and files

Allow Server Operators Read & Execute <not inherited> This folder, subfolders and files

Allow Administrators Full Control <not inherited> This folder, subfolders and files

Allow CREATOR OWNER Full Control <not inherited> Subfolders and files only

Allow SYSTEM Full Control <not inherited> This folder, subfolders and files

 

Note: Read & Execute consists of the following individual

permissions, check all of them when adding the entry:

 

Traverse Folder / Execute File

List Folder / Read Data

Read Attributes

Read Extended Attributes

Read Permissions

 

8. Check "Replace permission entries on all child objects with

entries shown here that apply to child objects"

 

9. Click OK and then Yes to confirm

 

Thanks.

 

-TP

 

Tonky wrote:

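The same reset, expressed as an added PowerShell example (not TP's own code and not a Microsoft tool): it applies steps 3 to 9 above, with the five entries from step 7 as a table. Assumed: PowerShell is installed on the server, the shell runs elevated as a member of Administrators, and the function name `Reset-GroupPolicyAcl` and the `-WhatIf` preview are this example's own choices.

```powershell
# Added example, not TP's code: rebuild the ACL on the local GroupPolicy folder
# to exactly the five entries of step 7. Assumes an elevated PowerShell session
# run by a member of Administrators. Run with -WhatIf first to preview.
function Reset-GroupPolicyAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = "$env:SystemRoot\system32\GroupPolicy")

    $RE    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $FC    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $Both  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $None  = [System.Security.AccessControl.PropagationFlags]::None         # this folder, subfolders and files
    $Below = [System.Security.AccessControl.PropagationFlags]::InheritOnly  # subfolders and files only
    $Allow = [System.Security.AccessControl.AccessControlType]::Allow
    $Owner = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'

    # One row per entry in step 7: identity, rights, inheritance, propagation.
    $Entries = @(
        @('NT AUTHORITY\Authenticated Users', $RE, $Both, $None),
        @('BUILTIN\Server Operators',         $RE, $Both, $None),
        @('BUILTIN\Administrators',           $FC, $Both, $None),
        @('CREATOR OWNER',                    $FC, $Both, $Below),
        @('NT AUTHORITY\SYSTEM',              $FC, $Both, $None)
    )

    if (-not $PSCmdlet.ShouldProcess($Path, 'Reset owner and permissions')) { return }

    $acl = Get-Acl -Path $Path
    $acl.SetOwner($Owner)                        # step 4: owner = Administrators
    $acl.SetAccessRuleProtection($true, $false)  # step 7: stop inheriting, drop inherited ACEs
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }  # drop leftovers
    foreach ($e in $Entries) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($e[0], $e[1], $e[2], $e[3], $Allow)))
    }
    Set-Acl -Path $Path -AclObject $acl

    # Steps 4 and 8 for every child: same owner, inherit from the folder, no explicit entries.
    Get-ChildItem -Path $Path -Recurse -Force | ForEach-Object {
        $childPath = $_.FullName
        $child = Get-Acl -Path $childPath
        $child.SetOwner($Owner)
        $child.SetAccessRuleProtection($false, $false)   # re-enable inheritance
        foreach ($rule in @($child.Access | Where-Object { -not $_.IsInherited })) {
            [void]$child.RemoveAccessRule($rule)
        }
        Set-Acl -Path $childPath -AclObject $child
    }
}

Reset-GroupPolicyAcl -WhatIf   # preview only; drop -WhatIf to apply the reset
```

Afterwards, `(Get-Acl "$env:SystemRoot\system32\GroupPolicy").Access` should list only the five entries of step 7, none of them inherited.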

Posted

Re: lockdown desktop without Group Policy

 

Thanks for the reply Vera. Made a bit of a mess there!

 

The Owner is: Unable to display current owner.

In the Change Owner to: Administrator is listed

 

There are no Users or Groups listed under the Security tab.

 

BTW: the procedure did succeed in locking down the Shut Down button for all

standard Remote Desktop User accounts as hoped, only I can now no longer

effect any other changes. I will revert changes as suggested by TP in the

next thread, but I still need to figure out how to lock it down, including

certain Apps, Server browsing, web browsing, etc.

 

Further help is appreciated.

 

Kind regards

 

Tony

--

Always hands on and keen to learn.

 

 

"Vera Noest [MVP]" wrote:


Posted

Re: lockdown desktop without Group Policy

 

Dear TP

 

I kind of moosed that up a bit so thanks for the "Get out of jail card".

Once I revert the settings, I will still need to lock the Server down in

terms of what the TS users are able to access. Some will be running different

apps from each other but none will be permitted to gain access to the file

structure on the Server.

 

I would appreciate further help bearing in mind it is a DC.

 

Many thanks

 

Tony

--

Always hands on and keen to learn.

 

 

"TP" wrote:


  • 1 month later...
Posted

Re: lockdown desktop without Group Policy

 

I may have done more damage than at first thought!

 

I followed TP's repair procedure to revert settings, and have just tried to

edit Group Policy with the admin account, but all options are greyed out.

 

Please help. We have just added a new user to the Domain and although that

went okay, they cannot access file shares. I went to look at gpedit.msc and

noticed the greyed out problem.

 

Please help.

 

Thanks

--

Always hands on and keen to learn.

 

 

"Tonky" wrote:


Guest Vera Noest [MVP]
Posted

Re: lockdown desktop without Group Policy

 

I think that your best option at this point is to call Microsoft

Support. Since it's not clear what went wrong, it's nearly

impossible to fix it with advice from a newsgroup, and you'll only

risk making the damage even bigger.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

*----------- Please reply in newsgroup -------------*

 

=?Utf-8?B?VG9ua3k=?= <Tonky@discussions.microsoft.com> wrote on 17

dec 2007:
