Re: Locking Down TS Sessions

From: David Everett [MSFT] (deverett_at_online.microsoft.com)
Date: 03/16/04


Date: Tue, 16 Mar 2004 14:34:07 -0600

On the Security tab of the loopback "lockdown" GPO you can check the Deny
"Apply Group Policy" for Domain Admins. Authenticated Users will continue
to have Read and Apply Group Policy set to Allow and the policy will still
be applied against the machine. However, the explicit Deny for Domain
Admins will prevent the policy from being applied to Administrators (or any
other group you explicitly Deny).

-- 
David Everett
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.
"pdx" <anonymous@discussions.microsoft.com> wrote in message
news:F8978246-8A2B-46A4-AD6E-E318146EC8E4@microsoft.com...
> Related to locking down a TS, I've read both kb260370 and kb231287 but my
> situation is that the server running Term Services in App Mode is also going
> to be running some other software that the Administrator will have to
> administer and use. If I enable Loopback Processing - as far as I know - the
> Administrator functionality will be limited and locked down along with that
> of users.
> 260370 explains a non-loopback procedure, but for obvious reasons, only
> deals with computer configuration GPO options and, unfortunately, the
> computer config options don't include the main things I want to lock down
> such as most all the user configuration options listed in 278295.
> I realize that the removal of Read/AGP access doesn't work when loopback
> processing is enabled, so my question is, how do I lock down Term
> Services sessions for the users but still allow the Administrator regular,
> unlimited/non-locked down access to the local machine?
>
> Thanks
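
Added example, not part of the original thread: a read-only PowerShell audit that lists the "Apply Group Policy" entries on a GPO and checks for the state the reply describes (Allow for Authenticated Users, explicit Deny for Domain Admins). The GPO name 'TS Lockdown' is a hypothetical placeholder, and the GroupPolicy and ActiveDirectory RSAT modules are assumed to be installed.

```powershell
# Added example: audits who is allowed/denied "Apply Group Policy" on one GPO.
# Read-only; changes nothing in the directory.
Import-Module GroupPolicy, ActiveDirectory

function Get-ApplyGpoAce {
    param([Parameter(Mandatory)][string]$GpoName)

    # Extended-right GUID for "Apply Group Policy"
    $applyGpo = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
    $sidType  = [System.Security.Principal.SecurityIdentifier]

    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop
    $acl = Get-Acl -Path "AD:\$($gpo.Path)"   # ACL of the GPO object in AD

    # Only ACEs that name the Apply Group Policy right explicitly are listed.
    $acl.Access |
        Where-Object { $_.ObjectType -eq $applyGpo } |
        ForEach-Object {
            [pscustomobject]@{
                Identity = $_.IdentityReference.Value
                Sid      = $_.IdentityReference.Translate($sidType).Value
                Type     = $_.AccessControlType   # Allow or Deny
            }
        }
}

$gpoName      = 'TS Lockdown'                              # hypothetical GPO name
$domainAdmins = "$((Get-ADDomain).DomainSID.Value)-512"    # well-known RID 512
$authUsers    = 'S-1-5-11'                                 # Authenticated Users

$aces = @(Get-ApplyGpoAce -GpoName $gpoName)
$aces | Format-Table -AutoSize

$adminDenied  = @($aces | Where-Object { $_.Sid -eq $domainAdmins -and $_.Type -eq 'Deny' })
$usersAllowed = @($aces | Where-Object { $_.Sid -eq $authUsers -and $_.Type -eq 'Allow' })

if ($usersAllowed.Count -eq 0) {
    Write-Warning "Authenticated Users has no Allow for Apply Group Policy on '$gpoName'."
}
if ($adminDenied.Count -eq 0) {
    Write-Warning "Domain Admins has no explicit Deny; the lockdown will also apply to admins."
}
if ($usersAllowed.Count -gt 0 -and $adminDenied.Count -gt 0) {
    Write-Output "'$gpoName' matches the expected filtering."
}
```

After a change, running gpresult from an administrator's session on the terminal server shows whether the GPO is now listed as filtered out for that account.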

