Re: Need help configuring security on a stand alone terminal server.

LOL

TP wrote:
Below are the instructions for a standalone 2003 server.
They allow you to set group policy settings that *only*
apply to normal users, and permit you to edit the policies
when needed. They will *not* allow you to edit some
items under the local security settings, for example,
audit, password policy, user rights, etc.

I have an updated version that does not suffer from the
above limitation, but it is currently written on one of my
notepads. You can work around the limitation by making
required changes to the local security settings tree *before*
starting the INITIAL SETUP below.

Or if I get a chance I will type up the changes for you. :)

INITIAL SETUP

This should be done before attempting any changes to
Group Policy settings.

1. Logon as an administrator

2. Open up Computer Management from Administrative
Tools

3. Create a new local group named "GP Editors"

4. Create a new local user named "gpedit". Assign user
a password, and check password never expires. Make
this user a member of the GP Editors group.

5. Open up windows explorer and browse to the following
folder (make sure that view hidden files is enabled):

C:\WINDOWS\system32\GroupPolicy

6. Right-click on the GroupPolicy folder and choose Properties

7. On the Security tab, click the Advanced button

8. Click the Add button, enter GP Editors in the Select User or
Group dialog, and click OK

9. Check Full Control under the Allow column, and click OK

10. Check "Replace permission entries on all child objects with
entries shown here that apply to child objects"

11. Click the Apply button and confirm Yes twice.

12. On the Owner tab, click the Other Users and Groups button,
enter GP Editors, and click OK.

13. Check "Replace owner on subcontainers and objects"

14. Make sure GP Editors is selected in the Change Owner to list.

15. Click the OK button to change the owner, click OK to close
the GroupPolicy Properties

16. Within the GroupPolicy folder, right-click on the Machine folder,
and choose Properties

17. On the Security tab, select Administrators on the top, and
check Full Control under the Deny column

18. Click OK to save the Deny permission you just made, confirm
by answering Yes twice

19. Within the GroupPolicy folder, right-click on the User folder,
and choose Properties

20. On the Security tab, select Administrators on the top, and
check Full Control under the Deny column

21. Click OK to save the Deny permission you just made, confirm
by answering Yes twice

22. Within the GroupPolicy folder, right-click on the gpt.ini file,
and choose Properties

23. On the Security tab, select Administrators on the top, and
check Full Control under the Deny column

24. Click OK to save the Deny permission you just made, confirm
by answering Yes twice

25. Right-click on the desktop and choose New-->Shortcut

26. Enter the following in the location box:

runas /user:gpedit "%windir%\system32\mmc gpedit.msc"

27. Click Next, and enter Edit Group Policy for the name

28. Click Finish

MODIFYING GROUP POLICY SETTINGS

1. Logon using the account you used for the intitial setup

2. Double-click on the Edit Group Policy shortcut

3. Enter the password for the gpedit account

4. Edit the policies as needed

-TP

Håkon Galstad wrote:
Hello. I have a stand alone terminal server and need some help
setting up security.

Since this computer is not a domain server im a little lost where i
can do the proper configuration. I have made a group called
TermSRVusers and put all users that i have created under local user
and that should have right to log on trough terminal server in this
group.
Now i wonder how i can inactivate control panel, IE, and other stuff
from those users. When i use local security policy i do this for all
users including the Administrator, so i need help to make policy
changed for only the group TermSRVusers.

Can anyone help me?

Best Regards
Håkon
MCP

.