Re: Locking Down Terminal Server in Workgroup environment

From Vera's website (http://ts.veranoest.net)

Q: How can I lock down my standalone TS with a local policy without locking down the Administrator account?
Last modified: September 9, 2007

A: If your TS is not part of an Active Directory domain, you are limited to using the local policy on the server instead of a domain GPO. One of the disadvantages is that you can't use security filtering on a local policy, as you can with AD-based Group Policies.
But here's a way around this limitation:

1. Logged on as Administrator, create a local group named "GP Editors" and a local user named "gpeditor". Make gpeditor a member of the GP Editors group
2. Add the GP Editors group to the Security - Advanced - Permissions tab of the folder C:\WINDOWS\system32\GroupPolicy. Check "Full Control - Allow" and "Replace permission entries on all child objects with entries shown here that apply to child objects"
3. On the Security - Advanced - Owner tab, change ownership to the GP Editors group, checking "Replace owner on subcontainers and objects"
4. On the Security tab of the Machine and User subfolders and the gpt.ini file in C:\WINDOWS\system32\GroupPolicy, change the permissions for Administrators to "Full Control - Deny"
5. Create a shortcut on the desktop with the command:
runas /user:gpeditor "%windir%\system32\mmc gpedit.msc"
and name it "Edit Local Policy"


Jeff Pitsch
Microsoft MVP - Terminal Services

Jabooty wrote:
I have a Terminal Server in a Workgroup environment that I would like to lock
down to limit user access. I would like to configure a Group to drop users in with the restricted rights as you would in an AD environment, because I do
not want administrative accounts to have the restrictions. Is this possible
in a workgroup and if so, how do I go about doing it? Any other
recommendations or best practices are welcome.
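
A read-only PowerShell check of the ACL layout that steps 2-4 of the quoted procedure produce, added here as an example; it is not part of the original post or of the site it quotes. It assumes the group name "GP Editors" and the default folder given in the post, and that PowerShell is installed on the server.

```powershell
# Added example, not from the original post: read-only audit of steps 2-4.
# Assumes the "GP Editors" group and the default folder named in the post.
# Run it as gpeditor, since step 4 denies Administrators access to the child objects.
$Root    = Join-Path $env:windir 'system32\GroupPolicy'
$SidType = [System.Security.Principal.SecurityIdentifier]
$Full    = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$Editors = (New-Object System.Security.Principal.NTAccount('GP Editors')).Translate($SidType).Value
$Admins  = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Test-FullControlAce {
    param($Acl, [string]$Sid, [string]$Type)   # $Type: 'Allow' or 'Deny'
    # Compare by SID so the check does not depend on localized account names.
    foreach ($ace in $Acl.GetAccessRules($true, $true, $SidType)) {
        if ($ace.IdentityReference.Value -eq $Sid -and
            $ace.AccessControlType.ToString() -eq $Type -and
            ([int]$ace.FileSystemRights -band $Full) -eq $Full) { return $true }
    }
    return $false
}

function Get-LockdownFinding {
    $children = 'Machine', 'User', 'gpt.ini' | ForEach-Object { Join-Path $Root $_ }
    foreach ($path in @($Root) + $children) {
        if (-not (Test-Path $path)) { '{0}: not found' -f $path; continue }
        $acl = Get-Acl $path
        if ($acl.GetOwner($SidType).Value -ne $Editors) {
            '{0}: owner is not GP Editors (step 3)' -f $path
        }
        if (-not (Test-FullControlAce $acl $Editors 'Allow')) {
            '{0}: GP Editors lacks Full Control - Allow (step 2)' -f $path
        }
        # Step 4 applies only to Machine, User and gpt.ini, not to the folder itself.
        if ($path -ne $Root -and -not (Test-FullControlAce $acl $Admins 'Deny')) {
            '{0}: Administrators lacks Full Control - Deny (step 4)' -f $path
        }
    }
}

$findings = @(Get-LockdownFinding)
if ($findings.Count -eq 0) { 'ACLs match steps 2-4.' } else { $findings }
```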