Group Policy

J

John

I read an article on locking down Terminal Server using
the group poilicy editor however, it also applis the
policy to the administrator. Does anyone have a way
around this. I would like the users to be restricted,
but when I log in as admin to do some maint. work I can't
do it while restricted.

Thanks

John
 
S

Seaver

Dear John,

Thank you for your posting.

According to your post, you want a workaround to prevent Administrator
being lock down in group policy.

If I have misunderstood your concern please don't hesitate to let me know.

You can use Group Policies to lock down a Terminal Server session on a
Windows 2000-based computer. With the following settings, even the
administrator account will have restricted access. It is highly recommended
that you create a new Organizational Unit instead of modifying the polices
on an existing one.

Note: The use of these policies does not guarantee a secure computer, and
you should use them only as a guideline.

For more instructions please refer to the following article:

278295 How to Lock Down a Windows 2000 Terminal Server Session
http://support.microsoft.com/?id=278295

Sincerely,


Seaver Ren

Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security
 
C

Cláudio Rodrigues

Just deny access (NTFS) to the administrator on the GP object on the system
(file) and it will not apply to the administrator.

--
Cláudio Rodrigues, MVP
Windows 2000/NT Server
Terminal Services

http://www.terminal-services.NET

-> The only Terminal Services Client for DOS.
-> The only customized RDP5.1 client with the close button disabled! :)
-> Developers of SecureRDP, the BEST security utility for TS!

Do NOT email me directly UNLESS YOU KNOW ME or you are a Microsoft
MVP/Employee.
Use my support page on my website to submit your questions directly.
 
R

Richard

"John"
I read an article on locking down Terminal Server using
the group poilicy editor however, it also applis the
policy to the administrator. Does anyone have a way
around this. I would like the users to be restricted,
but when I log in as admin to do some maint. work I can't
do it while restricted.
Click to expand...

If you are using a GPO in Active Directory, do the following :
- select "Properties" on the OU containing your TS server,
- in the "Group Policy" tab, select the GPO and click "Properties",
- in the "Security" tab, you can "Deny" the "apply Group policy" for the
administrator.

For some reasons, I had sometime to exclude nonimatively the "Administrator"
account. For simply excluding the administrators group would do any effect.
(Just don't deny "read" to administrator, for you will have some troubles
editing it ...)

--Richard.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Force users to Log Off rather than Disconnect....Please help. 4
A Few Group Policy Questions 1
A Few Group Policy Questions 2
local admin on vista 2
Group Policy restrictions 1
Local Drive sharing using Remote Desktop 0
Group policy 1
Group Policy 4

Top