_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
Pearl <Pe...@discussions.microsoft.com> wrote on 07
sep 2007 in microsoft.public.windows.terminal_services:
Sure, many ways. For example, if you're using a standalone or member server
you can do a lot of things with *local* policies. But you may wish to be
more specific about what exactly you're trying to do, and why you're trying
to do it without group policy if you have it as an option....
I have GPMC and the server is Windows 2003 standard. I am advised that GPMC
will not allow us to configure these restrictions for the User so what other
options do I have?
Thanks in advance
Pearl <Pe...@discussions.microsoft.com> wrote on 07
sep 2007 in microsoft.public.windows.terminal_services:
> thanks for replying. What we'd like to do is setup only Local
From: "TP" <tperson....@mailandnews.com>
Subject: Re: local policy and terminal server
Date: Wed, 8 Nov 2006 16:59:42 -0500
Newsgroups: microsoft.public.windows.terminal_services
Here are the instructions for a standalone 2003 server, which can
be summarised with:
1. create a group and user (steps 1 - 4)
2. set permissions and ownership on three folders and a file (steps 5 - 23)
3. create a shortcut (steps 24 - 27)
INITIAL SETUP
This should be done before attempting any changes to
Group Policy settings.
1. Logon as an administrator
2. Open up Computer Management from Administrative Tools
3. Create a new local group named "GP Editors"
4. Create a new local user named "gpedit". Assign this user
a password, and check "password never expires". Make
this user a member of the GP Editors group.
5. Open up windows explorer and browse to the following
folder (make sure that view hidden files is enabled):
C:\WINDOWS\system32\GroupPolicy
6. Right-click on the GroupPolicy folder and Properties - Security
- Advanced
7. Click the Add button, enter GP Editors in the Select User or
Group dialog, and click OK
8. Check Full Control under the Allow column, and click OK
9. Check "Replace permission entries on all child objects with
entries shown here that apply to child objects"
10. Click the Apply button and confirm Yes twice.
11. On the Owner tab, click the Other Users and Groups button,
enter GP Editors, and click OK.
12. Check "Replace owner on subcontainers and objects"
13. Make sure GP Editors is selected in the Change Owner to list.
14. Click the OK button to change the owner, click OK to close
the GroupPolicy Properties
15. Within the GroupPolicy folder, right-click on the Machine
folder, and choose Properties - Security
16. On the Security tab, select Administrators on the top, and
check Full Control under the Deny column
17. Click OK to save the Deny permission you just made, confirm
by answering Yes twice
18. Within the GroupPolicy folder, right-click on the User folder,
and choose Properties
19. On the Security tab, select Administrators on the top, and
check Full Control under the Deny column
20. Click OK to save the Deny permission you just made, confirm
by answering Yes twice
21. Within the GroupPolicy folder, right-click on the gpt.ini file,
and choose Properties
22. On the Security tab, select Administrators on the top, and
check Full Control under the Deny column
23. Click OK to save the Deny permission you just made, confirm
by answering Yes twice
24. Right-click on the desktop and choose New-->Shortcut
25. Enter the following in the location box:
runas /user:gpedit "%windir%\system32\mmc gpedit.msc"
26. Click Next, and enter "Edit Group Policy" for the name
27. Click Finish
MODIFYING GROUP POLICY SETTINGS
1. Logon using the account you used for the initial setup
2. Double-click on the Edit Group Policy shortcut
3. Enter the password for the gpedit account
4. Edit the policies as needed
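The same INITIAL SETUP as a script, added here as an example and not TP's own code. It targets a standalone or member server (the thread is explicit that the procedure is not for a domain controller), assumes an elevated PowerShell session on that server, and assumes the Machine and User subfolders already exist as TP's steps do; the group name, account name and shortcut name are the ones from the steps above.

```powershell
# Added example: PowerShell equivalent of TP's 27-step INITIAL SETUP for a
# standalone/member server. NOT for a domain controller.
$GpRoot   = Join-Path $env:windir 'system32\GroupPolicy'
$Editors  = 'GP Editors'
$Password = Read-Host "Password for the new 'gpedit' account"

# Steps 1-4: local group, local user with a non-expiring password, membership.
net localgroup "$Editors" /add
net user gpedit "$Password" /add
wmic useraccount where "name='gpedit'" set PasswordExpires=false
net localgroup "$Editors" gpedit /add

# Steps 5-10: Allow GP Editors Full Control on GroupPolicy, propagated to all
# child objects (ContainerInherit + ObjectInherit = "this folder, subfolders
# and files").
$fullArgs = @($Editors, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$full = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $fullArgs
$acl = Get-Acl $GpRoot
$acl.AddAccessRule($full)
Set-Acl $GpRoot $acl

# Steps 11-14: make GP Editors the owner of the whole tree. icacls (Server 2003
# SP2 and later) is used instead of Set-Acl, because Set-Acl only lets the
# caller assign ownership to itself or to Administrators.
icacls $GpRoot /setowner "$Editors" /T

# Steps 15-23: Deny Administrators Full Control on Machine, User and gpt.ini.
# A Deny entry overrides any Allow entry, which is why this locks the built-in
# administrators out of these objects until ownership is taken back.
foreach ($child in 'Machine', 'User', 'gpt.ini') {
    $path = Join-Path $GpRoot $child
    if (-not (Test-Path $path)) { continue }   # assumption: created by an earlier policy edit
    $isDir = (Get-Item $path -Force) -is [IO.DirectoryInfo]
    $flags = if ($isDir) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    $denyArgs = @('BUILTIN\Administrators', 'FullControl', $flags, 'None', 'Deny')
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $denyArgs
    $acl = Get-Acl $path
    $acl.AddAccessRule($deny)
    Set-Acl $path $acl
}

# Steps 24-27: desktop shortcut that opens gpedit.msc as the gpedit account.
$desktop = [Environment]::GetFolderPath('Desktop')
$shell   = New-Object -ComObject WScript.Shell
$lnk     = $shell.CreateShortcut((Join-Path $desktop 'Edit Group Policy.lnk'))
$lnk.TargetPath = "$env:windir\system32\runas.exe"
$lnk.Arguments  = '/user:gpedit "%windir%\system32\mmc gpedit.msc"'
$lnk.Save()
```

Keep the script next to the repair procedure that appears later in the thread: the Deny entries it writes are the ones that have to be undone if the box turns out to be a DC or if the gpedit account is ever lost.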
If users on this server will be accessing any AD resources at all, putting
this box in a DMZ is beyond foolish.
I have a similar issue, but on a Server 2003 R2 SP1 box which is a DC and so
I followed the instructions for GP Editor as suggested by TP. All seemed to
go well until accessing the desktop shortcut created in the last step. A
Command prompt appears requesting the gpedit password. When I attempt to type
it in, nothing appears but the Command Line disappears launching Group Policy
Editor saying access denied.
Something obviously went wrong, which could stem back to editing the
security settings for gpt.ini, which suggested changes couldn't be made as it
was read only, but it appeared to make changes all the same as all existing
security groups were removed from the list.
I can now no longer edit group policy.
Any help?
Many thanks.
Tony
--
Always hands on and keen to learn.
Can you check who is the current owner of gpt.ini? Right-click
gpt.ini - properties - security - advanced - owner.
And what exactly is listed in the security tab? Any accounts at all
there? With which permissions?
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
Tonky <To...@discussions.microsoft.com> wrote on 26
okt 2007 in microsoft.public.windows.terminal_services:
The instructions are *not* meant for use on a DC.
Please reset the permissions on the GroupPolicy folder to
default using the following instructions:
1. Logon to the DC as an administrator
2. Open up windows explorer and browse to the following
folder (make sure that view hidden files is enabled):
C:\WINDOWS\system32\GroupPolicy
3. Right-click on the GroupPolicy folder and choose Properties
- Security tab - Advanced button - Owner tab
4. Select Administrators for the owner and check "Replace
owner on subcontainers and objects", click OK and Yes
5. Close the GroupPolicy folder Properties window
6. Right-click on the GroupPolicy folder and choose Properties
- Security tab - Advanced button - Permissions tab
7. Use the Add & Remove buttons as needed until you have
*only* the following Permissions entries in the list:
Allow Authenticated Users Read & Execute <not inherited> This folder, subfolders and files
Allow Server Operators Read & Execute <not inherited> This folder, subfolders and files
Allow Administrators Full Control <not inherited> This folder, subfolders and files
Allow CREATOR OWNER Full Control <not inherited> Subfolders and files only
Allow SYSTEM Full Control <not inherited> This folder, subfolders and files
Note: Read & Execute consists of the following individual
permissions, check all of them when adding the entry:
Traverse Folder / Execute File
List Folder / Read Data
Read Attributes
Read Extended Attributes
Read Permissions
8. Check "Replace permission entries on all child objects with
entries shown here that apply to child objects"
9. Click OK and then Yes to confirm
Thanks.
-TP
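An added example, not TP's or Vera's own code, covering both Vera's question (who owns each object under GroupPolicy and which entries are on its Security tab) and TP's reset procedure. It assumes an elevated PowerShell session on the machine itself and that takeown.exe is available (it ships with Server 2003 and later; if it is missing, take ownership in the GUI as TP's steps 3-4 describe). "Server Operators" exists only on a domain controller, which Tony's box is; remove that line on a member server.

```powershell
# Added example: audit the GroupPolicy folder, then reset it to TP's default ACL.
$GpRoot = Join-Path $env:windir 'system32\GroupPolicy'

# TP's step 7 list as (identity, rights, inheritance, propagation).
# InheritOnly on CREATOR OWNER is the "Subfolders and files only" scope.
$DefaultAces = @(
    @('NT AUTHORITY\Authenticated Users', 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None'),
    @('BUILTIN\Server Operators',         'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None'),
    @('BUILTIN\Administrators',           'FullControl',    'ContainerInherit, ObjectInherit', 'None'),
    @('CREATOR OWNER',                    'FullControl',    'ContainerInherit, ObjectInherit', 'InheritOnly'),
    @('NT AUTHORITY\SYSTEM',              'FullControl',    'ContainerInherit, ObjectInherit', 'None')
)

function Get-GpTree {
    # The folder itself plus everything below it (Machine, User, gpt.ini, ...).
    param([string]$Root)
    @(Get-Item $Root -Force) + @(Get-ChildItem $Root -Recurse -Force)
}

function Show-GpAcl {
    # Owner and every ACE per object: the two things Vera asked Tony to check.
    param([string]$Root = $GpRoot)
    foreach ($item in Get-GpTree $Root) {
        $acl = Get-Acl $item.FullName
        $item.FullName
        '  Owner: {0}' -f $acl.Owner
        foreach ($ace in $acl.Access) {
            '  {0,-5} {1,-36} {2,-28} inherited={3}' -f $ace.AccessControlType,
                $ace.IdentityReference, $ace.FileSystemRights, $ace.IsInherited
        }
    }
}

function Reset-GpAcl {
    param([string]$Root = $GpRoot)
    # Steps 3-4: ownership back to Administrators on the whole tree. takeown is
    # used because a Deny ACE on Administrators (Tony's state) makes Get-Acl fail
    # with access denied, while taking ownership only needs SeTakeOwnershipPrivilege.
    takeown /f "$Root" /r /a /d y | Out-Null

    # Step 7: stop inheriting, drop every existing entry, add exactly the five
    # <not inherited> defaults.
    $acl = Get-Acl $Root
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    foreach ($e in $DefaultAces) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList ($e + 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl $Root $acl

    # Steps 8-9 ("Replace permission entries on all child objects"): children
    # keep only what they inherit from the GroupPolicy folder.
    foreach ($item in Get-ChildItem $Root -Recurse -Force) {
        $acl = Get-Acl $item.FullName
        $acl.SetAccessRuleProtection($false, $false)
        foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            [void]$acl.RemoveAccessRule($ace)
        }
        Set-Acl $item.FullName $acl
    }
}

Show-GpAcl     # before: expect "Owner" empty or an error and no ACEs in Tony's case
Reset-GpAcl
Show-GpAcl     # after: five entries on the folder, only inherited entries below it
```

Run Show-GpAcl first and keep its output; the before/after listing is the record of what the repair changed, and it makes the "Unable to display current owner" symptom visible as an empty or failing Owner line before the reset.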
The Owner is: Unable to display current owner.
In the Change Owner to: Administrator is listed
There are no Users or Groups listed under the Security tab.
BTW: the procedure did succeed in locking down the Shut Down button for all
standard Remote Desktop User accounts as hoped, only I can now no longer
effect any other changes. I will revert changes as suggested by TP in the
next thread, but I still need to figure out how to lock it down, including
certain Apps, Server browsing, web browsing, etc.
Further help is appreciated.
Kind regards
Tony
--
Always hands on and keen to learn.
I kind of moosed that up a bit so thanks for the "Get out of jail card".
Once I revert the settings, I will still need to lock the Server down in
terms of what the TS users are able to access. Some will be running different
apps from each other but none will be permitted to gain access to the file
structure on the Server.
I would appreciate further help bearing in mind it is a DC.
Many thanks
Tony
--
Always hands on and keen to learn.
I followed TP's repair procedure to revert settings, and have just tried to
edit Group Policy with the admin account, but all options are greyed out.
Please help. We have just added a new user to the Domain and although that
went okay, they cannot access file shares. I went to look at gpedit.msc and
noticed the greyed out problem.
Please help.
Thanks
--
Always hands on and keen to learn.
Tonky <To...@discussions.microsoft.com> wrote on 17
dec 2007: