Summary
On a Windows 2000-based computer, you can use Group Policy to lock down a Terminal Server session. After the following settings are applied, the Administrator account's access is restricted. We strongly recommend that you create a new organizational unit instead of modifying the policy of an existing organizational unit.
Note: Using these policies does not guarantee computer security. They can only be used as a general guide.
More information
Use Active Directory Users and Computers to create a new organizational unit (OU). Right-click the OU, click Properties, click Group Policy, and then click New policy. Use the following settings to edit this policy:
- [Computer Configuration \ Administrative Templates \ System \ Group Policy]
Enable the following setting:
User Group Policy loopback processing mode
- [Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security Options]
Enable the following settings:
Do not display last user name in logon screen
Restrict CD-ROM access to locally logged-on user only
Restrict floppy access to locally logged-on user only
- [Computer Configuration \ Administrative Templates \ Windows Components \ Windows Installer]
Enable the following setting and set it to Always:
Disable Windows Installer
- [User Configuration \ Windows Settings \ Folder Redirection]
Enable the following settings:
Application Data
Desktop
My Documents
Start Menu
- [User Configuration \ Administrative Templates \ Windows Components \ Windows Explorer]
Enable the following settings:
Remove "Map Network Drive" and "Disconnect Network Drive"
Remove Search button from Windows Explorer
Disable Windows Explorer's default context menu
Hides the Manage item on the Windows Explorer context menu
Hide these specified drives in My Computer (Enable this setting for drives A through D.)
Prevent access to drives from My Computer (Enable this setting for drives A through D.)
Hide Hardware tab
- [User Configuration \ Administrative Templates \ Windows Components \ Task Scheduler]
Enable the following settings:
Prevent Task Run or End
Disable New Task Creation
- [User Configuration \ Administrative Templates \ Start Menu & Taskbar]
Enable the following settings:
Disable and remove links to Windows Update
Remove common program groups from Start Menu
Disable programs on Settings menu
Remove Network & Dial-up Connections from Start Menu
Remove Search menu from Start Menu
Remove Help menu from Start Menu
Remove Run menu from Start Menu
Add Logoff to the Start Menu
Disable and remove the Shut Down command
Disable changes to Taskbar and Start Menu Settings
- [User Configuration \ Administrative Templates \ Desktop]
Enable the following settings:
Hide My Network Places icon on desktop
Prohibit user from changing My Documents path
- [User Configuration \ Administrative Templates \ Control Panel]
Enable the following settings:
Disable Control Panel
Important: After this setting is enabled, the administrator cannot install any MSI package on the terminal server even if the explicit "deny" permission is set for the Administrator account.
- [User Configuration \ Administrative Templates \ System]
Enable the following settings:
Disable the command prompt (Set Disable scripts to No)
Disable registry editing tools
- [User Configuration \ Administrative Templates \ System \ Logon/Logoff]
Enable the following settings:
Disable Task Manager
Disable Lock Computer
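To confirm that a test user in the new OU actually received the per-user restrictions, the following added example (not part of the Microsoft article) audits a registry export of that user's HKEY_CURRENT_USER policy keys. The registry value names and data (NoRun, NoDrives, NoViewOnDrive, DisableTaskMgr, DisableRegistryTools, DisableCMD) are assumptions about what these User Configuration policies write, and the sample export is constructed.

```python
import re

# Registry value names and data are assumptions, not taken from the article.
EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
CMD = r"Software\Policies\Microsoft\Windows\System"
EXPECTED = {(EXPLORER, "NoRun"): 1, (SYSTEM, "DisableTaskMgr"): 1,
            (SYSTEM, "DisableRegistryTools"): 1,
            (CMD, "DisableCMD"): 2}  # 2 = prompt blocked, batch scripts allowed

def drive_mask(letters):
    """Bitmask used by NoDrives/NoViewOnDrive: bit 0 = A, bit 1 = B, ..."""
    return sum(1 << (ord(c) - ord("A")) for c in set(letters.upper()))

def parse_reg(text):
    """Collect dword values under HKEY_CURRENT_USER from .reg export text."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"\[HKEY_CURRENT_USER\\(.+)\]", line)
        if line.startswith("["):
            key = m.group(1) if m else None  # skip keys from other hives
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m and key:
            values[(key, m.group(1))] = int(m.group(2), 16)
    return values

def audit(text, drives="ABCD"):
    """Return findings where the export differs from the article's settings."""
    got, findings = parse_reg(text), []
    for (key, name), want in EXPECTED.items():
        have = got.get((key, name))
        if have != want:
            findings.append(f"{name}: expected {want}, found {have}")
    for name in ("NoDrives", "NoViewOnDrive"):
        missing = drive_mask(drives) & ~got.get((EXPLORER, name), 0)
        if missing:
            letters = "".join(chr(65 + i) for i in range(26) if missing >> i & 1)
            findings.append(f"{name}: drives {letters} not covered")
    return sorted(findings)

# Constructed sample: drives C and D visible, Task Manager and scripts wrong.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoDrives"=dword:00000003
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001
"""
```

Calling `audit(SAMPLE)` returns one finding per deviation; an empty list means every checked value matches, including full A through D coverage in both drive masks.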
For information about locking Windows Server 2003 Terminal Server sessions, visit the following web page:
http://www.microsoft.com/downloads/details.aspx?Familyid=7f272fff-9a6e-40c7-b64e-7920e6ae6a0d&displaylang=en
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
Latest update: 2004-6-16 (4.0)
Keywords: kbhowto kbnetwork kb278295