Use Active Directory Users and Computers to create a new organizational unit (OU). Right-click the OU, click Properties, and then on the Group Policy tab, click New Policy. Edit this policy with the following settings:
\n[Computer Configuration\\Admin Templates\\System\\Group Policy]<\/p>\n
Enable the following setting:
\nUser Group Policy loopback processing mode
\n[Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options]<\/p>\n
Enable the following settings:
\nDo not display last user name in logon screen
\nRestrict CD-ROM access to locally logged-on user only
\nRestrict floppy access to locally logged-on user only
\n[Computer Configuration\\Administrative Templates\\Windows Components\\Windows Installer]<\/p>\n
Enable the following setting, and set it to Always:
\nDisable Windows Installer<\/p>\n
Note The default setting for Disable Windows Installer prevents any non-managed applications from being installed by a non-administrator. Setting Disable Windows Installer to Always may prevent some of the newer updates from Windows Update from being applied. Therefore, we recommend that you only set Disable Windows Installer to Always if there is a specific need or an identified threat that you must address.
\n[User Configuration\\Windows Settings\\Folder Redirection]<\/p>\n
Enable the following settings:
\nApplication Data
\nDesktop
\nMy Documents
\nStart Menu
\n[User Configuration\\Administrative Templates\\Windows Components\\Windows Explorer]<\/p>\n
Enable the following settings:
\nRemove Map Network Drive and Disconnect Network Drive
\nRemove Search button from Windows Explorer
\nDisable Windows Explorer’s default context menu
\nHides the Manage item on the Windows Explorer context menu
\nHide these specified drives in My Computer (Enable this setting for A through D.)
\nPrevent access to drives from My Computer (Enable this setting for A through D.)
\nHide Hardware Tab
\n[User Configuration\\Administrative Templates\\Windows Components\\Task Scheduler]<\/p>\n
Enable the following settings:
\nPrevent Task Run or End
\nDisable New Task Creation
\n[User Configuration\\Administrative Templates\\Start Menu & Taskbar]<\/p>\n
Enable the following settings:
\nDisable and remove links to Windows Update
\nRemove common program groups from Start Menu
\nDisable programs on Settings Menu
\nRemove Network & Dial-up Connections from Start Menu
\nRemove Search menu from Start Menu
\nRemove Help menu from Start Menu
\nRemove Run menu from Start Menu
\nAdd Logoff to Start Menu
\nDisable changes to Taskbar and Start Menu Settings
\nDisable and remove the Shut Down command or Remove and prevent access to the Shut Down command<\/p>\n
Note In Windows 2000, this setting is named Disable and remove the Shut Down command. In Windows Server 2003, this setting is named Remove and prevent access to the Shut Down command.
\n[User Configuration\\Administrative Templates\\Desktop]<\/p>\n
Enable the following settings:
\nHide My Network Places icon on desktop
\nProhibit user from changing My Documents path
\n[User Configuration\\Administrative Templates\\Control Panel]<\/p>\n
Enable the following setting:
\nDisable Control Panel
\nImportant When you enable this setting, you prevent administrators from installing any MSI package on to the Terminal Server, even if the explicit Deny is set for the Administrator account.
\n[User Configuration\\Administrative Templates\\System]<\/p>\n
Enable the following settings:
\nDisable the command prompt (Set Disable scripts to No)
\nDisable registry editing tools
\n[User Configuration\\Administrative Templates\\System\\Logon\/Logoff] <\/p>\n
Enable the following settings:
\nDisable Task Manager
\nDisable Lock Computer
\nFor more information about how to lock down Windows Server 2003 Terminal Server Sessions, visit the following Web site:
\nhttps:\/\/www.microsoft.com\/downloads\/details.aspx?FamilyID=7f272fff-9a6e-40c7-b64e-7920e6ae6a0d&DisplayLang=en (https:\/\/www.microsoft.com\/downloads\/details.aspx?FamilyID=7f272fff-9a6e-40c7-b64e-7920e6ae6a0d&DisplayLang=en)
\nThe Dsacls.exe tool
\nDsacls.exe is a command-line tool that you can use to query the security attributes and to change permissions and security attributes of Active Directory objects. It is the command-line equivalent of the Security tab in the Windows Active Directory snap-in tools such as Active Directory Users and Computers and Active Directory Sites and Services. You can use Dsacls.exe to lock out Terminal Services end-users from files and folders on a Windows Server 2003-based computer or a Microsoft Windows 2000-based computer.<\/p>\n
For more information about how to use the Dsacls.exe tool (Dsacls.exe) to manage access control lists (ACLs) for directory services in Windows Server 2003 and Microsoft Windows 2000 Server, click the following article number to view the article in the Microsoft Knowledge Base:
\n281146 (https:\/\/support.microsoft.com\/kb\/281146\/ ) How to use Dsacls.exe in Windows Server 2003 and Windows 2000 <\/p>\n","protected":false},"excerpt":{"rendered":"
Use Active Directory Users and Computers to create a new organizational unit (OU). Right-click the OU, click Properties, and then […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[12],"tags":[102,112],"class_list":["post-50","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-terminal-server","tag-uncategorized"],"_links":{"self":[{"href":"https:\/\/wp.rimfalt.se\/index.php?rest_route=\/wp\/v2\/posts\/50","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wp.rimfalt.se\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wp.rimfalt.se\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wp.rimfalt.se\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wp.rimfalt.se\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=50"}],"version-history":[{"count":0,"href":"https:\/\/wp.rimfalt.se\/index.php?rest_route=\/wp\/v2\/posts\/50\/revisions"}],"wp:attachment":[{"href":"https:\/\/wp.rimfalt.se\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=50"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wp.rimfalt.se\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=50"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wp.rimfalt.se\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=50"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}