how can I limit ts local user on a stand alone server?

Discussion in 'Server Security' started by alex, Apr 27, 2009.

  1. alex

    alex Guest

    I have a 2003 srv stand alone (not domain), I need to limit some teminal
    server user, for exmple not shut down, remove items from start menu and
    other things that are easy to do with gpo and domain.
    I've tryed to modify the local policy, section user, but the the policy are
    applyed to ALL users, included administrator.
    How can I make a local policy and have it appied only to some users?
    Thank you
    Alex
     
    alex, Apr 27, 2009
    #1
    1. Advertisements

  2. Hello Alex,

    You can edit for some security settings the "Local security policy", Local
    policies, User rights assignment:
    "Shut down the system"

    Additional have a look at this article:
    http://support.microsoft.com/kb/325351

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Apr 27, 2009
    #2
    1. Advertisements

  3. alex

    alex Guest

    yes but then the policy apply to all users, included administrator!!
     
    alex, Apr 27, 2009
    #3
  4. alex

    alex Guest

    sorry, I've read just now the article... Thank you!
     
    alex, Apr 27, 2009
    #4
  5. Hello Alex,

    For the "shut down the system" setting you add the groups that are allowed
    to do it. So you can only use the administrators group. For the rest you
    have the article as you saw.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Apr 27, 2009
    #5
  6. alex

    alex Guest

    I've tryed with the article, but if administrator run gpupdate / force the
    policy are reapplyed also to administrator.
     
    alex, Apr 27, 2009
    #6
  7. Hello Alex,

    If you follow the steps in the article there is no need to run gpupdate command.
    The machine is a workgroup machine and not only disconnected from a domain?

    Best regards

    Meinolf Weber


     
    Meinolf Weber [MVP-DS], Apr 27, 2009
    #7
  8. alex

    alex Guest

    it's a workgroup server. I follow the article and it works fine, but if
    somebody runs gpupdate the stict policy is reapplyed to administrator. In
    this case administrator will loose his role...
    Maybe I can try to deny administrator read permission on registry.pol ...

     
    alex, Apr 27, 2009
    #8
  9. Hello Alex,

    Reconfigure gpupdate.exe permissions for administrators only. I can not test
    it in the moment. Maybe i will find later on some time.

    Best regards

    Meinolf Weber


     
    Meinolf Weber [MVP-DS], Apr 28, 2009
    #9
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.