2000 Terminal server Policy in NT4 Domain

[Rearview]

I would like to apply a policy to just one computer (Windows 2000 Adv Server). It is being used as a terminal server. I want someone logging into that machine to have this policy, but I want to make this policy NOY apply to administrators.
I know in the NT4 policy editor I can create a domain policy for a group (applies to all machines) and I can make a policy for a machine (applies to all users). I want it to apply to one group on one machine. Please give me your input. Thanks,

 

[KatherineCoombs]

Why not just apply the policy such that Apply Group Policy is only granted to that machine, and deny Administrators that Policy?

 

[Rearview]

What do you mean "Apply Group Policy?"

 

[KatherineCoombs]

Are using Windows 2000 Active Directory?

Right click on the OU or Domain or whatever and go to the Group Policy tab. Create the Group Policy if you haven't already and then on the Properties of that Group Policy set the security level so that it is expressly denied to administrators, but granted to that machine.

 

[Rearview]

No Active Directory. As stated in the thread title, I have an NT4 domain. I'm having a hard time with this. I assume by your post, and others I've seen, that this IS possible with Active Directory, but that doesn't helpme too much at this point... Does anyone know about a 2k member server in an NT4 domain?

 

[Galrahn]

I had a very similar problem recently and came up with a slick solution after a bit of research. You will have to research some yourself to get it to work right, but for the most part, it can be done. You will also need to be very comfortable around the Windows Registry to solve your problem.

Group Policy is nothing more than a glorified GUI interface for editing the registry. The problem is, some group policies are machine specific, and some are user specific. Without Active Directory, there is no way to apply specific settings on a user basis for machine specific policies, only user specific policies.

Recently I was involved in a prototype rollout of the Tablet PC for Microsoft in one of our hospitals. The problem we had was that these hospitals had not been upgraded to Active Directory, but the tablet PCs had to be locked down using Group Policy. The trick was, all users needed to have locked down settings except administrators. The answer to our problem allowed us to make the same changes to our W2K Terminal Servers in our old NT 4.0 Domains, which is exactly what your looking for.

To begin, you need to go to

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/gpref.asp

and print the entire page. The planning process is required if you are going to do a good job. Once you print out the entire document, highlight all of the group policies you are going to apply.

User specific changes are made to any registry keys entry under the HKCU\ Keys. HKEY_CURRENT_USER settings need to be first configured for how you want the administrators policy to be. You must force a definition for each Policy, even if you force the policy to be disabled. Once you complete changes to all of your policy configurations, disabling each one or configuring each one as you want, you then export the specific Group Policy registry hives you want to keep.

Example, if you change the Group Policy for User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins and enable administrator access to Device Manager MMC for administrators, you need to export that key to a reg file.

Once you have completely defined all Group Policies for your administrator account, and exported all of your reg files, combine the reg files into one large reg file.

Now lock down the Terminal Server using Group Policy for how you want all users to be configured. Remember, because Group Policy effects all users, you are effectively locking down administrator accounts and everyone else at the same time.

Once you finish your Policy configuration that you want for all users, log in as the account you want exempt from the Group Policy and run the reg file you created earlier. Because HKCU settings are user specific, those settings have now been overwritten by what was applied by the group policy. Now log off to save those settings for that user.

Each User who needs to be exempt from the Group Policy settings needs to log in and run the reg file in order to be exempt. All settings in Group Policy under the HKEY_LOCAL_MACHINE are still applied to the administrator accounts, and there is nothing you can do about this without Active Directory, but for the most part you have secured a Server with Group Policy without prohibiting the administrator account from being able to work on the server... and all without Active Directory.

It is always a good idea to configure your Reg File in a test enviornment and verify it many times over before using on a production server.

Galrahn

 

[Rearview]

Wow, that is a lot of information. I'll attempt it I suppose. I'll keep you posted on it.