Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
How to prevent access to control panel for users but not for admin?
- Thread starter isterios
- Start date
mattjurado
MIS
Or simply create a new group policy. Add a group for your users that has the rights to read and apply, enabled. Add a group for your administrators, and the right to read, but for apply, set it to deny.
Matt J.
Please always take the time to backup any and all data before performing any actions suggested for ANY problem, regardless of how minor a change it might seem. Also test the backup to make sure it is intact.
Matt J.
Please always take the time to backup any and all data before performing any actions suggested for ANY problem, regardless of how minor a change it might seem. Also test the backup to make sure it is intact.
- Thread starter
- #4
mattjurado
MIS
I did post something you might want to consider.
Matt J.
Please always take the time to backup any and all data before performing any actions suggested for ANY problem, regardless of how minor a change it might seem. Also test the backup to make sure it is intact.
Matt J.
Please always take the time to backup any and all data before performing any actions suggested for ANY problem, regardless of how minor a change it might seem. Also test the backup to make sure it is intact.
salsero328
IS-IT--Management
Did you follow up with this suggestion: from mattjurado
"Or simply create a new group policy. Add a group for your users that has the rights to read and apply, enabled. Add a group for your administrators, and the right to read, but for apply, set it to deny.:
"Or simply create a new group policy. Add a group for your users that has the rights to read and apply, enabled. Add a group for your administrators, and the right to read, but for apply, set it to deny.:
Hi -
I'm trying to do the same thing.
Am Citrix newbie (XPs FR3/W2K3).
Am trying to follow mattjurado suggestion - but not sure if I'm in the right place. Went into Group Policy Editor - but can't see where to "create a new group policy ...etc." Can you provide a little more detail?
Thanks for any help ...
I'm trying to do the same thing.
Am Citrix newbie (XPs FR3/W2K3).
Am trying to follow mattjurado suggestion - but not sure if I'm in the right place. Went into Group Policy Editor - but can't see where to "create a new group policy ...etc." Can you provide a little more detail?
Thanks for any help ...
mattjurado
MIS
Here are instructions that will help you create a policy and save an icon for it to your desktop. These are notes I wrote for 2000, but should be similar for 2003, if not exact.
Go to Start>Run>MMC. This opens Console1.
Click Console>Add/Remove Snap-In. You'll see a list of Snap-Ins. Click Add, Group Policy, Add. Now you'll have to
define what Group Policy you want to Administer. Click Browse, and right click in the white box that has the default Group Policies, and click New. Type a name for it, then click Finish, then Close, then OK. You'll have added your Group Policy Snap-In to your MMC Console1. Right Click on the name of the Group Policy, and click Properties.
Choose the Security tab. Click Add, and add the group that contains the users you want to apply the policy to (in your case, I would create a group called terminal users). Give them the Read & Apply Group Policy rights under the Allow column. Also add the Domain Administrators group, but give
them the right Apply Group Policy under the Deny column. This is very important, it ensures that this policy does
not affect your administrators.
Now you need to define what is in the policy. The one you are looking for would be User Configuration>Administrative Templates>Control Panel. On the right, open the Disable Control Panel policy, and enable it. There are many other useful policies for terminal services users, go through and explore them. The one thing to practice is if you are going to make multiple changes here, do them ONE AT A TIME! If you get an unexpected result, you'll know which one caused it, and you can quickly undo it.
Save Console1 before you exit (probably to your desktop), and give it a friendly name.
Matt J.
Please always take the time to backup any and all data before performing any actions suggested for ANY problem, regardless of how minor a change it might seem. Also test the backup to make sure it is intact.
Go to Start>Run>MMC. This opens Console1.
Click Console>Add/Remove Snap-In. You'll see a list of Snap-Ins. Click Add, Group Policy, Add. Now you'll have to
define what Group Policy you want to Administer. Click Browse, and right click in the white box that has the default Group Policies, and click New. Type a name for it, then click Finish, then Close, then OK. You'll have added your Group Policy Snap-In to your MMC Console1. Right Click on the name of the Group Policy, and click Properties.
Choose the Security tab. Click Add, and add the group that contains the users you want to apply the policy to (in your case, I would create a group called terminal users). Give them the Read & Apply Group Policy rights under the Allow column. Also add the Domain Administrators group, but give
them the right Apply Group Policy under the Deny column. This is very important, it ensures that this policy does
not affect your administrators.
Now you need to define what is in the policy. The one you are looking for would be User Configuration>Administrative Templates>Control Panel. On the right, open the Disable Control Panel policy, and enable it. There are many other useful policies for terminal services users, go through and explore them. The one thing to practice is if you are going to make multiple changes here, do them ONE AT A TIME! If you get an unexpected result, you'll know which one caused it, and you can quickly undo it.
Save Console1 before you exit (probably to your desktop), and give it a friendly name.
Matt J.
Please always take the time to backup any and all data before performing any actions suggested for ANY problem, regardless of how minor a change it might seem. Also test the backup to make sure it is intact.
- Thread starter
- #10
Hi,
You could try:-
Start | Run | gpedit.msc
Then only add in the .cpl files you want in option:-
User Configuration
Administrative Templates
Control Panel
Show only specified control panel applets
This does it for everyone but you can work round it!
Cheers,
Carl.
You could try:-
Start | Run | gpedit.msc
Then only add in the .cpl files you want in option:-
User Configuration
Administrative Templates
Control Panel
Show only specified control panel applets
This does it for everyone but you can work round it!
Cheers,
Carl.
- Status
Similar threads
- Question
- Locked
- Question