Mombu the Microsoft Forum

11 4th May 02:55
pearl
External User
 
Posts: 1
Default lockdown desktop without Group Policy


Vera
That seems to work fine but it also restricted the administrator. How can I
get back into the server as the administrator and apply the policy to all
users EXCEPT the administrator? I now don't have run nor any of the items I
activated...which is good for the users but not for the administrator.
12 4th May 02:57
vera noest [mvp]
External User
 
Posts: 1
Default lockdown desktop without Group Policy


That's one of the disadvantages of local policies, they don't allow
security filtering.
TP posted a way around this a while ago:

From: "TP" <tperson.knowspamn@mailandnews.com>
Subject: Re: local policy and terminal server
Date: Wed, 8 Nov 2006 16:59:42 -0500
Newsgroups: microsoft.public.windows.terminal_services

Here are the instructions for a standalone 2003 server, which can
be summarised with:
1. create a group and user (steps 1 - 4)
2. set permissions and ownership on three folders and a file
(steps 5 - 23)
3. create a shortcut (steps 24 - 27)

INITIAL SETUP

This should be done before attempting any changes to
Group Policy settings.

1. Logon as an administrator
2. Open up Computer Management from Administrative Tools
3. Create a new local group named "GP Editors"
4. Create a new local user named "gpedit". Assign this user
a password, and check "password never expires". Make
this user a member of the GP Editors group.
5. Open up windows explorer and browse to the following
folder (make sure that view hidden files is enabled):
C:\WINDOWS\system32\GroupPolicy
6. Right-click on the GroupPolicy folder and Properties - Security
- Advanced
7. Click the Add button, enter GP Editors in the Select User or
Group dialog, and click OK
8. Check Full Control under the Allow column, and click OK
9. Check "Replace permission entries on all child objects with
entries shown here that apply to child objects"
10. Click the Apply button and confirm Yes twice.
11. On the Owner tab, click the Other Users and Groups button,
enter GP Editors, and click OK.
12. Check "Replace owner on subcontainers and objects"
13. Make sure GP Editors is selected in the Change Owner to list.
14. Click the OK button to change the owner, click OK to close
the GroupPolicy Properties
15. Within the GroupPolicy folder, right-click on the Machine
folder, and choose Properties - Security
16. On the Security tab, select Administrators on the top, and
check Full Control under the Deny column
17. Click OK to save the Deny permission you just made, confirm
by answering Yes twice
18. Within the GroupPolicy folder, right-click on the User folder,
and choose Properties
19. On the Security tab, select Administrators on the top, and
check Full Control under the Deny column
20. Click OK to save the Deny permission you just made, confirm
by answering Yes twice
21. Within the GroupPolicy folder, right-click on the gpt.ini file,
and choose Properties
22. On the Security tab, select Administrators on the top, and
check Full Control under the Deny column
23. Click OK to save the Deny permission you just made, confirm
by answering Yes twice
24. Right-click on the desktop and choose New-->Shortcut
25. Enter the following in the location box:
runas /user:gpedit "%windir%\system32\mmc gpedit.msc"
26. Click Next, and enter "Edit Group Policy" for the name
27. Click Finish

MODIFYING GROUP POLICY SETTINGS

1. Logon using the account you used for the initial setup
2. Double-click on the Edit Group Policy shortcut
3. Enter the password for the gpedit account
4. Edit the policies as needed

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
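
A way to check the result of steps 5 - 23, as an added example that is not part of the original posts: a PowerShell audit of the owner and ACL entries on the GroupPolicy folder, the Machine and User folders, and gpt.ini. It assumes PowerShell is installed on the server (the thread does not mention it), that gpedit is not itself a member of Administrators, and that the script is run as the gpedit user, because Administrators are denied access to three of these objects by design.

```powershell
# Added audit sketch (not from the thread): verifies the NTFS settings that
# steps 5 - 23 of the quoted instructions produce.
# Assumption: run as the gpedit user; an administrator is denied by design.
$root    = Join-Path $env:windir 'system32\GroupPolicy'
$editors = 'GP Editors'                 # local group created in step 3
$admins  = 'BUILTIN\Administrators'
$full    = [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Test-Ace($acl, $who, $type) {
    # True if $who holds an ACE of the given type (Allow/Deny) covering Full Control.
    # Local groups are listed as COMPUTERNAME\name, so match on the suffix too.
    foreach ($ace in $acl.Access) {
        $name  = $ace.IdentityReference.Value
        $match = ($name -eq $who) -or ($name -like "*\$who")
        $bits  = [int]$ace.FileSystemRights -band $full
        if ($match -and ("$($ace.AccessControlType)" -eq $type) -and ($bits -eq $full)) {
            return $true
        }
    }
    return $false
}

function Report($what, $ok) {
    if ($ok) { "PASS  $what" } else { "FAIL  $what" }
}

# Steps 5 - 14: GP Editors gets Full Control and ownership of the folder
$acl = Get-Acl $root
Report "GroupPolicy is owned by $editors (steps 11 - 14)" ($acl.Owner -like "*\$editors")
Report "$editors is allowed Full Control on GroupPolicy (steps 7 - 10)" (Test-Ace $acl $editors 'Allow')

# Steps 15 - 23: Administrators is denied Full Control on three objects,
# while the entry for GP Editors must still be present on each of them
foreach ($item in 'Machine', 'User', 'gpt.ini') {
    $acl = Get-Acl (Join-Path $root $item)
    Report "Administrators is denied Full Control on $item (steps 15 - 23)" (Test-Ace $acl $admins 'Deny')
    Report "$editors is allowed Full Control on $item" (Test-Ace $acl $editors 'Allow')
}
```

Any FAIL line points at the step range to repeat. A run that ends in access-denied errors on Machine, User or gpt.ini means the account running it falls under the Administrators Deny entry.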
13 4th May 02:59
lanwench [mvp - exchange]
External User
 
Posts: 1
Default lockdown desktop without Group Policy


If users on this server will be accessing any AD resources at all, putting
this box in a DMZ is beyond foolish.