Removing Additional Permissions Granted to Terminal Services Users

Article ID: 238965
This article was previously published under Q238965

SUMMARY

To allow older programs to run correctly under Terminal Services in Windows 2000, additional permissions are granted to Terminal Services users. This article describes how to remove these additional permissions.

MORE INFORMATION

You can remove the additional permissions by using the Notssid.inf security template in the %SystemRoot%\Security\Templates folder. After you apply the Notssid.inf security template, the system has the same default permissions as a standard Windows 2000-based server, but with Terminal Services enabled. To apply this security template:
  1. At a command prompt, type cd /d %systemroot%\security\templates, and then press ENTER.
  2. Type secedit /configure /db notssid.sdb /cfg notssid.inf [/log notssid.log] /verbose, and then press ENTER.
You can restore the default permissions for Terminal Services users (including the default permissions and policies for all users) by using the Defltsv.inf template in the %SystemRoot%\Inf folder. Use the following steps:
  1. At a command prompt, type cd /d %systemroot%\inf, and then press ENTER.
  2. Type secedit /configure /cfg defltsv.inf /db defltsv.sb /log defltsv.log /verbose, and then press ENTER.
Microsoft recommends that you test security templates that modify file system and registry permissions before implementation on production servers.

NOTE: To allow older programs to run correctly under Terminal Services in Windows 2000, additional permissions are granted to Terminal Services users. This is implemented with the TERMINAL SERVER USER group, which has access to certain files, directories and registry keys that normal users do not.

Users logging on to the server interactively will be made a member of the TERMINAL SERVER USER group if the Permission Compatibility setting in the Terminal Services Configuration snap-in is 'Permissions compatible with Terminal Server 4.0 users'.

The snap-in manipulates the registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\TSUserEnabled (REG_DWORD)
If TSUserEnabled=0x00000001, then all users logging on to a session on the server will be made a member of the TERMINAL SERVER USER group, with greater access to some files, directories and registry keys.

If TSUserEnabled=0x00000000, no one will be a member of the built-in group, although it will still be visible in the Object Picker.

If you still require the TERMINAL SERVER USER group for administration, you can remove the additional permissions by using the Notssid.inf security template in the %SystemRoot%\Security\Templates folder.
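
A pre-change check for the procedure above, as an added example that is not part of the original article: it reads TSUserEnabled and then runs secedit /analyze against Notssid.inf so the differences can be reviewed before secedit /configure applies them. It assumes reg.exe is on the PATH and prints each value as name, type, data; the notssid-check file names are hypothetical.

```bat
@echo off
rem Added example, not part of the original article.
rem Assumptions: reg.exe is on the PATH and prints "name type data" for a
rem value; notssid-check.sdb / notssid-check.log are hypothetical file names.
setlocal
set "KEY=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"

rem Step 1: read TSUserEnabled, the value the Terminal Services
rem Configuration snap-in sets for Permission Compatibility.
set "TSUSER="
for /f "tokens=1-3" %%a in ('reg query "%KEY%" /v TSUserEnabled 2^>nul ^| findstr /i TSUserEnabled') do set "TSUSER=%%c"

if not defined TSUSER (
    echo TSUserEnabled could not be read from %KEY%.
    goto analyze
)
if /i "%TSUSER%"=="0x1" (
    echo TSUserEnabled=1: session users are added to TERMINAL SERVER USER.
) else if /i "%TSUSER%"=="0x0" (
    echo TSUserEnabled=0: no one is a member of TERMINAL SERVER USER.
) else (
    echo TSUserEnabled has an unexpected value: %TSUSER%
)

:analyze
rem Step 2: compare the current settings with Notssid.inf without applying
rem it. /analyze only reports; a separate database keeps the result apart
rem from the notssid.sdb used by "secedit /configure".
cd /d "%systemroot%\security\templates" || goto :eof
secedit /analyze /db notssid-check.sdb /cfg notssid.inf /log notssid-check.log /verbose
echo Analysis finished. Review notssid-check.log before running secedit /configure.
endlocal
```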

Properties

Article ID: 238965 - Last Review: February 28, 2007 - Revision: 2.2
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server