Removing Additional Permissions Granted to Terminal Services Users
This article was previously published under Q238965
This article has been archived. It is offered "as is" and will no longer be updated.
To allow older programs to run correctly under Terminal Services in Windows 2000, additional permissions are granted to Terminal Services users. This article describes how to remove these additional permissions.
You can remove the additional permissions by using the Notssid.inf security template in the %SystemRoot%\Security\Templates folder. After you apply the Notssid.inf security template, the system has the same default permissions as a standard Windows 2000-based server, but with Terminal Services enabled. To apply this security template:
- At a command prompt, type cd /d %systemroot%\security\templates folder, and then press ENTER.
- Type secedit /configure /db notssid.sdb /cfg notssid.inf [/log notssid.log]/verbose, and then press ENTER
- At a command prompt, type cd /d %systemroot%\inf, and then press ENTER.
- Type secedit /configure /cfg defltsv.inf /db defltsv.sb /log defltsv.log /verbose, and then press ENTER.
Users logging on to the server interactively will be made a member the TERMINAL SERVER USER group if the Permission Compatibility setting in the Terminal Services Configuration snap-in is 'Permissions compatible with Terminal Server 4.0 users'.
The snap-in manipulates the registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\TSUserEnabled (REG_DWORD)If TSUserEnabled=0x00000001, then all users logging on to a session on the server will be made a member of the TERMINAL SERVER USER group, with greater access to some files, directories and registry keys.
If TSUserEnabled=0x00000000, no-one will be a member of the built-in group, although it will still be visible in the Object Picker.
If you still require the TERMINAL SERVER USER group for administration, you can remove the additional permissions by using the Notssid.inf securitytemplate in the %SystemRoot%\Security\Templates folder.
Article ID: 238965 - Last Review: 12/05/2015 15:28:50 - Revision: 2.2
Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Datacenter Server
- kbnosurvey kbarchive kbenv kbinfo kbtermserv KB238965