This article was previously published under Q278295
You can use Group Policies to lock down a Terminal Server session on a Microsoft Windows Server 2003-based or Microsoft Windows 2000-based computer. With the following settings, even the administrator account will have restricted access. It is highly recommended that you create a new organizational unit instead of modifying the policies on an existing one.
Note The use of these policies does not guarantee a secure computer, and you should use them only as a guideline.
Use Active Directory Users and Computers to create a new organizational unit (OU). Right-click the OU, click Properties, and then on the Group Policy tab, click New Policy. Edit this policy with the following settings:
Enable the following setting, and set it to Always:
Disable Windows Installer
Note The default setting for Disable Windows Installer prevents any non-managed applications from being installed by a non-administrator. Setting Disable Windows Installer to Always may prevent some of the newer updates from Windows Update from being applied. Therefore, we recommend that you only set Disable Windows Installer to Always if there is a specific need or an identified threat that you must address.
Remove Map Network Drive and Disconnect Network Drive Remove Search button from Windows Explorer Disable Windows Explorer's default context menu Hides the Manage item on the Windows Explorer context menu Hide these specified drives in My Computer (Enable this setting for A through D.) Prevent access to drives from My Computer (Enable this setting for A through D.) Hide Hardware Tab
[User Configuration\Administrative Templates\Start Menu & Taskbar]
Enable the following settings: Disable and remove links to Windows Update Remove common program groups from Start Menu Disable programs on Settings Menu Remove Network & Dial-up Connections from Start Menu Remove Search menu from Start Menu Remove Help menu from Start Menu Remove Run menu from Start Menu Add Logoff to Start Menu Disable changes to Taskbar and Start Menu Settings Disable and remove the Shut Down command or Remove and prevent access to the Shut Down command
Note In Windows 2000, this setting is named Disable and remove the Shut Down command. In Windows Server 2003, this setting is named Remove and prevent access to the Shut Down command.
Dsacls.exe is a command-line tool that you can use to query the security attributes and to change permissions and security attributes of Active Directory objects. It is the command-line equivalent of the Security tab in the Windows Active Directory snap-in tools such as Active Directory Users and Computers and Active Directory Sites and Services. You can use Dsacls.exe to lock out Terminal Services end-users from files and folders on a Windows Server 2003-based computer or a Microsoft Windows 2000-based computer.
For more information about how to use the Dsacls.exe tool (Dsacls.exe) to manage access control lists (ACLs) for directory services in Windows Server 2003 and Microsoft Windows 2000 Server, click the following article number to view the article in the Microsoft Knowledge Base:
281146 How to use Dsacls.exe in Windows Server 2003 and Windows 2000