Setting up default Desktop for clients

Andy Roman

Hello,

I was just wondering if someone could
suggest a way of setting up a default desktop for TS clients.
Basically I need the desktop only, with no access to
control panel or the drives... Thanks

Andy
P.S. It's tough 'cause I can't seem to get our office apps
to work without them having admin rights to the c: drive..
yikes!!! ;o)
 
You can secure your users' desktop and remove Control Panel,
Shutdown option and more by using Group Policies.
You can also use Group Policies to hide the drives on the Terminal
Server, but this has a cosmetic effect only. This means that users
will still be able to access the drives in a number of ways (from
a command prompt, from the Save as dialogue in a number of
applications). You will have to use NTFS permissions on the server
drives to secure your file system. Giving users Administrator
privileges should never be necessary.
Please repost with the exact problem and error messages that users
get when they try to run Office without Administrator privileges,
and I'm sure that we can find a better solution.

278295 - How to Lock Down a Windows 2000 Terminal Services Session
http://support.microsoft.com/?kbid=278295

260370 - How to Apply Group Policy Objects to Terminal Services Servers
http://support.microsoft.com/?kbid=260370

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

Securing Windows 2000 Terminal Services
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/win2kts/maintain/optimize/secw2kts.asp
 
1. Customize Default User Settings. Log on as a non-administrative user, customize the way you want the desktop to look, i.e. desktop icons, IE Favorites, Desktop Color, Personalized menus... Log off, then log on as an administrative user, go to the User Profiles section of the System Control Panel and copy the source profile to c:\documents and settings\Default User, so any new user logging on will inherit the settings you defined. This is always a good place to start, but doesn't stop anyone from changing your default settings.

2. Lock down desktop with Group Policy

https://s.microsoft.com/technet/tre...ndowsserver2003/maintain/security/TrmLckD.asp

3. Figure out what exact file system, registry permissions or system rights your programs need to function properly. Microsoft Office for example doesn't need to write to the C Drive or the Program Files directories, so you can lock down these directories, so non-admin users only get Read/Execute to these directories (leave system & administrators with full permissions). There are good tools from Wininternals.com called regmon & filemon to determine exactly which files or registry keys a poorly designed application is trying to write to.

4. You may also have users launch just the application they need on your TS by customizing an RDP file with Remote Desktop, or by changing the startup application in their user account, if they only use one.

Patrick Rouse
Microsoft MVP - Terminal Server
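
An added example, not written by either poster in this thread: a PowerShell audit of the NTFS permissions both replies rely on, listing directories where a non-administrative principal holds write-type rights. It assumes a server with PowerShell 3.0 or later and English principal names; the path list, the trusted-principal baseline and the function name `Get-NonAdminWriteAce` are illustrative assumptions.

```powershell
# Added example: report Allow ACEs that give write-type rights to principals
# outside an expected baseline. Paths and baseline are assumptions; adjust them.
$Paths   = @("$env:SystemDrive\", $env:ProgramFiles, $env:SystemRoot)
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
             'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')

function Get-NonAdminWriteAce {
    param([string[]]$Path, [string[]]$TrustedPrincipal)

    # Specific rights that allow creating, changing or deleting content.
    $rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Get-Acl can also return raw generic rights: GENERIC_WRITE and GENERIC_ALL.
    $mask = [int]$rights -bor 0x40000000 -bor 0x10000000

    foreach ($root in $Path) {
        # Check the directory itself plus its immediate subdirectories.
        $dirs = @($root) + @(Get-ChildItem -LiteralPath $root -Directory -Force `
                    -ErrorAction SilentlyContinue | ForEach-Object FullName)
        foreach ($dir in $dirs) {
            $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
            if (-not $acl) { continue }          # unreadable ACL, skip
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                $who = $ace.IdentityReference.Value
                if ($TrustedPrincipal -contains $who) { continue }
                if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $dir
                    Principal = $who
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-NonAdminWriteAce -Path $Paths -TrustedPrincipal $Trusted |
    Sort-Object Path, Principal | Format-Table -AutoSize
```

Each row is a directory where the Read/Execute-only goal from step 3 is not yet met; per-user locations such as the profile and temp folders are expected to appear and need a judgment call rather than removal.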
 