To disable services through the Default Domain Policy Group Policy Object (GPO), open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, then open the domain root object's Properties dialog box. Go to the Group Policy tab, select Default Domain Policy, then click Edit to open the MMC Group Policy console, from which you can edit the GPO. Select the Computer Configuration\Windows Settings\Security Settings\System Services folder in the left-hand pane. The right-hand (aka details) pane lists the services currently installed on the local computer. Double-click the first service that you want to disable. This action opens the Security Policy Setting dialog box for the setting, such as the Telnet service dialog box that Figure A shows. Select the Define this policy setting check box to open the service's ACL, which determines who can start and stop the service.
The Telnet service's default ACL is too open, granting Full Control to the Everyone group. This setting would let anyone start the service manually. Click Advanced to open the service's Access Control Settings dialog box. On the Permissions tab, add and remove groups and appropriately limit permissions for each group (e.g., grant the Administrators group Full Control, grant the Authenticated Users group Read access). Click OK on both ACL dialog boxes to close them and return to the Security Policy Setting dialog box. Select the Disabled option and click OK. In the Group Policy console, the Telnet service now shows a setting of Disabled in the Startup column and Configured in the Permission column. Repeat this process for the other services you want to disable by default.
