JSI Tip 3507. What Group Policies do I implement to lock down a Windows 2000 Terminal Services session?

To lock down a Terminal Services session on a Windows 2000 client, you SHOULD create a new OU (Organizational Unit):

1. Use the Active Directory Users and Computers snap-in. On the Action menu, press New and Organizational Unit. Type a Name and press OK.

2. Right-click the new OU and press Properties.

3. Select the Group Policy tab and press New. Type a name for the new policy and press ENTER.

4. Edit the new policy and Enable:

  • (Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options)
      ◦ Do not display last user name in logon screen
      ◦ Restrict CD-ROM access to locally logged-on user only
      ◦ Restrict floppy access to locally logged-on user only
  • (Computer Configuration\Administrative Templates\Windows Components\Windows Installer)
      ◦ Disable Windows Installer (Set it to Always)
  • (User Configuration\Windows Settings\Folder Redirection)
      ◦ Application Data
      ◦ My Documents
      ◦ Start Menu
  • (User Configuration\Administrative Templates\Windows Components\Windows Explorer)
      ◦ Remove Map Network Drive and Disconnect Network Drive
      ◦ Remove Search button from Windows Explorer
      ◦ Disable Windows Explorer's default context menu
      ◦ Hides the Manage item on the Windows Explorer context menu
      ◦ Hide these specified drives in My Computer (Enable this setting for A through D.)
      ◦ Prevent access to drives from My Computer (Enable this setting for A through D.)
      ◦ Hide Hardware Tab
  • (User Configuration\Administrative Templates\Windows Components\Task Scheduler)
      ◦ Prevent Task Run or End
      ◦ Disable New Task Creation
  • (User Configuration\Administrative Templates\Start Menu & Taskbar)
      ◦ Disable and remove links to Windows Update
      ◦ Remove common program groups from Start Menu
      ◦ Disable programs on Settings Menu
      ◦ Remove Network & Dial-up Connections from Start Menu
      ◦ Remove Search menu from Start Menu
      ◦ Remove Help menu from Start Menu
      ◦ Remove Run menu from Start Menu
      ◦ Add Logoff to Start Menu
      ◦ Disable and remove the Shut Down command
      ◦ Disable changes to Taskbar and Start Menu Settings
  • (User Configuration\Administrative Templates\Desktop)
      ◦ Hide My Network Places icon on desktop
      ◦ Prohibit user from changing My Documents path
  • (User Configuration\Administrative Templates\Control Panel)
      ◦ Disable Control Panel
  • (User Configuration\Administrative Templates\System)
      ◦ Disable the command prompt (Set Disable scripts to No)
      ◦ Disable registry editing tools
  • (User Configuration\Administrative Templates\System\Logon/Logoff)
      ◦ Disable Task Manager
      ◦ Disable Lock Computer
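
One way to confirm that the policy actually reached a session is to compare the registry values it writes against the list above. The following is an added example, not part of the original tip: the registry paths, value names and data are assumptions (the entries these policies are commonly documented to write, which the page does not list), and the snapshot is constructed sample data.

```python
# Added example: audit a registry snapshot against part of the tip's lockdown list.
# ASSUMPTION: the value names/data below are the registry entries these policies
# are commonly documented to write; the page itself lists only the policy names.
EXPLORER = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSTEM = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
HKLM_SYSTEM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System"

def drive_mask(letters):
    """Bitmask used by NoDrives/NoViewOnDrive: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:."""
    mask = 0
    for letter in letters:
        mask |= 1 << (ord(letter.upper()) - ord("A"))
    return mask

EXPECTED = {
    (HKLM_SYSTEM, "DontDisplayLastUserName"): 1,
    (r"HKLM\Software\Policies\Microsoft\Windows\Installer", "DisableMSI"): 2,  # 2 = Always
    (EXPLORER, "NoDrives"): drive_mask("ABCD"),       # hide A through D
    (EXPLORER, "NoViewOnDrive"): drive_mask("ABCD"),  # block access to A through D
    (EXPLORER, "NoRun"): 1,
    (EXPLORER, "NoClose"): 1,
    (EXPLORER, "NoControlPanel"): 1,
    # 2 = command prompt disabled, batch scripts still run ("Disable scripts" = No)
    (r"HKCU\Software\Policies\Microsoft\Windows\System", "DisableCMD"): 2,
    (SYSTEM, "DisableRegistryTools"): 1,
    (SYSTEM, "DisableTaskMgr"): 1,
    (SYSTEM, "DisableLockWorkstation"): 1,
}
MASK_VALUES = {"NoDrives", "NoViewOnDrive"}

def audit(snapshot):
    """Return (key, name, expected, actual) for each value that is missing or weaker."""
    findings = []
    for (key, name), want in EXPECTED.items():
        got = snapshot.get((key, name))
        if name in MASK_VALUES:
            # A mask that covers more drives than required still satisfies the policy.
            ok = got is not None and got & want == want
        else:
            ok = got == want
        if not ok:
            findings.append((key, name, want, got))
    return findings

# Constructed sample: only A and B hidden, Task Manager value absent, all drives blocked.
SAMPLE = dict(EXPECTED)
SAMPLE[(EXPLORER, "NoDrives")] = drive_mask("AB")
SAMPLE[(EXPLORER, "NoViewOnDrive")] = drive_mask("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
del SAMPLE[(SYSTEM, "DisableTaskMgr")]

if __name__ == "__main__":
    for key, name, want, got in audit(SAMPLE):
        print(f"FAIL {key}\\{name}: expected {want!r}, found {got!r}")
```

The snapshot is a plain dictionary keyed by (key path, value name), so it can be filled from a registry export taken inside the session being checked.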
