#1
-Android Fanatic-
Having Trouble with Login Scripts in Windows 2000 Server.
We recently got a new server which is going to be strictly used for our Warehouses to connect through Terminal Services. Now we want to lock the individuals out of certain areas on this machine without the locks affecting the Administrator account.
Using the GPEDIT.msc and the built-in Terminal Services script pathing, we are unable to execute the VBS script under non-administrator accounts. It would create the keys we need under HKCU/Software/Microsoft/Windows/CurrentVersion/Policies (sp?). Under the accounts there is no /System after Policies, and the scripting we are using is made to create the key so as to enforce our restrictions. But when logging in, we receive an error about permissions. Other than increasing the accounts' privilege status (don't want to make them anywhere near admins, and tried Power Users etc.), is there a way to make this work? We can edit other parts of the registry except what's under Policies. I'm lost on this.
__________________
SaberZ- -Vostro 1500 w/Windows 7 x64 -Intel Core 2 Duo 2.4ghz (Penryn) -320GB WD Scorpio 7200 RPM HDD -4GB Patriot DDR2 800 (2x2GB) -Nvidia 8600M GT 256
#2
Caffeine Machine
Join Date: Oct 2004
Location: Hell is empty. All the devils are here.
Posts: 670
Rep Power: 0
I don't have a win2k server box in front of me at the moment, but I'll take a shot at it.
You could add a runas line to the login script. runas an administrator account just for that command. However, you would have to make sure that the users could not see the script with the logon information. There might be a policy to hide the login script, but you'll have to search for it. http://www.jsiinc.com/SUBF/Tip2500/rh2548.htm
-Android Fanatic-
At home right now, will definitely give it a try later tonight or over this weekend by connecting to the server to give it a shot. Has been driving me and my buddy insane.
-Android Fanatic-
OK, I tried using runas, and basically we log in with administrative credentials on the user's system, but the changes only apply to the administrator login. This is getting ridiculously overcomplicated; there has to be a way to do the following:
* It's 1 machine, with 3 users remote connecting through Terminal Services. We want to lock out the 3 users from certain areas/applications on the machine without it affecting the administrator account.
- So far login scripts affect all accounts, including administrator.
- So far runas does the same as above, makes changes under the runas user. Useless to run it as one of the above 3 users since they do not have privileges to edit the portion of the registry we need.
Any other suggestions? Anyone?
#5
Caffeine Machine
From what you wrote in the first post, it seemed like you needed to get admin rights to install something. Now you are saying that you want to create restrictions on non-admin accounts through a script? runas would get you around needing temporary admin rights to install .reg files, but that doesn't seem to be what you want.
Did you create a separate OU just for those users and apply a login script just to that OU? Sounds like you are using a domain OU policy, which would affect all users including admins.
#6
Member
Join Date: Mar 2003
Posts: 5,989
Rep Power: 71
I don't mean to be rude. If you are out of ideas or out of time, try going to one of the Google groups below. You'll have to sign up for a Google account if you don't have one. Post your question there; you can also include in your message a request for any suggestions as to where you should post your question or any groups to look into.
microsoft.public.win2000.networking http://groups.google.com/groups?hl=e...000.networking
comp.admin.policy http://groups.google.com/groups?hl=e...p.admin.policy
-Android Fanatic-
Not giving up, nor am I out of time. I thought it was clear in the first post, guess it wasn't.
But yes, it's correct, I want to create restrictions on non-admin accounts through a script. BTW, what's an OU? If you mean Groups, we have them in their own separate group. Will keep on trying, and no, you're not being rude, Ctrl-Alt; appreciate your referral, since I need to get all the information I can.
#8
Caffeine Machine
OU is an organizational unit. It is different from a group. Groups can be part of an OU. Create a separate OU for your remote users group and apply a login script via group policy.
Go here to learn about Active Directory OUs: http://labmice.techtarget.com/
-Android Fanatic-
Hey thanks a lot guys, finally got it!