Group Policies
Applying a GPO to a Terminal Services Server
Hello everyone, once again! After a long time without publishing anything, I'm finally getting around to writing something. The delay has been partly due to time (or the lack of it), partly (largely) due to laziness, but mostly because I like to write things that are useful and relevant for those who take the time to read this blog, and I prefer to wait until I have something worth writing about, so I hope I'm not mistaken with this post :D. Getting to the topic, I don't know whether this has happened to you: your company has a Terminal Services server that some domain users will access regularly to perform specific tasks or run some application. But since the users belong to the domain, they may have certain Group Policies (GPOs) applied that correspond to the OU or group they belong to, and we would like a more restrictive policy to be applied when they log on to the Terminal Services server than the one applied on their own computers. For example, say a domain user has a GPO applied that lets him access the drives on his computer and some Control Panel items, but this user needs to run some applications by connecting remotely to a Terminal Services server, and we do not want him to be able to access the drives on that server, open the Control Panel, and so on. For this we need a specific GPO to be applied, but only when the user logs on to that specific computer, in this case the Terminal Services server.
The first thing we need to do is create an OU and move the Terminal Services server(s) on which we will apply the policy into it; for example, we could call the OU "Terminal_Services_Server". The following figure shows the OU containing a computer named "TERMINAL_SRV_01".
Once we have created our OU, we open the "Group Policy Management" console. This console is used to manage the domain's Group Policies; it is included in Windows Server 2008 and can also be used on Windows Server 2003, but there it must be downloaded separately. If you don't have it, you can download it here. Once the Group Policy Management console is open, we go to the new OU we created (Terminal_Services_Server), right-click it, and select the option "Create a GPO in this domain, and Link it here..." as shown in the following figure:
Clicking this option prompts for a name for the new GPO; in this case I chose the name "Terminal_GPO". Once we have given it a name, the GPO link appears under the OU we created, as shown in the following figure. Here we now right-click the GPO and select "Edit...".
The Group Policy Editor window for the policy we just created opens. Here we go to the "Computer Configuration" section, then to "Policies" (on Windows Server 2003 this step is not necessary), then to "Administrative Templates", "System", and finally click "Group Policy". Here we look for the setting "User Group Policy loopback processing mode", as shown in the following figure:
With this we tell the computer where the policy applies, in our example the Terminal Services server, not to apply the domain Group Policy that corresponds to the user who logs on, but to replace it with the one defined in this same policy. Once we click OK, we can go to the "User Configuration" section of the Policy Editor and customize the environment of the users who connect to this Terminal Services server however we like, without worrying that this policy will also be applied to those users on their own computers.
Well, that's all for now. As always, I hope it has been useful.
http://www.eltipodeinformatica.com/2011/11/aplicar-una-gpo-para-un-terminal.html
Most corporations are at some point required to show a legal notice before logging on to a computer. This is normally configured by Group Policy.
The problem comes in if you want to remove the legal notice from a machine.
If the policy does not define a value, or defines a value of "", nothing is written to the registry. The following .reg entries clear the values:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"=""
"LegalNoticeText"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"legalnoticecaption"=""
"legalnoticetext"=""
Remember: to make this a permanent fix you need to ensure that there is no GPO re-enforcing the legal notice.
http://fixmyitsystem.com/2013/03/interactive-login-legal-notice-removal.html
310430 How to configure Windows Server 2003 to display a message when users log on
http://support.microsoft.com/default.aspx?scid=kb;EN-US;310430
It seems there is a security policy setting that helps us accomplish this task. So, we follow the article and, Figure 1 shows the results.
Now, notice our Legal Notice on a Windows Vista SP1 computer and on Windows Server 2003 computer
Where is the formatting? How quickly we go from pretty to… “not so pretty”. There’s no way we are going to let the legal department see
this. We have to fix it. But first, let’s briefly explain why this is happening.
This problem originates from Windows NT 4, when we added Legal Notice Text to the operating system. At that time, it was a single string and did not support carriage returns. We made several attempts to change this behavior shortly after Windows 2000. Interestingly enough, those changes resulted in using a comma (,) as a delimiter for the carriage return. Kinda cool huh?… Not! Eight years later, legal counsel craft very concise legal goo—which just might have a few commas included within the text. Then, administrators would have to enclose grammatical commas in quotation marks so Windows would not parse them as a carriage return. That didn't work well. In Windows Server 2003, we changed the editor to accept a carriage return, now allowing you to format your text within the policy, as we did in the example. Well, that only solves the comma problem, because there was no change in how Windows parses the strings. Windows now inserts the commas and quotes for you when it writes the policy setting. And, as you can see in our example, we started with two paragraphs or more and ended with a single blob of text in the window. Lastly, this behavior has not changed with Windows Server 2008 or Windows Vista Service Pack 1.
So—how do I format this text?
You need to use a script to have your legal notice text appear properly formatted. Figure 4 shows a script you can use in a computer startup
script (not a user logon script). The script writes the legal notice text to the policy registry key—just as if it were applied using the security
policy settings. But, the script allows you to keep your formatting.
Here is the code for the script. Copy and paste this code into a text file. Be sure to save the text file with a .vbs extension or it will not run
correctly. Each command should appear on its own line (no text wrapping) as some of the text in the example is wrapped for readability.
'==========================================================================
'
' VBScript Source File —
'
' NAME: legal.vbs
'
' AUTHOR: Mike Stephens , Microsoft Corporation
'
' DATE: 11/26/2007
'
' COMMENT: sample computer startup script to deploy legalcaption and legaltext
'
' ==========================================================================
Const POLICY_KEY = "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\"
Const LEGAL_CAPTION_VALUENAME = "legalnoticecaption"
Const LEGAL_TEXT_VALUENAME = "legalnoticetext"
strLegalText = ""
strLegalText = strLegalText & "The easiest way is to insert the entire paragraph on one line, between the quotation marks." & vbcrlf & vbcrlf
' Copy the line above and repeat for each paragraph in the legal notice.
' Remember it is best to limit your notice to two paragraphs that contain no more than 4
' sentences.
' Dialog title: the post does not show the caption value, so this is a placeholder.
strLegalCaption = "Legal Notice"
' Write both values as REG_SZ under the policy key (the post's lines 8-9).
Set objShell = CreateObject("WScript.Shell")
objShell.RegWrite POLICY_KEY & LEGAL_CAPTION_VALUENAME, strLegalCaption, "REG_SZ"
objShell.RegWrite POLICY_KEY & LEGAL_TEXT_VALUENAME, strLegalText, "REG_SZ"
You’ll want to modify the sample code from Figure 4 to include your legal notice. Let me explain the script and which part requires your
modifications.
Lines 3-5:
Const POLICY_KEY = "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\"
Const LEGAL_CAPTION_VALUENAME = "legalnoticecaption"
Const LEGAL_TEXT_VALUENAME = "legalnoticetext"
These lines create what is called a constant. Constants mean just that- they remain constant—their values cannot change; unlike the values of
a variable, which can change. Line 3 is representative of the registry key location to which the script writes. Line 4 holds the registry value
name for the legal caption (title of the dialog box) while line 5 holds the value of the legal text (message in the dialog box). Constants work
similarly to search and replace features found in text editors and word processors. When Windows runs the script, it looks at the constants
declared in the script and then searches the remainder of the script for those words which are designated as constants. It then replaces the
word with the assigned value. Then, Windows continues running the script.
Line 6: strLegalText = ""
Line 6 creates a variable named strLegalText and assigns an empty string to the variable. This is equivalent to a blank line (without a carriage return).
Line 7:
strLegalText = strLegalText & "The easiest way is to insert the entire paragraph on one line, between the quotation marks." & vbcrlf & vbcrlf
This line is the important line. This line defines the text of your legal notice (the text appearing in the dialog box). The registry value name LegalNoticeText is a single string value. Therefore, the script must concatenate your entire legal text notice into one line of text, including carriage returns. The first part of line 7 shows strLegalText = strLegalText &. This command phrase handles concatenating your paragraphs into a single line of text, so we can write it into the single string registry value. The next phrase in the script is between the quotation marks. This represents the first paragraph of your legal notice. You'll want to paste the entire paragraph between the quotation marks. The best way to do this is to paste your paragraph into Notepad, ensuring that word wrap is off (click Format from the menu to ensure there is not a check next to Word Wrap). Position the cursor at the end of the first line. Use the Delete key to move the text on the next line up to the current line. Be sure to keep your spaces. Follow this process until the entire paragraph is on one line (you'll more than likely have to scroll to the right). Make sure you have an opening and a closing quotation mark. It is likely your script will fail if the command is not on a single line.
Important
The quotation mark (") represents the beginning and end of a string in VBScript. Any alphanumeric characters between the quotation marks, including spaces, are included in the string—just like if you were typing a long file name as an argument for a command line application. Be certain your legal text does not include any quotation marks. If possible, use single quotation marks (') instead.
Copy and paste your original line 7 and repeat the above for each paragraph you want included in your legal text. Things to look for are:
Inserting quotation marks between the beginning and ending quotation marks.
My legal text notice in this example is three paragraphs with the last paragraph being a single sentence. Therefore, lines 7-9 will look similar for my example script (these are three separate commands on three separate lines).
strLegalText = strLegalText & " Alle Menschen sind frei und gleich an Würde und Rechten geboren. Sie sind mit Vernunft und Gewissen begabt und sollen einander im Geist der Brüderlichkeit begegnen." & vbcrlf & vbcrlf
strLegalText = strLegalText & " Alle Menschen sind frei und gleich an Würde und Rechten geboren. Sie sind mit Vernunft und Gewissen begabt und sollen einander im Geist der Brüderlichkeit begegnen." & vbcrlf & vbcrlf
strLegalText = strLegalText & " Alle Menschen sind frei und gleich an Würde und Rechten geboren." & vbcrlf & vbcrlf
Lines 8-9 (the shell object variable name objShell is an assumption; the post does not show these two lines verbatim):
objShell.RegWrite POLICY_KEY & LEGAL_CAPTION_VALUENAME, strLegalCaption, "REG_SZ"
objShell.RegWrite POLICY_KEY & LEGAL_TEXT_VALUENAME, strLegalText, "REG_SZ"
These two lines do all the work. Both lines use the Windows Scripting Host shell object to write to the registry of the local computer. This is accomplished using the RegWrite method. The first parameter to the RegWrite method is the full registry path (hive, key and value name). The second parameter is the value the script writes into the value name. The last parameter is the data type of the value name—in this case both values are strings, which are REG_SZ data types.
Line 8 uses the POLICY_KEY constant and the LEGAL_CAPTION_VALUENAME constant to build the path to which the script writes. strLegalCaption is the variable we used to hold the value of the legal caption. Line 9 uses the POLICY_KEY constant and the LEGAL_TEXT_VALUENAME constant to build the path to which the script writes. strLegalText is the variable we used to hold the value of the legal text.
Below is the example script created for contoso.com’s legal text notice, which is based on the sample script from Figure 4.
'==========================================================================
'
' VBScript Source File —
'
' NAME: legal.vbs
'
' AUTHOR: Mike Stephens , Microsoft Corporation
'
' DATE: 11/26/2007
'
' COMMENT: sample computer startup script to deploy legalcaption and legaltext
'
' ==========================================================================
Const POLICY_KEY = "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\"
Const LEGAL_CAPTION_VALUENAME = "legalnoticecaption"
Const LEGAL_TEXT_VALUENAME = "legalnoticetext"
strLegalText = ""
strLegalText = strLegalText & " Alle Menschen sind frei und gleich an Würde und Rechten geboren. Sie sind mit Vernunft und Gewissen begabt und sollen einander im Geist der Brüderlichkeit begegnen." & vbcrlf & vbcrlf
strLegalText = strLegalText & " Alle Menschen sind frei und gleich an Würde und Rechten geboren. Sie sind mit Vernunft und Gewissen begabt und sollen einander im Geist der Brüderlichkeit begegnen." & vbcrlf & vbcrlf
strLegalText = strLegalText & " Alle Menschen sind frei und gleich an Würde und Rechten geboren." & vbcrlf & vbcrlf
' Copy the line above and repeat for each paragraph in the legal notice.
' Remember it is best to limit your notice to two paragraphs that contain no more than 4
' sentences.
' Dialog title: the post does not show contoso.com's caption value, so this is a placeholder.
strLegalCaption = "Legal Notice"
' Write both values as REG_SZ under the policy key (the post's lines 8-9).
Set objShell = CreateObject("WScript.Shell")
objShell.RegWrite POLICY_KEY & LEGAL_CAPTION_VALUENAME, strLegalCaption, "REG_SZ"
objShell.RegWrite POLICY_KEY & LEGAL_TEXT_VALUENAME, strLegalText, "REG_SZ"
If you can, disable your existing Group Policy object that contains your legal text notice security policy settings. Now, create a new Group Policy object and assign it at the level appropriate for your environment. Configure this GPO with a computer startup script and include your script. Refresh Group Policy and then log off your workstation. Press CTRL+ALT+DEL.
https://blogs.technet.microsoft.com/askds/2008/02/08/deploying-legal-notices-to-domain-computers-using-group-policy/
How To Configure Legal Notices On Domain Computers Using Group Policy
Posted by Prajwal Desai
How To Configure Legal Notices On Domain Computers Using Group Policy – A few years ago, when I was working on Windows Server 2008 R2, I was told by my manager to configure a logon banner. What came to my mind was to write a script for it and run the script at logon. There are 2 ways to configure legal notices on domain computers: you can configure it by writing a script and executing it at logon, or by configuring the legal notice using a group policy. I believe the second method is very easy. You can configure Windows Server to display a message to users when they log on. You can use the message display functionality to personalize the logon process, provide news or information, and for other similar purposes. The message appears after the user presses CTRL+ALT+DEL and disappears after the user clicks OK.
In this post we will see how to configure legal notices on domain computers using group policy. We will create a group policy, modify the policy settings and link it to the domain. I am configuring this policy on a domain controller running Windows Server 2008 R2 SP1 edition.
Log in to the domain controller machine with the administrator account. Click on Start, click on Administrative Tools, click on Group Policy Management. Under Domains, right-click your domain and click on Create a GPO in this domain, and link it here.
http://prajwaldesai.com/how-to-configure-legal-notices-on-domain-computers-using-group-policy/
How To Restrict Access To Drives In My Computer In Windows
If you have a shared or public computer that several people use, you might want to restrict access to its drives to prevent users from deleting important data. Today we look at restricting access to some or all drives on the machine using Local Group Policy.
Note: This method uses Local Group Policy Editor which is not available on home
versions of Windows 7 or Vista
First type gpedit.msc in the search box of the Start Menu and hit Enter.
Note: This setting won’t prevent users from using programs that access the local
drives.
The restrictions take effect immediately, no restart is required. When a user opens
up My Computer they’ll be able to see which drives are listed, but when they try to
access a restricted drive, they’ll get the following error message.
For the screenshots in this tutorial we used Windows 7 Ultimate, but this process
also works with XP Professional and Vista (not in Home versions) the screens just
look different.
Local Group Policy allows you to customize several settings for how you want to
administer your machine. Restricting access to certain drives in addition to other
security and access measures, can help keep a shared computer stable and
secure.
http://www.howtogeek.com/howto/8035/how-to-restrict-access-to-drive-in-my-computer-on-windows/
Currently, when a user creates an RDP session or runs a RemoteApp program, they can see, and in some cases traverse, drives C and D of the RD Session Host server. They can also save anything on the desktop, which might look like their personal desktop, but is actually the desktop of the RD Session Host server.
Restrictions will disable Libraries and Favorites and will hide or restrict users or a group of users from accessing and viewing any drives on the RD Session Host server. Users will be presented with an error message even if they use the UNC path to access the drives.
The primary reason to remove Favorites and Libraries and access to drives is that they contain the most commonly accessed locations on a system; in the case of the RD Session Host server, this includes the desktop, downloads, recent places, etc. It is recommended that a user not save any documents to these locations.
[HKEY_CLASSES_ROOT\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder]
"Attributes"=dword:a0900100
Changing a0900100 to a9400100 will hide Favorites from the navigation pane.
The following settings are located in the Group Policy Management Console under User Configuration\Policies\Administrative Templates\Windows Components\Windows Explorer:
Hide these specified drives in My Computer. You can remove the icons for specified drives from a user's My Computer folder by enabling this setting and using the drop-down list to select the drives you would like to hide. However, this setting does not restrict access to these drives.
Prevent access to drives from My Computer. Enable this setting to prevent users from accessing the chosen combination of drives. Use this setting to lock down the RD Session Host server for users accessing it for their primary desktop.
Hides the Manage item on the Windows Explorer context menu — Enabled
Applies to: Windows 7, Windows Vista, Windows XP
https://blogs.msdn.microsoft.com/rds/2011/05/26/how-to-restrict-users-from-accessing-local-drives-of-an-rd-session-host-server-while-using-remoteapp-programs/
Using Group Policy Objects to hide specified drives
SUMMARY
With Group Policy Objects in Windows, there is a "Hide these specified drives in My
Computer" option that lets you hide specific drives. However, it may be necessary to
hide only certain drive, but retain access to others.
There are seven default options for restricting access to drives. You can add other restrictions by modifying the System.adm file for the default domain policy or any custom Group Policy Object (GPO). The seven default selections are:
Restrict A and B drives only
Restrict C drive only
Restrict D drive only
Restrict A, B and C drives only
Restrict A, B, C and D drives only
Restrict all drives
Do not restrict drives
Microsoft does not recommend changing the System.adm file, but instead recommends creating a new .adm file and importing this .adm into the GPO. The reason is that if you apply changes to the System.adm file, these changes might get overwritten if Microsoft releases a new version of the System.adm file in a Service Pack.
MORE INFORMATION
The default location of the System.adm file for a default domain policy is:
%SystemRoot%\Sysvol\Sysvol\YourDomainName\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Adm\System.adm
The contents of these folders are replicated throughout a domain by the File
Replication service (FRS). Note that the Adm folder and its contents are not populated
until the default domain policy is loaded for the first time.
To make changes to this policy for one of the seven default values:
1. Start the Microsoft Management Console. On the Console menu, click Add/Remove
Snap-in.
2. Add the Group Policy snap-in for the default domain policy. To do this, click Browse
when you are prompted to select a Group Policy Object (GPO). The default GPO is Local
Computer. You can also add GPOs for other domain partitions (specifically,
Organizational Units).
3. Open the following sections: User Configuration, Administrative Templates, Windows
Components, and Windows Explorer.
4. Click Hide these specified drives in My Computer.
5. Click to select the Hide these specified drives in My Computer check box.
These settings remove the icons representing the selected hard disks from My
Computer, Windows Explorer, and My Network Places. Also, these drives do not appear
in the Open dialog box of any programs.
This policy is designed to protect certain drives, including the floppy disk drive, from
misuse. It can also be used to direct users to save their work to certain drives.
To use this policy, select a drive or combination of drives in the drop-down box. To
display all drives (hide none), disable this policy or click the Do not restrict drives
option.
This policy does not prevent users from using other programs to gain access to local
and network drives or prevent them from viewing and changing drive characteristics by
using the Disk Management snap-in.
The default values are not the only values that you can use. By editing the System.adm
file, you can add your own custom values. This is the portion of the System.adm to be
modified:
POLICY !!NoDrives
    EXPLAIN !!NoDrives_Help
    PART !!NoDrivesDropdown DROPDOWNLIST NOSORT REQUIRED
        VALUENAME "NoDrives"
        ITEMLIST
            NAME !!ABOnly VALUE NUMERIC 3
            NAME !!COnly VALUE NUMERIC 4
            NAME !!DOnly VALUE NUMERIC 8
            NAME !!ABConly VALUE NUMERIC 7
            NAME !!ABCDOnly VALUE NUMERIC 15
            NAME !!ALLDrives VALUE NUMERIC 67108863
            ;low 26 bits on (1 bit per drive)
            NAME !!RestNoDrives VALUE NUMERIC 0 (Default)
        END ITEMLIST
    END PART
END POLICY
[strings]
ABCDOnly="Restrict A, B, C and D drives only"
ABConly="Restrict A, B and C drives only"
ABOnly="Restrict A and B drives only"
ALLDrives="Restrict all drives"
COnly="Restrict C drive only"
DOnly="Restrict D drive only"
RestNoDrives="Do not restrict drives"
The [strings] section represents substitutions of the actual values in the drop-down box.
This policy displays only specified drives on the client computer. The registry key that
this policy affects uses a decimal number that corresponds to a 26-bit binary string,
with each bit representing a drive letter:
11111111111111111111111111
ZYXWVUTSRQPONMLKJIHGFEDCBA
This configuration corresponds to 67108863 in decimal and hides all drives. If you want
to hide drive C, make the third-lowest bit a 1, and then convert the binary string to
decimal.
It is not necessary to create an option to show all drives, because clearing the check
box deletes the "NoDrives" entry entirely, and all drives are automatically shown.
If you want to configure this policy to show a different combination of drives, create the
appropriate binary string, convert to decimal, and add a new entry to the ITEMLIST
section with a corresponding [strings] entry. For example, to hide drives L, M, N, and O,
create the following string
00000000000111100000000000
ZYXWVUTSRQPONMLKJIHGFEDCBA
and convert to decimal. This binary string converts to 30720 in decimal. Add this line to the [strings] section in the System.adm file:
LMNO_Only="Restrict L, M, N and O drives only"
Add this entry in the ITEMLIST section above and save the System.adm file:
NAME !!LMNO_Only VALUE NUMERIC 30720
This creates an eighth entry in the drop-down box to hide drives L, M, N, and O only.
Use this method to include more values in the drop-down box. The modified section of
the System.adm file appears as follows:
POLICY !!NoDrives
    EXPLAIN !!NoDrives_Help
    PART !!NoDrivesDropdown DROPDOWNLIST NOSORT REQUIRED
        VALUENAME "NoDrives"
        ITEMLIST
            NAME !!ABOnly VALUE NUMERIC 3
            NAME !!COnly VALUE NUMERIC 4
            NAME !!DOnly VALUE NUMERIC 8
            NAME !!ABConly VALUE NUMERIC 7
            NAME !!ABCDOnly VALUE NUMERIC 15
            NAME !!ALLDrives VALUE NUMERIC 67108863
            ;low 26 bits on (1 bit per drive)
            NAME !!RestNoDrives VALUE NUMERIC 0 (Default)
            NAME !!LMNO_Only VALUE NUMERIC 30720
        END ITEMLIST
    END PART
END POLICY
[strings]
ABCDOnly="Restrict A, B, C and D drives only"
ABConly="Restrict A, B and C drives only"
ABOnly="Restrict A and B drives only"
ALLDrives="Restrict all drives"
COnly="Restrict C drive only"
DOnly="Restrict D drive only"
RestNoDrives="Do not restrict drives"
LMNO_Only="Restrict L, M, N and O drives only"
This [strings] section represents substitutions of the actual values in the drop-down
box.
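As an added example (not from the Knowledge Base article), the bit-per-drive encoding described above, worked in Python: it builds the NoDrives DWORD for any set of drive letters, decodes a value back to letters, renders the 26-bit string the article shows with Z on the left, and generates the matching ITEMLIST and [strings] lines for a custom option. It goes beyond the article's single L-M-N-O case by handling any combination of letters; function names such as nodrives_value are my own, and the same bit layout is also what the "Prevent access to drives from My Computer" setting (registry value NoViewOnDrive) uses.

```python
# Added example: the NoDrives drive-letter bitmask from the KB article.
# Bit 0 is drive A, bit 1 is drive B, ... bit 25 is drive Z (26 bits in all).
DRIVE_LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ALL_DRIVES = (1 << 26) - 1  # 67108863, the "Restrict all drives" option


def nodrives_value(letters):
    """Return the NoDrives DWORD that hides every drive letter in `letters`."""
    value = 0
    for letter in letters.upper():
        if letter not in DRIVE_LETTERS:
            raise ValueError(f"not a drive letter: {letter!r}")
        value |= 1 << (ord(letter) - ord("A"))
    return value


def hidden_drives(value):
    """Decode a NoDrives DWORD back to the drive letters it hides, A first."""
    if not 0 <= value <= ALL_DRIVES:
        raise ValueError("NoDrives uses only the low 26 bits")
    return "".join(l for i, l in enumerate(DRIVE_LETTERS) if (value >> i) & 1)


def binary_string(value):
    """Render the value as the article's 26-character string (Z leftmost, A rightmost)."""
    return format(value, "026b")


def adm_entries(name, letters, label):
    """Produce the ITEMLIST line and the [strings] line for a custom System.adm option.

    `name` is the !!token used in both sections (e.g. LMNO_Only); `label` is the
    text shown in the drop-down box.
    """
    value = nodrives_value(letters)
    return (f"NAME !!{name} VALUE NUMERIC {value}", f'{name}="{label}"')


if __name__ == "__main__":
    # Reproduce the article's worked example: hide drives L, M, N and O.
    print(binary_string(nodrives_value("LMNO")))  # 00000000000111100000000000
    print(nodrives_value("LMNO"))                  # 30720
    for line in adm_entries("LMNO_Only", "LMNO", "Restrict L, M, N and O drives only"):
        print(line)
    print(hidden_drives(ALL_DRIVES))               # ABCDEFGHIJKLMNOPQRSTUVWXYZ
```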
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
230263 HOW TO: Create custom MMC snap-in tools using Microsoft Management Console
https://support.microsoft.com/en-us/kb/231289