Microsoft KB Archive/238965

= Removing Additional Permissions Granted to Terminal Services Users =

Article ID: 238965

Article Last Modified on 2/28/2007


APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server




This article was previously published under Q238965



SUMMARY
To allow older programs to run correctly under Terminal Services in Windows 2000, additional permissions are granted to Terminal Services users. This article describes how to remove these additional permissions.



MORE INFORMATION
You can remove the additional permissions by using the Notssid.inf security template in the %SystemRoot%\Security\Templates folder. After you apply the Notssid.inf security template, the system has the same default permissions as a standard Windows 2000-based server, but with Terminal Services enabled. To apply this security template:
 * 1) At a command prompt, type cd /d %systemroot%\security\templates, and then press ENTER.
 * 2) Type secedit /configure /db notssid.sdb /cfg notssid.inf [/log notssid.log] /verbose, and then press ENTER.

You can restore the default permissions for Terminal Service users (including the default permissions and policies for all users) by using the Defltsv.inf template in the %SystemRoot%\Inf folder. Use the following steps:
 * 1) At a command prompt, type cd /d %systemroot%\inf, and then press ENTER.
 * 2) Type secedit /configure /cfg defltsv.inf /db defltsv.sb /log defltsv.log /verbose, and then press ENTER.

Microsoft recommends that you test security templates that modify file system and registry permissions before implementation on production servers.

NOTE: To allow older programs to run correctly under Terminal Services in Windows 2000, additional permissions are granted to Terminal Services users. This is implemented with the TERMINAL SERVER USER group, which has access to certain files, directories and registry keys that normal users do not.

Users logging on to the server interactively will be made a member of the TERMINAL SERVER USER group if the Permission Compatibility setting in the Terminal Services Configuration snap-in is 'Permissions compatible with Terminal Server 4.0 users'.

The snap-in manipulates the registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\TSUserEnabled (REG_DWORD)

If TSUserEnabled=0x00000001, then all users logging on to a session on the server will be made a member of the TERMINAL SERVER USER group, with greater access to some files, directories and registry keys.

If TSUserEnabled=0x00000000, no-one will be a member of the built-in group, although it will still be visible in the Object Picker.
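One way to audit this setting across several servers, as an added example that is not part of the original article: the PowerShell function below reads TSUserEnabled read-only through the .NET remote registry API and reports which of the two states described above applies. It assumes a management workstation with PowerShell 3.0 or later and the Remote Registry service reachable on each target; the function name and server names are hypothetical placeholders.

```powershell
# Added example (not from the KB article): read-only audit of TSUserEnabled.
# Assumes the Remote Registry service is reachable on every target server.
function Get-TSUserEnabledState {   # hypothetical function name
    param([Parameter(Mandatory = $true)][string[]]$ComputerName)
    $hive   = [Microsoft.Win32.RegistryHive]::LocalMachine
    $subKey = 'SYSTEM\CurrentControlSet\Control\Terminal Server'
    foreach ($computer in $ComputerName) {
        $value = $base = $key = $null
        try {
            $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $computer)
            $key  = $base.OpenSubKey($subKey)   # opens the key read-only
            if ($null -eq $key) {
                $state = 'Terminal Server key not found'
            } else {
                $value = $key.GetValue('TSUserEnabled', $null)
                if ($null -eq $value) {
                    $state = 'TSUserEnabled value not present'
                } elseif ($value -eq 1) {
                    $state = 'Session users are added to TERMINAL SERVER USER'
                } elseif ($value -eq 0) {
                    $state = 'No one is added to TERMINAL SERVER USER'
                } else {
                    $state = 'Unexpected value, review manually'
                }
            }
        } catch {
            # Unreachable host, access denied, or Remote Registry not running
            $state = "Query failed: $($_.Exception.Message)"
        } finally {
            if ($null -ne $key)  { $key.Close() }
            if ($null -ne $base) { $base.Close() }
        }
        # One result object per server, suitable for Export-Csv or Where-Object
        [pscustomobject]@{
            ComputerName  = $computer
            TSUserEnabled = $value
            State         = $state
        }
    }
}

# Placeholder server names; replace with your own Terminal Services hosts.
Get-TSUserEnabledState -ComputerName 'TS-SERVER-01', 'TS-SERVER-02'
```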

If you still require the TERMINAL SERVER USER group for administration, you can remove the additional permissions by using the Notssid.inf security template in the %SystemRoot%\Security\Templates folder.

Keywords: kbenv kbinfo kbtermserv KB238965


© Microsoft Corporation. All rights reserved.