A. To allow older programs to work with Terminal Services, additional privileges are granted; however, it's possible to remove these additional permissions.

Windows 2000 supplies two additional security templates, notssid.inf and defltsv.inf: the first removes the additional permissions and the second sets them back to the default.

To disable:

  1. Start the command prompt session (cmd.exe)
  2. Move to the %systemroot%\security\templates folder
    C:\> cd /d %systemroot%\security\templates
  3. Implement the notssid.inf information file
    C:\> secedit /configure /db notssid.sb /cfg notssid.inf /verbose

To set back to the default:

  1. Start the command prompt session (cmd.exe)
  2. Move to the %systemroot%\inf folder
    C:\> cd /d %systemroot%\inf
  3. Implement the defltsv.inf information file
    C:\> secedit /configure /cfg defltsv.inf /db defltsv.sb /log defltsv.log /verbose

You can also edit the registry directly to stop users from being made members of the dynamic group TERMINAL SERVER USER when they connect via Terminal Services, which stops them getting the extra permissions:

  1. Start the registry editor (Regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
  3. Double click TSUserEnabled
  4. Set to 1 so that all users logging on via Terminal Services are made members of the 'TERMINAL SERVER USER' group, or set to 0 so they are not
  5. Click OK
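
To confirm which setting is in effect across several servers, the value edited above can be read remotely. The following is an added example, not part of the original FAQ: it assumes PowerShell 3.0 or later on the admin workstation and the Remote Registry service reachable on each target, and the function name `Get-TSUserEnabledState` and the host names are hypothetical.

```powershell
# Added example: report the TSUserEnabled setting for a list of servers.
# Get-TSUserEnabledState is a hypothetical helper name, not a built-in cmdlet.
function Get-TSUserEnabledState {
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )
    # Key and value name are the ones given in the registry steps above.
    $subKey = 'SYSTEM\CurrentControlSet\Control\Terminal Server'

    foreach ($computer in $ComputerName) {
        $value = $null
        $state = 'Unknown'
        $hklm  = $null
        try {
            # Requires the Remote Registry service on the target (assumption).
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $key = $hklm.OpenSubKey($subKey)      # opened read-only
            if ($null -eq $key) {
                $state = 'KeyMissing'
            } else {
                $value = $key.GetValue('TSUserEnabled', $null)
                if     ($null -eq $value) { $state = 'NotSet' }      # value absent
                elseif ($value -eq 1)     { $state = 'Enabled' }     # users join TERMINAL SERVER USER
                elseif ($value -eq 0)     { $state = 'Disabled' }    # users do not join the group
                else                      { $state = 'Unexpected' }  # anything other than 0 or 1
                $key.Close()
            }
        } catch {
            # Unreachable host, access denied, service stopped, and so on.
            $state = "Error: $($_.Exception.Message)"
        } finally {
            if ($null -ne $hklm) { $hklm.Close() }
        }
        [pscustomobject]@{
            Computer      = $computer
            TSUserEnabled = $value
            State         = $state
        }
    }
}

# Constructed host names; replace with your own Terminal Servers.
Get-TSUserEnabledState -ComputerName 'TS01', 'TS02' | Format-Table -AutoSize
```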