Categories
All Posts Remote Desktop Hosting Windows 2012 R2

How to create group policies in Server 2012R2 that only affect specified users

You can create local group policies that affect non-administrators only (or even specific users). This can be useful to keep non administrator users from doing things such as:

  • Power off the server
  • See or access certain files
  • Run or not run certain programs
  • See icons
  • Hide or Disable control panel items
  • And much more….

Modifying group policies via gpedit.msc will affect all users including the administrator so don’t apply restrictive policies this way otherwise you can lock out all accounts including the administrator which can’t be reversed (restore from backup is only solution then).  To create an individual group policy that can be applied to a specific user or group, such as all non-administrators, you can do that via mmc.exe as follows:

Create a group policy that affects only certain users:  (don’t change policies via gpedit.msc which will apply to all users include administrators)

  1. Run mmc.exe when logged in as the administrator
  2. It will open screen below and then click File -> “Add/Remove Snap-In”

mmc.exe_and_snap-in

  1. Select “Group Policy Object Editor” under the Available Snap-Ins column, and click Add
  2. Then click BROWSE and can select non-administrators group on the Users tab **** make sure to click browse and change it from just “local computer” to list specific group/users instead.  This will create a Group Policy Object called “Local Computer\Non-Administrators”.  The click finish.

add_snap-in

 

  1. Click OK on the “Add or Remove Snap-ins”  window
  2. Then you can expand on the Local Computer\Non-Administrators Policy header and go to User Configuration to make changes that should then apply only to non-administrators. – See some examples below of group policies you could user – there are a lot of them and this is just a sample.
  3. When finished, go File -> Save As and name it.  You can open this group policy from File -> Open in the future (or save it in a location you will remember like desktop where you can just double-click the .MSC file you saved to open it)  if you need to continue making modifications for this group later (open this file in the future instead of creating a new one)

 

Example of some group policies to consider

Many of these group policies will hide icons or remove access to a program/icon through one method but not necessarily all methods. Enabling some group polices is a good way to limit users’ ability to perform undesired actions but doesn’t result in complete lockdown.  You should always test the actions modified via group policy to verify that the desired result has been obtained.  [If you don’t want to provide a desktop session to users (and don’t need shared folders between users), you could look at having your application automatically start upon login (https://www.RiptideHosting.com/blog/how-to-launch-a-program-automatically-when-logging-into-remote-desktop-server/) (doesn’t work the same way in Server 2016 as in 2012R2) or RemoteApp / RDWeb. – note: RemoteApp requires the server to be joined to a domain]  Group policies vary between Windows Server editions so you may not see all of these.  This is just a small sample of the many group policies available.  There are usually many methods and policies available that could be enabled to get the result you are trying to get.  You should do some research and try various methods.

 

  • User Configuration\Administrative Templates\Control Panel\Hide specified control panel items – to hide control panel items in the control panel window. User canonical names such as Microsoft.WindowsFirewall, etc. Here is a list of canonical names for 2008 R2 which should be similar in 2012 R2: https://msdn.microsoft.com/en-us/library/windows/desktop/ee330741(v=vs.85).aspx
  • User Configuration\Administrative Templates\Control Panel\Prohibit access to control panel and PC settings – user can’t open control panel from start button
  • User Configuration\Administrative Templates\Windows Components\File Explorer\Hide these specified drives in my computer – hides drives in my computer and file explorer. Remember that similar to many other policies, this hides the drives but doesn’t restrict access to them, but see below.
  • User Configuration\Administrative Templates\Windows Components\File Explorer\Prevent access to drives from my computer – will still show contents of drives but should prevent access if double click on c: drive or other drive(s) specified.
  • User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restrict users to the explicitly permitted list of snap-ins – enable to prohibit snap-ins
  • User Configuration\Administrative Templates\System\Prevent access to registry editing tools – removes access to regedit.exe (windows registry editor)
  • User Configuration\Administrative Templates\System\Prevent access to the command prompt – removes access to the command prompt
  • User Configuration\Administrative Templates\System\Don’t run specified Windows applications – to specify programs that can’t be run – for example, if you don’t want Internet Explorer to run, you can type in iexplore.exe in the field.
  • User Configuration\Administrative Templates\Windows Components\Windows Installer – prevent users from using Windows Installer to install updates and upgrades
  • User Configuration\Administrative Templates\Start Menu and Taskbar\Remove the action center icon – will remove the action center icon. There are many other polices listed in this same area to remove various icons, etc. that you can review.
  • User Configuration\Administrative Templates\Windows Components\Windows Updates\Remove access to use all Windows Update features – removes access to Windows Update. You will want to confirm that the Administrator account still has access to Windows Updates and that automatic settings are still enabled and working.
  • User Configuration\Administrative Templates\Start Menu and Taskbar\Remove pinned programs from the taskbar – Hides icons for Server Manager, Powershell and File Explorer

 

Other Comments

  • Although not a group policy, you may want to modify Task Scheduler to disable the Server Manager pop-up at logon. Open Task Scheduler and navigate to below and disable the task. Library\Microsoft\Windows\ServerManager
  • There are also items in gpedit.msc under Computer Configuration (unlike User Configuration which were the items listed above) that you may want to enable that would affect all users such as Remote Desktop Session Time Limits, especially those for disconnected sessions – to prevent disconnection sessions from consuming server resources – https://www.RiptideHosting.com/blog/how-to-set-time-limit-for-disconnected-sessions-windows-server-2012r2/
  • Under gpedit.msc, under Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host…there are many policies you can review.  These would affect all users including the administrator user.  Under Device & Resource Redirection, you can change settings on audio/video playback, clipboard redirection, drive redirection, port redirection, etc.

If you want to remove the shortcuts/icons available to a particular user when they right click on the start button, you can remove them by going to c:\users\[username]\appdata\local\microsoft\windows\winx and deleting the shortcuts showing for that particular user. See link here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/a6bfa211-f5fe-461d-8e09-f6ef3adb8b17/remove-right-click-option-in-ts-2012-r2-start-button?forum=winserverTS

 

Make sure to test your changes to verify that actual results are what you intended!