Discussion:
Removing disconnect option in Policy
(too old to reply)
Rob S
2005-09-01 16:30:43 UTC
Permalink
Hi,

I have a OU called TermServ, and have applied a GPO to this to completely lock
down users who are placed into this OU. I do not want to place the Server into
the OU however.

I realise that by placing the users in there, then only the User Configuration
settings in the GPO are acted upon. Unfortunately there is one thing that is in
Computer Configuration that I really need - namely the ability to remove the
disconnect option, so that all a user can do is Log Off.

Are there any ways around this situation?

many thanks


-Rob
robatwork at mail dot com
Vera Noest [MVP]
2005-09-01 19:35:01 UTC
Permalink
A few remarks:
* I can't imagine why you don't want to link the GPO to the
Terminal Server, but I assume you have a reason. Would be
interesting to know it, though.
* I also assume that you realise that all restrictions in the GPO
linked to the OU which contains the user accounts are also going to
restrict the users when they logon to their workstation

Now for your question: most, if not all, GPO settings have an
equivalent registry key. The setting you need is:

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!
NoDisconnect

You can probably get the result you want by changing this registry
key on the server. The effect would be exactly the same as linking
a GPO with that setting to the OU which contains the server, but
you will loose the possibility to apply this setting only to normal
users and not to Administrators, as you can with a GPO.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
Post by Rob S
Hi,
I have a OU called TermServ, and have applied a GPO to this to
completely lock down users who are placed into this OU. I do not
want to place the Server into the OU however.
I realise that by placing the users in there, then only the User
Configuration settings in the GPO are acted upon. Unfortunately
there is one thing that is in Computer Configuration that I
really need - namely the ability to remove the disconnect
option, so that all a user can do is Log Off.
Are there any ways around this situation?
many thanks
-Rob
robatwork at mail dot com
Rob S
2005-09-02 11:51:19 UTC
Permalink
Vera,

Many thanks as ever for taking the time to reply.

On Thu, 01 Sep 2005 12:35:01 -0700, "Vera Noest [MVP]"
<***@remove-this.hem.utfors.se> wrote:

-A few remarks:
-* I can't imagine why you don't want to link the GPO to the
-Terminal Server, but I assume you have a reason. Would be
-interesting to know it, though.

I'm following the MS document Locking Down Windows Server 2003 Terminal Server
Sessions. It outlines 2 methods - one is just user accounts in OU, the other is
the Terminal Server in the OU. Method 1 allows administrator to do things while
the server is in operation - vital for the way we are going to be using this
solution.


-* I also assume that you realise that all restrictions in the GPO
-linked to the OU which contains the user accounts are also going to
-restrict the users when they logon to their workstation

Yep! No problem though as the users are eg. accounts1 accounts2, and the
termserver users are term1 term2 etc - ie just for TS.

I will go look into the reg hack shortly, thanks....

regards



-Rob
robatwork at mail dot com
Rob S
2005-09-02 13:12:28 UTC
Permalink
Just following up - I got rid of disconnect on the menu by changing the default
domain policy. What we'd *ideally* like is the abilty to remove just the X from
the menu bar in Remote Desktop. I know I can get rid of the whole bar, but I'd
like users to be able to minimise the window without resorting to keyboard
shortcuts - they come from a Unix/terminal emulation background....

cheers


-Rob
robatwork at mail dot com

Loading...