Article ID: 238965
This article was previously published under Q238965
To allow older programs to run correctly under Terminal Services in Windows 2000, additional permissions are granted to Terminal Services users. This article describes how to remove these additional permissions.
You can remove the additional permissions by using the Notssid.inf security template in the %SystemRoot%\Security\Templates folder. After you apply the Notssid.inf security template, the system has the same default permissions as a standard Windows 2000-based server, but with Terminal Services enabled. To apply this security template:
Users logging on to the server interactively will be made a member of the TERMINAL SERVER USER group if the Permission Compatibility setting in the Terminal Services Configuration snap-in is 'Permissions compatible with Terminal Server 4.0 users'.
The snap-in manipulates the registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\TSUserEnabled (REG_DWORD)
If TSUserEnabled=0x00000001, then all users logging on to a session on the server will be made a member of the TERMINAL SERVER USER group, with greater access to some files, directories and registry keys.
If TSUserEnabled=0x00000000, no one will be a member of the built-in group, although it will still be visible in the Object Picker.
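To check which of these two states a set of servers is in, the following added example (not part of the original article) reads TSUserEnabled from registry export (.reg) text and classifies each host. The host names, the sample exports, the "Example" subkey and the result labels are constructed for illustration.

```python
import re

# Key and value named in the article.
TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
TS_VALUE = "TSUserEnabled"

# Constructed sample exports (host names and the "Example" subkey are made up).
SAMPLE_EXPORTS = {
    "ts-app01": r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"TSUserEnabled"=dword:00000001
''',
    "ts-app02": r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"TSUserEnabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Example]
"TSUserEnabled"=dword:00000001
''',
    "ts-app03": "Windows Registry Editor Version 5.00\n",
}

def read_dword(reg_text, key, value):
    """Return DWORD `value` found directly under `key` in .reg text, else None."""
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()      # entering a new key section
        elif current == key.lower():          # exact key only, never subkeys
            m = re.match(r'"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})$', line)
            if m and m.group(1).lower() == value.lower():
                return int(m.group(2), 16)
    return None

def classify(reg_text):
    """Map TSUserEnabled to the behaviour the article describes."""
    v = read_dword(reg_text, TS_KEY, TS_VALUE)
    if v is None:
        return "not-found"    # value missing from the export; needs a manual check
    return {1: "ts-user-group-applied", 0: "ts-user-group-empty"}.get(v, "unexpected")

def audit(exports):
    """Return {host: classification} for a dict of host -> .reg text."""
    return {host: classify(text) for host, text in exports.items()}

if __name__ == "__main__":
    for host, state in sorted(audit(SAMPLE_EXPORTS).items()):
        print(host, state)
```

Hosts reported as ts-user-group-applied are the ones where session users receive the additional permissions described above.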
If you still require the TERMINAL SERVER USER group for administration, you can remove the additional permissions by using the Notssid.inf security template in the %SystemRoot%\Security\Templates folder.