I recently had to set up a couple of terminal servers and wanted to create a list of standard lockdowns that can be added via a Terminal Server lockdown Group Policy Object (GPO).
Terminal Server Lockdown Preparation
1. Open Active Directory Users & Computers.
2. Create Organizational Unit (OU) for Terminal Server.
3. Move all terminal servers to this OU.
4. Create Security Group in this OU for users who will use Remote Desktop Host (i.e. Terminal Server Users).
5. Add all users who will use the terminal server as members of this security group.
6. Open Group Policy Management, right click the new Terminal Server OU and “Create a GPO in this domain, and Link it here” (i.e. Terminal Server Lock Down).
7. In Security Filtering, delete Authenticated Users and add the Terminal Server Users security group created in a previous step.
Configure users who can connect to the server remotely:
1. Log in to the terminal server.
2. Open Control Panel, open System, click on Remote Settings then click on the Remote tab.
3. Click on Select Users, Remove any groups/users and then Add the Terminal Server Users security group.
Disable Server Manager Pop Up at user log on:
1. On Terminal Server open Task Scheduler.
2. Navigate to Task Scheduler Library\Microsoft\Windows\Server Manager.
3. Disable the “ServerManager” task, which triggers at logon of any user.
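The three procedures above can also be scripted. The following PowerShell is an added example, not part of the original write-up. It assumes the RSAT ActiveDirectory and GroupPolicy modules, PowerShell remoting to the terminal servers, and Windows PowerShell 5.1 on them; the server and user names are constructed placeholders.

```powershell
# Added example: scripted equivalent of the manual steps above.
# Run as a domain admin on a machine with the RSAT modules installed.
Import-Module ActiveDirectory, GroupPolicy

$Domain    = Get-ADDomain
$OuName    = 'Terminal Server'
$OuDN      = "OU=$OuName,$($Domain.DistinguishedName)"
$GroupName = 'Terminal Server Users'
$GpoName   = 'Terminal Server Lock Down'
$Servers   = 'TS01', 'TS02'        # constructed sample computer names
$Users     = 'jdoe', 'asmith'      # constructed sample user names

# Preparation 2-3: create the OU and move the terminal servers into it.
New-ADOrganizationalUnit -Name $OuName -Path $Domain.DistinguishedName
$Servers | ForEach-Object { Get-ADComputer -Identity $_ | Move-ADObject -TargetPath $OuDN }

# Preparation 4-5: create the security group in the OU and add its members.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OuDN
Add-ADGroupMember -Identity $GroupName -Members $Users

# Preparation 6: create the GPO and link it to the OU.
New-GPO -Name $GpoName | New-GPLink -Target $OuDN | Out-Null

# Preparation 7: security filtering. Grant Apply to the group, then remove
# Authenticated Users.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null
# Not a step on the page: since MS16-072, user policy is retrieved in the
# computer's security context, so computer accounts need Read on the GPO.
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead | Out-Null

# On each terminal server: restrict who may connect remotely and disable the
# Server Manager logon task.
$RdpGroup = "$($Domain.NetBIOSName)\$GroupName"
Invoke-Command -ComputerName $Servers -ScriptBlock {
    $local = 'Remote Desktop Users'   # local group edited by the Select Users dialog
    Get-LocalGroupMember -Group $local |
        ForEach-Object { Remove-LocalGroupMember -Group $local -Member $_.Name }
    Add-LocalGroupMember -Group $local -Member $using:RdpGroup
    Disable-ScheduledTask -TaskPath '\Microsoft\Windows\Server Manager\' -TaskName 'ServerManager'
}
```

Members of the local Administrators group can still connect over Remote Desktop regardless of the Remote Desktop Users membership set here.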
Configure Group Policy for Terminal Server Lock Down: