How do I disable Task Manager for users only

  • Question

  • Hello -

    I have an application on a 2008 R2 server which I allow people from all over the USA to access via RD.  They go right to my application when they logon to the session so they never see a Desktop (I don't want them to!) and when they close the application the session ends.

    I certainly don't want them to be able to launch Task Manager but with ctrl+alt+end they can open it.  I disabled using local group policy editor but found that I as administrator am locked out of Task Manager as well.  I need to have access to TM as administrator to monitor the system as well as to shadow users.  I can't even risk enabling for even a short time if I would want to shadow someone.

    How can I disable TM for the normal users while keeping that capability for me as administrator?  Is there another sneaky way they can get to the Desktop or TM which I need to address?  Thanks very much.

    martyderm

    Tuesday, April 24, 2012 2:04 AM

Answers

  • Hi,

    “Multiple Local Group Policy objects (MLGPOs) are not available on domain controllers”, it’s by design. So we can’t use MLGPOs in a Domain Controller environment.

    Since this server is a DC, you can use Domain Group Policy.

    1. Create a GPO and link it to your DC OU

    2. Configure User Configuration-->Policies-->Administrative Templates-->System-->Ctrl+Alt+Del Option-->Remove Task Manager-->Enable

    Configure Computer Configuration-->Policies-->Administrative Templates-->System-->Group Policy-->User Group Policy loopback processing mode-->Enable-->Mode: Merge

    3. Filter Domain Admin: GPO-->Delegation tab-->Advanced-->Select Domain Admin Group-->select Deny Apply Group Policy checkbox

    Since “Remove Task Manager” is a user configuration setting, we set it with loopback merge mode and link the GPO to the DC OU. All users who log on to the server will apply this Group Policy, except Domain Admin.

    For more information please refer to the following MS articles:

    How to prevent domain Group Policies from applying to certain user or computer accounts
    http://support.microsoft.com/kb/816100
    Loopback processing with merge or replace
    http://technet.microsoft.com/en-us/library/cc782810(v=WS.10).aspx


    Lawrence

    TechNet Community Support

    • Marked as answer by martyderm Wednesday, April 25, 2012 11:57 AM
    Wednesday, April 25, 2012 3:22 AM
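
The three steps in the answer above, scripted with the GroupPolicy and ActiveDirectory PowerShell modules. This is an added example, not part of the original answer; the GPO name is hypothetical and the DC is assumed to sit in the default "Domain Controllers" OU.

```powershell
# Added example: scripts the three GPO steps from the answer above.
# Assumptions: run as a Domain Admin on the DC; the GPO name is hypothetical;
# the DC is in the default "Domain Controllers" OU.
Import-Module GroupPolicy, ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$gpoName  = 'RDS - Remove Task Manager'          # hypothetical name
$domainDn = (Get-ADDomain).DistinguishedName
$targetOu = "OU=Domain Controllers,$domainDn"

# Step 1: create the GPO and link it to the DC OU.
$gpo = New-GPO -Name $gpoName
New-GPLink -Guid $gpo.Id -Target $targetOu -LinkEnabled Yes | Out-Null

# Step 2a: "Remove Task Manager" (user setting) is DisableTaskMgr = 1.
Set-GPRegistryValue -Guid $gpo.Id `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableTaskMgr' -Type DWord -Value 1 | Out-Null

# Step 2b: loopback processing (computer setting). 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Guid $gpo.Id `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# Step 3: deny "Apply Group Policy" to Domain Admins. Set-GPPermission has no
# deny level, so the deny ACE is written on the GPO's AD object directly.
$applyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'  # Apply Group Policy
$adminsSid = (Get-ADGroup -Identity 'Domain Admins').SID
$gpoPath   = "AD:\CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
$acl = Get-Acl -Path $gpoPath
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $adminsSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny, $applyGpoRight)
$acl.AddAccessRule($ace)
Set-Acl -Path $gpoPath -AclObject $acl

# Check: the Apply Group Policy ACEs on the GPO should now include a Deny
# entry for Domain Admins next to the default Allow for Authenticated Users.
(Get-Acl -Path $gpoPath).Access |
    Where-Object { $_.ObjectType -eq $applyGpoRight } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights
```

After the next policy refresh, `gpresult /r` run in an ordinary user's session and in an administrator's session shows whether the GPO was applied or filtered out. Only members of Domain Admins are exempted; an administrative account outside that group still receives the setting.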

  • Hi,

    You enabled “Remove Task Manager” policy setting at Local Group Policy, the setting will apply to all logged on users.

    You may try Multiple Local Group Policy feature introduced in Windows Server 2008.

    Multiple Local Group Policy consists of the following LGPOs:

    • Local Computer Policy. This LGPO applies policy settings to the computer and any users logging on to the computer. This is the same LGPO that was included in earlier versions of Microsoft Windows.
    • Administrators Local Group Policy. This LGPO applies user policy settings to members of the Administrators group.
    • Non-Administrators Local Group Policy. This LGPO applies user policy settings to users who are not included in the Administrators group.
    • User-Specific Local Group Policy. This LGPO applies user policy settings to a specific local user.

    Local Group Policy is processed in the following order, with the final LGPO taking precedence over all others:

    1. Local Group Policy (also known as Local Computer Policy).

    2. Administrators or non-administrators Local Group Policy.

    3. User-specific Local Group Policy.

    So you can configure local Group Policy to disable Task Manager for Non-Administrators.

    For more information please refer to the following MS articles:

    Edit Multiple Local Group Policy
    http://technet.microsoft.com/en-us/library/cc731758.aspx
    Step-by-Step Guide to Managing Multiple Local Group Policy Objects
    http://technet.microsoft.com/en-us/library/cc766291(v=WS.10).aspx

    Lawrence

    TechNet Community Support

    • Marked as answer by Lawrence, Thursday, April 26, 2012 1:04 AM
    Tuesday, April 24, 2012 6:43 AM

All replies


  • Hello-

    Thank you for your prompt reply.

    In following the instructions for  Edit Multiple Local Group Policy  http://technet.microsoft.com/en-us/library/cc731758.aspx as outlined above, when I get to the 'Browse for a Group Policy Object' dialog box, there is no User tab, only a Computers tab.

    Stated in the article is 'Multiple Local Group Policy objects (MLGPOs) are not available on domain controllers.'  That being the case, how would I make the desired settings in a domain controller environment?  These articles would have been perfect but it seems they aren't functional with my setup.  Thanks very much.

    martyderm

    Tuesday, April 24, 2012 12:23 PM
  • My sincere thanks to you - I was able to get that to work perfectly.

    martyderm
    Thursday, April 26, 2012 12:46 AM
  • My sincere thanks to you - I was able to get that to work perfectly.

    martyderm

    Can you explain how you did that?


    Thanks.

    Wednesday, September 19, 2012 10:17 PM