How to Lock Down a Windows 2000 Terminal Server Session

Create a new organizational unit. In order to create a new OU, right-click on the unit you want to recreate and choose "Properties" from the menu. Go to the "Group Policy" tab and choose "New Policy."

Open "Computer Configuration" and select "Admin Templates". Click "System" and then "Group Policy". Put a check by the "User Group Policy loopback processing mode" option and click "OK."

Go to "Computer Configuration" again, choose "Windows Settings," then "Security Settings," select "Local Policies" and "Security Options". Check these settings: "Do not display last user name...," "Restrict CD-ROM access..." and "Restrict floppy access..."

Return to "Computer Configuration" one more time and select "Administrative Templates". Choose "Windows Components" and then "Windows Installer." Put a check next to "Disable Windows Installer" and choose the "Always" option.

Open "User Configuration" and go to "Windows Settings." Choose "Folder Redirection" and put checks next to these options: "Application Data," "Desktop," "My Documents," and "Start Menu."

Open "User Configuration" again. Select "Administrative Templates," "Windows Components" and "Windows Explorer." Check "Remove Map Network Drive...," "Remove Search button...," "Disable Windows Explorer's default context menu," "Hide the Manage item...," "Hide these specified drives..." and select drives A to D, "Prevent access to drives..." and select drives A to D, and "Hide Hardware Tab."

Re-open the "User Configuration" menu and go to "Administrative Templates". Select "Windows Components" and the "Task Scheduler." Check the "Prevent Task Run or End" and "Disable New Task Creation" settings.

Go back to the "User Configuration" menu. This time go to "Administrative Templates" and "Start Menu & Taskbar." The following settings should be checked. "Disable and remove links to Windows Update," "Remove common program groups from Start Menu," "Disable programs on Settings Menu," "Remove Network & Dial-up Connections from Start Menu," "Remove Search menu from Start Menu," "Remove Help menu from Start Menu," "Remove Run menu from Start Menu," "Add Logoff to Start Menu," "Disable changes to Taskbar and Start Menu Settings," and "Remove and prevent access to the Shut Down command."

Return to "User Configuration." Go to "Administrative Templates," then "Desktop." Put checks next to "Hide My Network Places icon on desktop" and "Prohibit user from changing My Documents path."

Open up "User Configuration" again. Select "Administrative Templates" and "Control Panel" this time. Put a check next to "Disable Control Panel."

Return again to "User Configuration" and "Administrative Templates." Choose "System" from the list. Check the settings "Disable the command prompt" and "Disable registry editing tools."

Get in "User Configuration" one last time. Click on "Administrative Templates," then "System," then "Logon/Logoff." Check "Disable Task Manager" and "Disable Lock Computer." With these last settings in place, your terminal server session is completely locked down.