New System Policy Options in Terminal Server (186618)

MORE INFORMATION

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).

User Policy Changes

The User policy is implemented by loading settings into the HKEY_CURRENT_USER section of the registry when a user's profile is loaded at logon time. These new settings are REG_DWORD with values of 0x0 (do not apply this policy) or 0x1 (apply the policy). The default is to not apply the policy. The values set in the registry include:

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
   \Policies\Explorer\ 
				

NOTE: The above registry key is one path; it has been wrapped for readability.

Value: NoNtSecurity (REG_DWORD) 0x1 = Hide Windows NT Security menu item

Value: NoDisconnect (REG_DWORD) 0x1 = Hide Disconnect menu item

Value: NoLogoff (REG_DWORD) 0x1 = Hide Logoff menu item

In addition to the Explorer Shell, these policies will also be applied to the Windows NT Security dialog by using CTRL+ALT+DEL on the console or by the Windows NT Security item (or CTRL-ALT-END) in the Start menu from a client. The Logoff and Disconnect buttons will be disabled based on the NoDisconnect and NoLogoff policies.

Another small change includes the removal of the Windows NT Security menu item from the Start menu for the console. This removal is to ensure the console functions like Windows NT Server or Workstation, which requires a user to press CTRL+ALT+DEL to access the Windows NT Security dialog box.

Preventing Users from Changing Global File Associations

In Windows, file types are associated with tools by mapping a file's extension to an executable program (for example, .xls files are associated with Excel.exe). The shell is aware of these file associations and runs Excel when you open an .xls file. The problem on Terminal Server is that these file associations are stored under HKEY_LOCAL_MACHINE, making them "global" associations.

The shell also makes it easy to change these associations through a GUI interface, making it easy for a single user to change an association. Because the associations are global, it is easy for a single user to change the expected behavior of the entire system.

To prevent this problem, Terminal Server includes a user policy that disables the file association functionality in the graphical user interface. This policy is set using System Policy Editor and is located under Default User\Windows NT Shell\Restrictions and is called "Prevent user from changing file type associations."