2
Windows Shortscuts und ALT-TAB funktionieren nicht in RDP, welches GPO-Setting ist Schuld?
Hi zusammen,
Ich habe momentan folgendes Problem:
Wir haben in unserer Umgebung recht restriktive Maschinenpolicies welche wohl dafür verantwortlich sind , dass User in Ihrer RDP-Session werder ihr Mausrad, noch irgendwelche Windows-Shortcutkeys oder z.B. Alt+Tab benutzen können.
Habe jetzt schon einigte Tests gemacht und bin zu dem Schluss gekommen, dass es nur an der Policy liegen kann, da das Problem nicht auftritt wenn der Rechner nicht in einer der OU's ist auf die die Policy angewendet wird.
Habe euch hier mal den Inhalt der Policy angehängt, vielleicht seht Ihr etwas was ich übersehe.
Danke und Gruss
Peter
Workstations
11:29:13
General
Details
Domain Company.com
Owner Company\Domain Admins
Created 27/05/2008 15:17:50
Modified 17/09/2008 10:57:54
User Revisions 0 (AD), 0 (sysvol)
Computer Revisions 134 (AD), 134 (sysvol)
Unique ID {12BD92C8-57C9-4EEC-842B-081B37AB6794}
GPO Status User settings disabled
Links
Location Enforced Link Status Path
Workstations No Enabled Company.com/Workstations
This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users
WMI Filtering
WMI Filter Name None
Description Not applicable
Delegation
These groups and users have the specified permission for this GPO
Name Allowed Permissions Inherited
Company\Enterprise Admins Edit settings, delete, modify security No
NT AUTHORITY\Authenticated Users Read (from Security Filtering) No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No
NT AUTHORITY\SYSTEM Edit settings, delete, modify security No
Company\Domain Admins Edit settings, delete, modify security No
Computer Configuration (Enabled)
Windows Settings
Security Settings
Local Policies/Audit Policy
Policy Setting
Audit account logon events Success, Failure
Audit account management Success, Failure
Audit logon events Success, Failure
Audit object access Failure
Audit policy change Success
Audit privilege use Failure
Audit process tracking No auditing
Audit system events Success
Local Policies/User Rights Assignment
Policy Setting
Access this computer from the network BUILTIN\Administrators
Act as part of the operating system BUILTIN\Administrators
Add workstations to domain BUILTIN\Administrators
Adjust memory quotas for a process NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Allow log on locally BUILTIN\Administrators, Everyone, BUILTIN\Users
Allow log on through Terminal Services
Back up files and directories BUILTIN\Administrators
Bypass traverse checking BUILTIN\Users, BUILTIN\Administrators
Change the system time BUILTIN\Administrators
Create a pagefile BUILTIN\Administrators
Create a token object BUILTIN\Administrators
Create permanent shared objects
Debug programs
Deny access to this computer from the network Support_388945a0, BUILTIN\Guests
Deny log on as a batch job Support_388945a0, BUILTIN\Guests
Deny log on locally Guest, Support_388945a0
Deny log on through Terminal Services Everyone
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system BUILTIN\Administrators
Generate security audits NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Increase scheduling priority BUILTIN\Administrators
Load and unload device drivers company\Domain Users, BUILTIN\Administrators
Lock pages in memory
Log on as a batch job BUILTIN\Administrators
Log on as a service NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, ADMINISTRATOR
Manage auditing and security log BUILTIN\Administrators
Modify firmware environment values BUILTIN\Administrators
Perform volume maintenance tasks BUILTIN\Administrators
Profile single process BUILTIN\Administrators
Profile system performance BUILTIN\Administrators
Remove computer from docking station BUILTIN\Users, BUILTIN\Administrators
Replace a process level token NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE
Restore files and directories BUILTIN\Administrators
Shut down the system BUILTIN\Users, BUILTIN\Administrators
Take ownership of files or other objects BUILTIN\Administrators
Local Policies/Security Options
Accounts
Policy Setting
Accounts: Administrator account status Enabled
Accounts: Guest account status Disabled
Accounts: Limit local account use of blank passwords to console logon only Enabled
Audit
Policy Setting
Audit: Audit the access of global system objects Disabled
Audit: Audit the use of Backup and Restore privilege Disabled
Devices
Policy Setting
Devices: Allow undock without having to log on Disabled
Devices: Allowed to format and eject removable media Administrators
Devices: Prevent users from installing printer drivers Disabled
Devices: Restrict CD-ROM access to locally logged-on user only Disabled
Devices: Restrict floppy access to locally logged-on user only Disabled
Devices: Unsigned driver installation behavior Warn but allow installation
Domain Member
Policy Setting
Domain member: Digitally encrypt or sign secure channel data (always) Enabled
Domain member: Digitally encrypt secure channel data (when possible) Enabled
Domain member: Digitally sign secure channel data (when possible) Enabled
Domain member: Disable machine account password changes Disabled
Domain member: Maximum machine account password age 30 days
Domain member: Require strong (Windows 2000 or later) session key Enabled
Interactive Logon
Policy Setting
Interactive logon: Do not display last user name Enabled
Interactive logon: Do not require CTRL+ALT+DEL Disabled
Interactive logon: Number of previous logons to cache (in case domain controller is not available) 10 logons
Interactive logon: Prompt user to change password before expiration 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation Disabled
Interactive logon: Smart card removal behavior Lock Workstation
Microsoft Network Client
Policy Setting
Microsoft network client: Digitally sign communications (always) Enabled
Microsoft network client: Digitally sign communications (if server agrees) Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers Disabled
Microsoft Network Server
Policy Setting
Microsoft network server: Amount of idle time required before suspending session 15 minutes
Microsoft network server: Digitally sign communications (always) Enabled
Microsoft network server: Digitally sign communications (if client agrees) Enabled
Network Access
Policy Setting
Network access: Allow anonymous SID/Name translation Disabled
Network access: Do not allow anonymous enumeration of SAM accounts Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication Enabled
Network access: Let Everyone permissions apply to anonymous users Disabled
Network access: Named Pipes that can be accessed anonymously COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, browser
Network access: Remotely accessible registry paths System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Control\Server Applications, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Network access: Shares that can be accessed anonymously COMCFG, DFS$
Network access: Sharing and security model for local accounts Classic - local users authenticate as themselves
Network Security
Policy Setting
Network security: Do not store LAN Manager hash value on next password change Enabled
Network security: LDAP client signing requirements Negotiate signing
Recovery Console
Policy Setting
Recovery console: Allow automatic administrative logon Disabled
Recovery console: Allow floppy copy and access to all drives and all folders Disabled
Shutdown
Policy Setting
Shutdown: Allow system to be shut down without having to log on Disabled
Shutdown: Clear virtual memory pagefile Disabled
System Cryptography
Policy Setting
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Disabled
System Objects
Policy Setting
System objects: Default owner for objects created by members of the Administrators group Object creator
System objects: Require case insensitivity for non-Windows subsystems Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) Enabled
Registry Values
Policy Setting
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon "1"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod 0
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun 255
MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot 0
MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode 1
MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel 90
MACHINE\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt 1
MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden 1
MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand 1
MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\DisableSavePassword 1
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting 2
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect 0
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect 0
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime 300000
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery 0
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect 1
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions 2
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions 3
Event Log
Policy Setting
Maximum application log size 16384 kilobytes
Maximum security log size 81920 kilobytes
Maximum system log size 16384 kilobytes
Prevent local guests group from accessing application log Enabled
Prevent local guests group from accessing security log Enabled
Prevent local guests group from accessing system log Enabled
Retention method for application log As needed
Retention method for security log As needed
Retention method for system log As needed
Restricted Groups
Group Members Member of
BUILTIN\Administrators company\remotesupport, company\company-POWERUSERS-Global, company\Domain Admins
BUILTIN\Backup Operators
BUILTIN\Power Users company\saempirum
BUILTIN\Remote Desktop Users
System Services
Alerter (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Computer Browser (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Indexing Service (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
ClipBook (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Fax (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
IISADMIN (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Messenger (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
NetMeeting Remote Desktop Sharing (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
MSFtpsvc (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Remote Desktop Help Session Manager (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Routing and Remote Access (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Task Scheduler (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
SNMP (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
SNMPTRAP (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
SSDP Discovery Service (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Terminal Services (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Telnet (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Universal Plug and Play Device Host (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
W3SVC (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
File System
%SystemDrive%\
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type Name Permission Apply To
Allow BUILTIN\Administrators Full Control This folder, subfolders and files
Allow CREATOR OWNER Full Control Subfolders and files only
Allow Company\Domain Users Read and Execute This folder, subfolders and files
Allow NT AUTHORITY\SYSTEM Full Control This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects Disabled
Auditing
No auditing specified
Public Key Policies/Autoenrollment Settings
Policy Setting
Enroll certificates automatically Enabled
Renew expired certificates, update pending certificates, and remove revoked certificates Disabled
Update certificates that use certificate templates Disabled
Public Key Policies/Encrypting File System
Properties
Policy Setting
Allow users to encrypt files using Encrypting File System (EFS) Enabled
Public Key Policies/Trusted Root Certification Authorities
Properties
Policy Setting
Allow users to select new root certification authorities (CAs) to trust Enabled
Client computers can trust the following certificate stores Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria Registered in Active Directory only
Certificates
Issued To Issued By Expiration Date Intended Purposes
xxxxxxxxxx.xxxxxxxxxxxxxxxxx.com xxxxxxxxx.xxxxxxxxxxxxxxxxx.com 21/06/2014 18:17:37 <All>
For additional information about individual settings, launch Group Policy Object Editor.
Software Restriction Policies
Enforcement
Policy Setting
Apply software restriction policies to All software files except libraries (such as DLLs)
Apply software restriction policies to the following users All users except local administrators
Designated File Types
File Extension File Type
ADE ADE File
ADP ADP File
BAS BAS File
BAT MS-DOS Batch File
CHM Compiled HTML Help file
CMD Windows NT Command Script
COM MS-DOS Application
CPL Control Panel extension
CRT Security Certificate
EXE Application
HLP Help File
HTA HTML Application
INF Setup Information
INS Internet Communication Settings
ISP Internet Communication Settings
LNK Shortcut
MDB MDB File
MDE MDE File
MSC Microsoft Common Console Document
MSI Windows Installer Package
MSP Windows Installer Patch
MST MST File
OCX ActiveX Control
PCD Photo CD Image
PIF Shortcut to MS-DOS Program
REG Registration Entries
SCR Screen Saver
SHS Scrap object
URL Internet Shortcut
VB VB File
WSC Windows Script Component
Trusted Publishers
Allow the following users to select trusted publishers End users
Before trusting a publisher, check the following to determine if the certificate is revoked None
Software Restriction Policies/Security Levels
Policy Setting
Default Security Level Unrestricted
Software Restriction Policies/Additional Rules
Path Rules
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
Security Level Unrestricted
Description
Date last modified 02/06/2008 16:40:29
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe
Security Level Unrestricted
Description
Date last modified 02/06/2008 16:40:29
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe
Security Level Unrestricted
Description
Date last modified 02/06/2008 16:40:29
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
Security Level Unrestricted
Description
Date last modified 02/06/2008 16:40:29
Administrative Templates
Network/Network Connections
Policy Setting
Prohibit installation and configuration of Network Bridge on your DNS domain network Enabled
Prohibit use of Internet Connection Sharing on your DNS domain network Enabled
Network/Network Connections/Windows Firewall/Domain Profile
Policy Setting
Windows Firewall: Protect all network connections Disabled
Network/Network Connections/Windows Firewall/Standard Profile
Policy Setting
Windows Firewall: Protect all network connections Disabled
Network/Offline Files
Policy Setting
Allow or Disallow use of the Offline Files feature Disabled
Printers
Policy Setting
Allow printers to be published Disabled
Web-based printing Disabled
System/Error Reporting
Policy Setting
Configure Error Reporting Disabled
Display Error Notification Enabled
System/Group Policy
Policy Setting
Group Policy refresh interval for computers Enabled
This setting allows you to customize how often Group Policy is applied
to computers. The range is 0 to 64800 minutes (45 days).
Minutes: 1440
This is a random time added to the refresh interval to prevent
all clients from requesting Group Policy at the same time.
The range is 0 to 1440 minutes (24 hours)
Minutes: 7
System/Internet Communication Management/Internet Communication settings
Policy Setting
Turn off Internet download for Web publishing and online ordering wizards Enabled
Turn off Internet File Association service Enabled
Turn off the "Order Prints" picture task Enabled
Turn off the "Publish to Web" task for files and folders Enabled
Turn off the Windows Messenger Customer Experience Improvement Program Enabled
Turn off Windows Error Reporting Enabled
Turn off Windows Movie Maker automatic codec downloads Enabled
Turn off Windows Movie Maker online Web links Enabled
Turn off Windows Movie Maker saving to online video hosting provider Enabled
System/Logon
Policy Setting
Always use classic logon Enabled
Always wait for the network at computer startup and logon Enabled
Don't display the Getting Started welcome screen at logon Enabled
System/Net Logon
Policy Setting
Expected dial-up delay on logon Enabled
Seconds: 25
Policy Setting
Maximum Log File Size Enabled
Bytes: 536936438
System/Remote Assistance
Policy Setting
Offer Remote Assistance Disabled
Solicited Remote Assistance Disabled
System/System Restore
Policy Setting
Turn off Configuration Enabled
Turn off System Restore Enabled
Windows Components/Internet Explorer
Policy Setting
Disable Periodic Check for Internet Explorer software updates Enabled
Disable showing the splash screen Enabled
Disable software update shell notifications on program launch Enabled
Do not allow users to enable or disable add-ons Enabled
Security Zones: Do not allow users to change policies Enabled
Windows Components/Internet Explorer/Internet Control Panel
Policy Setting
Disable the Advanced page Enabled
Windows Components/Internet Information Services
Policy Setting
Prevent IIS installation Enabled
Windows Components/NetMeeting
Policy Setting
Disable remote Desktop Sharing Enabled
Windows Components/Task Scheduler
Policy Setting
Hide Advanced Properties Checkbox in Add Scheduled Task Wizard Enabled
Hide Property Pages Enabled
Prevent Task Run or End Enabled
Prohibit Browse Enabled
Prohibit Drag-and-Drop Enabled
Prohibit New Task Creation Enabled
Prohibit Task Deletion Enabled
Windows Components/Windows Installer
Policy Setting
Prohibit removal of updates Enabled
Windows Components/Windows Media Digital Rights Management
Policy Setting
Prevent Windows Media DRM Internet Access Enabled
Windows Components/Windows Media Player
Policy Setting
Do Not Show First Use Dialog Boxes Enabled
Prevent Automatic Updates Enabled
Prevent Desktop Shortcut Creation Enabled
Prevent Quick Launch Toolbar Shortcut Creation Enabled
Windows Components/Windows Messenger
Policy Setting
Do not allow Windows Messenger to be run Enabled
Do not automatically start Windows Messenger initially Enabled
Windows Components/Windows Movie Maker
Policy Setting
Do not allow Windows Movie Maker to run Enabled
Windows Components/Windows Update
Policy Setting
Re-prompt for restart with scheduled installations Enabled
Wait the following period before
prompting again with a scheduled
restart (minutes): 60
User Configuration (Disabled)
No settings defined.
Ich habe momentan folgendes Problem:
Wir haben in unserer Umgebung recht restriktive Maschinenpolicies welche wohl dafür verantwortlich sind , dass User in Ihrer RDP-Session werder ihr Mausrad, noch irgendwelche Windows-Shortcutkeys oder z.B. Alt+Tab benutzen können.
Habe jetzt schon einigte Tests gemacht und bin zu dem Schluss gekommen, dass es nur an der Policy liegen kann, da das Problem nicht auftritt wenn der Rechner nicht in einer der OU's ist auf die die Policy angewendet wird.
Habe euch hier mal den Inhalt der Policy angehängt, vielleicht seht Ihr etwas was ich übersehe.
Danke und Gruss
Peter
Workstations
11:29:13
General
Details
Domain Company.com
Owner Company\Domain Admins
Created 27/05/2008 15:17:50
Modified 17/09/2008 10:57:54
User Revisions 0 (AD), 0 (sysvol)
Computer Revisions 134 (AD), 134 (sysvol)
Unique ID {12BD92C8-57C9-4EEC-842B-081B37AB6794}
GPO Status User settings disabled
Links
Location Enforced Link Status Path
Workstations No Enabled Company.com/Workstations
This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users
WMI Filtering
WMI Filter Name None
Description Not applicable
Delegation
These groups and users have the specified permission for this GPO
Name Allowed Permissions Inherited
Company\Enterprise Admins Edit settings, delete, modify security No
NT AUTHORITY\Authenticated Users Read (from Security Filtering) No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No
NT AUTHORITY\SYSTEM Edit settings, delete, modify security No
Company\Domain Admins Edit settings, delete, modify security No
Computer Configuration (Enabled)
Windows Settings
Security Settings
Local Policies/Audit Policy
Policy Setting
Audit account logon events Success, Failure
Audit account management Success, Failure
Audit logon events Success, Failure
Audit object access Failure
Audit policy change Success
Audit privilege use Failure
Audit process tracking No auditing
Audit system events Success
Local Policies/User Rights Assignment
Policy Setting
Access this computer from the network BUILTIN\Administrators
Act as part of the operating system BUILTIN\Administrators
Add workstations to domain BUILTIN\Administrators
Adjust memory quotas for a process NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Allow log on locally BUILTIN\Administrators, Everyone, BUILTIN\Users
Allow log on through Terminal Services
Back up files and directories BUILTIN\Administrators
Bypass traverse checking BUILTIN\Users, BUILTIN\Administrators
Change the system time BUILTIN\Administrators
Create a pagefile BUILTIN\Administrators
Create a token object BUILTIN\Administrators
Create permanent shared objects
Debug programs
Deny access to this computer from the network Support_388945a0, BUILTIN\Guests
Deny log on as a batch job Support_388945a0, BUILTIN\Guests
Deny log on locally Guest, Support_388945a0
Deny log on through Terminal Services Everyone
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system BUILTIN\Administrators
Generate security audits NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Increase scheduling priority BUILTIN\Administrators
Load and unload device drivers company\Domain Users, BUILTIN\Administrators
Lock pages in memory
Log on as a batch job BUILTIN\Administrators
Log on as a service NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, ADMINISTRATOR
Manage auditing and security log BUILTIN\Administrators
Modify firmware environment values BUILTIN\Administrators
Perform volume maintenance tasks BUILTIN\Administrators
Profile single process BUILTIN\Administrators
Profile system performance BUILTIN\Administrators
Remove computer from docking station BUILTIN\Users, BUILTIN\Administrators
Replace a process level token NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE
Restore files and directories BUILTIN\Administrators
Shut down the system BUILTIN\Users, BUILTIN\Administrators
Take ownership of files or other objects BUILTIN\Administrators
Local Policies/Security Options
Accounts
Policy Setting
Accounts: Administrator account status Enabled
Accounts: Guest account status Disabled
Accounts: Limit local account use of blank passwords to console logon only Enabled
Audit
Policy Setting
Audit: Audit the access of global system objects Disabled
Audit: Audit the use of Backup and Restore privilege Disabled
Devices
Policy Setting
Devices: Allow undock without having to log on Disabled
Devices: Allowed to format and eject removable media Administrators
Devices: Prevent users from installing printer drivers Disabled
Devices: Restrict CD-ROM access to locally logged-on user only Disabled
Devices: Restrict floppy access to locally logged-on user only Disabled
Devices: Unsigned driver installation behavior Warn but allow installation
Domain Member
Policy Setting
Domain member: Digitally encrypt or sign secure channel data (always) Enabled
Domain member: Digitally encrypt secure channel data (when possible) Enabled
Domain member: Digitally sign secure channel data (when possible) Enabled
Domain member: Disable machine account password changes Disabled
Domain member: Maximum machine account password age 30 days
Domain member: Require strong (Windows 2000 or later) session key Enabled
Interactive Logon
Policy Setting
Interactive logon: Do not display last user name Enabled
Interactive logon: Do not require CTRL+ALT+DEL Disabled
Interactive logon: Number of previous logons to cache (in case domain controller is not available) 10 logons
Interactive logon: Prompt user to change password before expiration 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation Disabled
Interactive logon: Smart card removal behavior Lock Workstation
Microsoft Network Client
Policy Setting
Microsoft network client: Digitally sign communications (always) Enabled
Microsoft network client: Digitally sign communications (if server agrees) Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers Disabled
Microsoft Network Server
Policy Setting
Microsoft network server: Amount of idle time required before suspending session 15 minutes
Microsoft network server: Digitally sign communications (always) Enabled
Microsoft network server: Digitally sign communications (if client agrees) Enabled
Network Access
Policy Setting
Network access: Allow anonymous SID/Name translation Disabled
Network access: Do not allow anonymous enumeration of SAM accounts Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication Enabled
Network access: Let Everyone permissions apply to anonymous users Disabled
Network access: Named Pipes that can be accessed anonymously COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, browser
Network access: Remotely accessible registry paths System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Control\Server Applications, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Network access: Shares that can be accessed anonymously COMCFG, DFS$
Network access: Sharing and security model for local accounts Classic - local users authenticate as themselves
Network Security
Policy Setting
Network security: Do not store LAN Manager hash value on next password change Enabled
Network security: LDAP client signing requirements Negotiate signing
Recovery Console
Policy Setting
Recovery console: Allow automatic administrative logon Disabled
Recovery console: Allow floppy copy and access to all drives and all folders Disabled
Shutdown
Policy Setting
Shutdown: Allow system to be shut down without having to log on Disabled
Shutdown: Clear virtual memory pagefile Disabled
System Cryptography
Policy Setting
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Disabled
System Objects
Policy Setting
System objects: Default owner for objects created by members of the Administrators group Object creator
System objects: Require case insensitivity for non-Windows subsystems Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) Enabled
Registry Values
Policy Setting
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon "1"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod 0
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun 255
MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot 0
MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode 1
MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel 90
MACHINE\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt 1
MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden 1
MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand 1
MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\DisableSavePassword 1
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting 2
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect 0
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect 0
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime 300000
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery 0
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect 1
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions 2
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions 3
Event Log
Policy Setting
Maximum application log size 16384 kilobytes
Maximum security log size 81920 kilobytes
Maximum system log size 16384 kilobytes
Prevent local guests group from accessing application log Enabled
Prevent local guests group from accessing security log Enabled
Prevent local guests group from accessing system log Enabled
Retention method for application log As needed
Retention method for security log As needed
Retention method for system log As needed
Restricted Groups
Group Members Member of
BUILTIN\Administrators company\remotesupport, company\company-POWERUSERS-Global, company\Domain Admins
BUILTIN\Backup Operators
BUILTIN\Power Users company\saempirum
BUILTIN\Remote Desktop Users
System Services
Alerter (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Computer Browser (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Indexing Service (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
ClipBook (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Fax (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
IISADMIN (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Messenger (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
NetMeeting Remote Desktop Sharing (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
MSFtpsvc (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Remote Desktop Help Session Manager (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Routing and Remote Access (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Task Scheduler (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
SNMP (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
SNMPTRAP (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
SSDP Discovery Service (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Terminal Services (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Telnet (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Universal Plug and Play Device Host (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
W3SVC (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
File System
%SystemDrive%\
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type Name Permission Apply To
Allow BUILTIN\Administrators Full Control This folder, subfolders and files
Allow CREATOR OWNER Full Control Subfolders and files only
Allow Company\Domain Users Read and Execute This folder, subfolders and files
Allow NT AUTHORITY\SYSTEM Full Control This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects Disabled
Auditing
No auditing specified
Public Key Policies/Autoenrollment Settings
Policy Setting
Enroll certificates automatically Enabled
Renew expired certificates, update pending certificates, and remove revoked certificates Disabled
Update certificates that use certificate templates Disabled
Public Key Policies/Encrypting File System
Properties
Policy Setting
Allow users to encrypt files using Encrypting File System (EFS) Enabled
Public Key Policies/Trusted Root Certification Authorities
Properties
Policy Setting
Allow users to select new root certification authorities (CAs) to trust Enabled
Client computers can trust the following certificate stores Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria Registered in Active Directory only
Certificates
Issued To Issued By Expiration Date Intended Purposes
xxxxxxxxxx.xxxxxxxxxxxxxxxxx.com xxxxxxxxx.xxxxxxxxxxxxxxxxx.com 21/06/2014 18:17:37 <All>
For additional information about individual settings, launch Group Policy Object Editor.
Software Restriction Policies
Enforcement
Policy Setting
Apply software restriction policies to All software files except libraries (such as DLLs)
Apply software restriction policies to the following users All users except local administrators
Designated File Types
File Extension File Type
ADE ADE File
ADP ADP File
BAS BAS File
BAT MS-DOS Batch File
CHM Compiled HTML Help file
CMD Windows NT Command Script
COM MS-DOS Application
CPL Control Panel extension
CRT Security Certificate
EXE Application
HLP Help File
HTA HTML Application
INF Setup Information
INS Internet Communication Settings
ISP Internet Communication Settings
LNK Shortcut
MDB MDB File
MDE MDE File
MSC Microsoft Common Console Document
MSI Windows Installer Package
MSP Windows Installer Patch
MST MST File
OCX ActiveX Control
PCD Photo CD Image
PIF Shortcut to MS-DOS Program
REG Registration Entries
SCR Screen Saver
SHS Scrap object
URL Internet Shortcut
VB VB File
WSC Windows Script Component
Trusted Publishers
Allow the following users to select trusted publishers End users
Before trusting a publisher, check the following to determine if the certificate is revoked None
Software Restriction Policies/Security Levels
Policy Setting
Default Security Level Unrestricted
Software Restriction Policies/Additional Rules
Path Rules
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
Security Level Unrestricted
Description
Date last modified 02/06/2008 16:40:29
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe
Security Level Unrestricted
Description
Date last modified 02/06/2008 16:40:29
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe
Security Level Unrestricted
Description
Date last modified 02/06/2008 16:40:29
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
Security Level Unrestricted
Description
Date last modified 02/06/2008 16:40:29
Administrative Templates
Network/Network Connections
Policy Setting
Prohibit installation and configuration of Network Bridge on your DNS domain network Enabled
Prohibit use of Internet Connection Sharing on your DNS domain network Enabled
Network/Network Connections/Windows Firewall/Domain Profile
Policy Setting
Windows Firewall: Protect all network connections Disabled
Network/Network Connections/Windows Firewall/Standard Profile
Policy Setting
Windows Firewall: Protect all network connections Disabled
Network/Offline Files
Policy Setting
Allow or Disallow use of the Offline Files feature Disabled
Printers
Policy Setting
Allow printers to be published Disabled
Web-based printing Disabled
System/Error Reporting
Policy Setting
Configure Error Reporting Disabled
Display Error Notification Enabled
System/Group Policy
Policy Setting
Group Policy refresh interval for computers Enabled
This setting allows you to customize how often Group Policy is applied
to computers. The range is 0 to 64800 minutes (45 days).
Minutes: 1440
This is a random time added to the refresh interval to prevent
all clients from requesting Group Policy at the same time.
The range is 0 to 1440 minutes (24 hours)
Minutes: 7
System/Internet Communication Management/Internet Communication settings
Policy Setting
Turn off Internet download for Web publishing and online ordering wizards Enabled
Turn off Internet File Association service Enabled
Turn off the "Order Prints" picture task Enabled
Turn off the "Publish to Web" task for files and folders Enabled
Turn off the Windows Messenger Customer Experience Improvement Program Enabled
Turn off Windows Error Reporting Enabled
Turn off Windows Movie Maker automatic codec downloads Enabled
Turn off Windows Movie Maker online Web links Enabled
Turn off Windows Movie Maker saving to online video hosting provider Enabled
System/Logon
Policy Setting
Always use classic logon Enabled
Always wait for the network at computer startup and logon Enabled
Don't display the Getting Started welcome screen at logon Enabled
System/Net Logon
Policy Setting
Expected dial-up delay on logon Enabled
Seconds: 25
Policy Setting
Maximum Log File Size Enabled
Bytes: 536936438
System/Remote Assistance
Policy Setting
Offer Remote Assistance Disabled
Solicited Remote Assistance Disabled
System/System Restore
Policy Setting
Turn off Configuration Enabled
Turn off System Restore Enabled
Windows Components/Internet Explorer
Policy Setting
Disable Periodic Check for Internet Explorer software updates Enabled
Disable showing the splash screen Enabled
Disable software update shell notifications on program launch Enabled
Do not allow users to enable or disable add-ons Enabled
Security Zones: Do not allow users to change policies Enabled
Windows Components/Internet Explorer/Internet Control Panel
Policy Setting
Disable the Advanced page Enabled
Windows Components/Internet Information Services
Policy Setting
Prevent IIS installation Enabled
Windows Components/NetMeeting
Policy Setting
Disable remote Desktop Sharing Enabled
Windows Components/Task Scheduler
Policy Setting
Hide Advanced Properties Checkbox in Add Scheduled Task Wizard Enabled
Hide Property Pages Enabled
Prevent Task Run or End Enabled
Prohibit Browse Enabled
Prohibit Drag-and-Drop Enabled
Prohibit New Task Creation Enabled
Prohibit Task Deletion Enabled
Windows Components/Windows Installer
Policy Setting
Prohibit removal of updates Enabled
Windows Components/Windows Media Digital Rights Management
Policy Setting
Prevent Windows Media DRM Internet Access Enabled
Windows Components/Windows Media Player
Policy Setting
Do Not Show First Use Dialog Boxes Enabled
Prevent Automatic Updates Enabled
Prevent Desktop Shortcut Creation Enabled
Prevent Quick Launch Toolbar Shortcut Creation Enabled
Windows Components/Windows Messenger
Policy Setting
Do not allow Windows Messenger to be run Enabled
Do not automatically start Windows Messenger initially Enabled
Windows Components/Windows Movie Maker
Policy Setting
Do not allow Windows Movie Maker to run Enabled
Windows Components/Windows Update
Policy Setting
Re-prompt for restart with scheduled installations Enabled
Wait the following period before
prompting again with a scheduled
restart (minutes): 60
User Configuration (Disabled)
No settings defined.
Share on Facebook
Share on Twitter
Share on Reddit
Share on LinkedinPlease also mark the comments that contributed to the solution of the article
Content-Key: 99154
Url: https://administrator.de/contentid/99154
Printed on: April 25, 2024 at 20:04 o'clock
2 Comments
Latest comment
Hi pdieser,
Äääähm... verlangst Du, dass wir uns jetzt hier durchwühlen *kopfschüttel*
Probiere bitte erst mal Folgendes:
Start --> Ausführen --> mstsc [Enter]
Optionen --> Lokale Ressourcen und dann schau mal in den Bereich Tastatur...
Fällt etwas auf? (Die Oberfläche vom Remotedesktop kann von der Version her abweichen... Vielleicht bringt auch schon eine Aktualisierung etwas...)
Gruß
Markus
Äääähm... verlangst Du, dass wir uns jetzt hier durchwühlen *kopfschüttel*
Probiere bitte erst mal Folgendes:
Start --> Ausführen --> mstsc [Enter]
Optionen --> Lokale Ressourcen und dann schau mal in den Bereich Tastatur...
Fällt etwas auf? (Die Oberfläche vom Remotedesktop kann von der Version her abweichen... Vielleicht bringt auch schon eine Aktualisierung etwas...)
Gruß
Markus
Hi,
Ja habe ich schon probiert. Wie bereits erwähnt: Es liegt definitiv an der Policy. Deswegen hängt sie ja auch an dem Post...
IMO(und auch soweit gefunden Googles Opinion), hängt kein Policy Setting direkt an einer Einstellung die dieses Verhalten auslösen kann. Es gibt wohl einen Regkey den man setzen kann um die Windows-Shortcuts zu deaktivieren. Dieser steht jedoch auf aktiviert.
Ja habe ich schon probiert. Wie bereits erwähnt: Es liegt definitiv an der Policy. Deswegen hängt sie ja auch an dem Post...
IMO(und auch soweit gefunden Googles Opinion), hängt kein Policy Setting direkt an einer Einstellung die dieses Verhalten auslösen kann. Es gibt wohl einen Regkey den man setzen kann um die Windows-Shortcuts zu deaktivieren. Dieser steht jedoch auf aktiviert.
