Enable Remote Desktop in Windows 2003 with ADM template
Windows Server 2003 has the ability to allow two Remote Desktop connections for administrative purposes. This can be enabled by going to the properties of "My Computer", clicking on the "Remote" tab and enabling "Remote Desktop". This can also be enabled on each server individually, using the registry setting below, or by creating a custom ADM template and deploying the setting via Group Policy.
Registry Settings Involved:
Using regedit, navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
If the value "fDenyTSConnections" does not exist, create it as a DWORD.
Setting it to 0 will permit remote desktop connections and setting it to 1 will prohibit them.
Below are before and after screenshots of Remote Desktop being enabled.
NOTE: The setting does not become grayed out.
Before the policy setting is applied
After the policy setting is applied

This can be deployed via Group Policy by creating an ADM file using the following code.

**IMPORTANT** This will be created as a preference, not a policy. To revoke the setting this template applies, you must specifically "Disable" the setting and allow your clients to pick up that change. This is the only way for clients to purge this registry key. It will not automatically be removed when they fall out of the Scope of Management of the policy. (See our FAQ on SOM: Scope of Management)

Custom .adm Template

CLASS MACHINE
CATEGORY StartMenu
POLICY "Enable Remote Desktop"
KEYNAME "SYSTEM\CurrentControlSet\Control\Terminal Server"
EXPLAIN "Enabling this setting will allow Remote Desktop Connections to be made to the Server. Disabling this setting will prohibit Remote Desktop Connections from being made to the Server. Setting this to 'Not Configured' will keep the previous registry setting."
VALUENAME "fDenyTSConnections"
VALUEON NUMERIC 0
VALUEOFF NUMERIC 1
END POLICY
END CATEGORY
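The template on this page yields a preference because its KEYNAME lies outside the registry trees Group Policy cleans up (Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies). The following Python script is an added example, not code from the original page: it parses an ADM template and reports, for each POLICY, whether it is a true policy or a preference that will stay in the registry. The names classify_adm, POLICY_TREES and SAMPLE_ADM are this example's own, and PART-level KEYNAME/VALUENAME statements are not handled.

```python
import re

# Keys under these trees are true policies: Group Policy clears them when the
# GPO stops applying. Any other key is a preference that stays set ("tattoos").
POLICY_TREES = ("software\\policies\\",
                "software\\microsoft\\windows\\currentversion\\policies\\")

# Constructed input: the template from this page (EXPLAIN text shortened).
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY StartMenu
POLICY "Enable Remote Desktop"
KEYNAME "SYSTEM\CurrentControlSet\Control\Terminal Server"
EXPLAIN "Allows or prohibits Remote Desktop connections to the server."
VALUENAME "fDenyTSConnections"
VALUEON NUMERIC 0
VALUEOFF NUMERIC 1
END POLICY
END CATEGORY
'''

def classify_adm(text):
    """Classify each POLICY; a statement is a keyword plus its first argument."""
    results, hive, cat_keys, pol = [], None, [None], None
    for m in re.finditer(r'^[ \t]*(\w+)[ \t]*(?:"([^"]*)"|(\S*))', text, re.M):
        word, arg = m.group(1).upper(), m.group(2) or m.group(3) or ""
        if word == "CLASS":
            hive = "HKLM" if arg.upper() == "MACHINE" else "HKCU"
        elif word == "CATEGORY":  # a nested category inherits the parent KEYNAME
            cat_keys.append(cat_keys[-1])
        elif word == "POLICY":
            pol = {"name": arg, "hive": hive, "key": cat_keys[-1], "value": None}
        elif word == "KEYNAME" and pol is not None:
            pol["key"] = arg
        elif word == "KEYNAME":
            cat_keys[-1] = arg
        elif word == "VALUENAME" and pol is not None and pol["value"] is None:
            pol["value"] = arg
        elif word == "END" and arg.upper() == "POLICY" and pol is not None:
            key = (pol["key"] or "").lower().rstrip("\\") + "\\"
            pol["kind"] = "policy" if key.startswith(POLICY_TREES) else "preference"
            results.append(pol)
            pol = None
        elif word == "END" and arg.upper() == "CATEGORY" and len(cat_keys) > 1:
            cat_keys.pop()
    return results

if __name__ == "__main__":
    print(classify_adm(SAMPLE_ADM))
```

Running a custom template through a check like this before deployment shows which settings will need an explicit "Disable" to undo, as described above for fDenyTSConnections.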
Can I copy the settings from a GPO to another GPO?
The easiest way to do this is to make a copy of the original GPO, and then rename it. Then you will have a new GPO with all of the settings of the original. To do this, open the GPMC and drill down to the Group Policy Objects node. Right-click over the GPO you want to use, and select Copy. Then, immediately select Paste. It will create a new GPO named “Copy of oldname”. Simply rename it whatever you wish, and you’re in business!
Can I set different password policies for different OUs?
Within the Windows 2000 and Windows 2003 Server operating systems, you can only have one password policy for the entire domain. If you need separate password policies, you will have to create separate domains. However, this does change for Windows Server 2008. Read more about new features in the Microsoft Identity and Access foundation here.