Configuring Terminal Services Shutdown and log off

I want to achieve this:

When someone uses Terminal Services to access a server, I want the Start menu to ALWAYS show the "Log off username..." option and NEVER show "Shut Down..." option.  I need the "Log off username..." option to appear even if the user has not selected the checkbox on the Start Menu Properties.  I know how to do this...

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoClose"=dword:00000001

however....

If a user logs in locally (i.e. at the machine console), I WANT the Shut Down option to be available.  I NEED to be able to Shut Down by CTRL-ALT-DEL at least...

Question 1: If I disable the Shut Down on the Start button as above; is there any other TS Shut Down option that I need to disable?

Question 2: How do I set a policy or Registry hack (or script) to always show the "Log off username..." option on the Start button?


Points go to whomever communicates the process for this setup explicitly and so that it works...it's a couple of questions, but the points bounty is high...


Thanks

Geezer
mgeiser Asked:

webwackr Commented:
Always more than one way to skin a cat, but try this:

Open the Users and Computers MMC within Active Directory
(Start>Settings>Control Panel>Administrative Tools>Active Directory Users and Computers)

Create a new OU (right-click in the left pane of the active window and click New>Organizational Unit)
Rename the new OU to something (i.e. "TS Access")
Right-click "TS Access" and select Properties
Click on the Group Policy tab and click New
Rename the policy to something (i.e. "TS Restrict Policy")
Highlight "TS Restrict Policy" and click Edit

In the left pane, navigate:
(User Configuration>Administrative Templates>Windows Components>Start Menu and Taskbar)
In the right pane, double-click the key "Add logoff to the start menu"
Select ENABLED then click OK (this FORCES the logoff option to appear in the start menu)
next double-click on the key "Remove and prevent access to the Shutdown command"
Select ENABLED then click OK (this removes the shutdown option from the start menu)

Close the active window (Group Policy Editor)
Highlight your new policy named "TS Access" and click on Properties
At the bottom of the dialog box, check off BOTH boxes that say "Disable Computer Configs" AND "Disable User Configs" then click OK. (this disables all NON-defined portions of your new policy and improves the performance when executed. The options you do define remain effective)
Click on Options
Check off the box titled No Override then click OK (this prevents your new policy from inheriting access permissions from the default domain policy (the parent policy))

Check off "Block Policy Inheritance" (at the bottom) then click OK

Now, drag the group in the built-in container (looks like a folder) named "Remote Desktop Users" INTO the OU (folder) you created named "TS Access".

What happens now is that when AD replicates, anyone who accesses the server via terminal services does NOT see the Shutdown option anywhere (not even to the "shutdown -f" or the reboot command "shutdown -f -r" command from within DOS-- although I haven't tested that theory) and they ALWAYS see the Logoff <username> option within the start menu.
Also, when someone logs onto the console, they will always get the shutdown command.

But then, I use 2003 with Active Directory. Hope that does the trick.

If you don't use Active Directory, just assign a group policy to the Remote Desktop Users group with the start menu/taskbar settings changed accordingly and force no override/inheritance. The concept here is assigning a policy to the group as opposed to assigning a policy to everyone (which is what you were talking about I believe).

-Adam
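
A check to run inside a session after the policy has applied, added here as an example and not part of either post: it reads the two per-user Start menu values and compares them with what the question asks for in a console session versus a Terminal Services session. Assumptions: PowerShell and `whoami` are available on the server, the `SESSIONNAME` variable is `Console` for a local logon, and `ForceStartMenuLogOff` (a value name not shown on this page) is the registry value behind "Add logoff to the start menu".

```powershell
# Added example: audit the current session against the intended Start menu policy.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-PolicyValue([string]$Name) {
    # A missing key or value means the policy is not configured; treat it as 0.
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { [int]$item.$Name } else { 0 }
}

# Assumption: SESSIONNAME is "Console" locally and e.g. "RDP-Tcp#0" over TS.
$isConsole = ($env:SESSIONNAME -eq 'Console')
$noClose   = Get-PolicyValue 'NoClose'               # hides Shut Down
$forceOff  = Get-PolicyValue 'ForceStartMenuLogOff'  # forces Log Off to show

# The Start menu policy only changes the UI. Whether the account may shut the
# machine down is decided by the "Shut down the system" user right, which
# shows up in the logon token as SeShutdownPrivilege.
$hasShutdownRight = [bool](whoami /priv | Select-String 'SeShutdownPrivilege')

$findings = @()
if ($isConsole) {
    if ($noClose -ne 0) {
        $findings += 'Console session: NoClose is set, so Shut Down is hidden here too.'
    }
} else {
    if ($noClose -ne 1) {
        $findings += 'TS session: NoClose is not set, Shut Down is still on the Start menu.'
    }
    if ($forceOff -ne 1) {
        $findings += 'TS session: ForceStartMenuLogOff is not set, Log Off depends on user settings.'
    }
    if ($hasShutdownRight) {
        $findings += 'TS session: token holds SeShutdownPrivilege, shutdown is allowed outside the Start menu.'
    }
}

if ($findings.Count -eq 0) {
    "OK: session '$env:SESSIONNAME' matches the intended policy."
} else {
    $findings
}
```

Run it once from a console logon and once from a Terminal Services logon of a member of the restricted group; the last finding covers the `shutdown -f` case that the answer leaves untested.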
