Solved

Configuring Terminal Services Shutdown and log off

Posted on 2003-11-20
Last Modified: 2010-05-18
I want to achieve this:

When someone uses Terminal Services to access a server, I want the Start menu to ALWAYS show the "Log off username..." option and NEVER show "Shut Down..." option.  I need the "Log off username..." option to appear even if the user has not selected the checkbox on the Start Menu Properties.  I know how to do this...

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoClose"=dword:00000001

however....

If a user logs in locally (i.e. at the machine console), I WANT the Shut Down option to be available.  I NEED to be able to Shut Down by CTRL-ALT-DEL at least...

Question 1: If I disable the Shut Down on the Start button as above; is there any other TS Shut Down option that I need to disable?

Question 2: How do I set a policy or Registry hack (or script) to always show the "Log off username..." option on the Start button?


Points go to whomever communicates the process for this setup explicitly and so that it works...it's a couple of questions, but the points bounty is high...


Thanks

Geezer
Question by:mgeiser
Accepted Solution

by:
webwackr earned 1000 total points
ID: 9791822
Always more than one way to skin a cat, but try this:

Open the Users and Computers MMC within Active Directory
(Start>Settings>Control Panel>Administrative Tools>Active Directory Users and Computers)

Create a new OU (right-click in the left pane of the active window and click New>Organizational Unit)
Rename the new OU to something (i.e. "TS Access")
Right-click "TS Access" and select Properties
Click on the Group Policy tab and click New
Rename the policy to something (i.e. "TS Restrict Policy")
Highlight "TS Restrict Policy" and click Edit

In the left pane, navigate:
(User Configuration>Administrative Templates>Windows Components>Start Menu and Taskbar)
In the right pane, double-click the key "Add logoff to the start menu"
Select ENABLED then click OK (this FORCES the logoff option to appear in the start menu)
Next, double-click on the key "Remove and prevent access to the Shutdown command"
Select ENABLED then click OK (this removes the shutdown option from the start menu)

Close the active window (Group Policy Editor)
Highlight your new policy named "TS Access" and click on Properties
At the bottom of the dialog box, check off BOTH boxes that say "Disable Computer Configs" AND "Disable User Configs" then click OK. (This disables all NON-defined portions of your new policy and improves the performance when executed. The options you do define remain effective.)
Click on Options
Check off the box titled No Override then click OK (this prevents your new policy from inheriting access permissions from the default domain policy (the parent policy))

Check off "Block Policy Inheritance" (at the bottom) then click OK

Now, drag the group in the built-in container (looks like a folder) named "Remote Desktop Users" INTO the OU (folder) you created named "TS Access".

What happens now is that when AD replicates, anyone who accesses the server via terminal services does NOT see the Shutdown option anywhere (not even the "shutdown -f" or the reboot command "shutdown -f -r" from within DOS -- although I haven't tested that theory) and they ALWAYS see the Logoff <username> option within the start menu.
Also, when someone logs onto the console, they will always get the shutdown command.

But then, I use 2003 with Active Directory. Hope that does the trick.

If you don't use Active Directory, just assign a group policy to the Remote Desktop Users group with the start menu/taskbar settings changed accordingly and force no override/inheritance. The concept here is assigning a policy to the group as opposed to assigning a policy to everyone (which is what you were talking about, I believe).

-Adam
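
A way to verify the outcome from inside a logged-on session, added here as an example and not posted by anyone in the thread: it reads the per-user policy values, detects whether the session is remote, and also checks the "Shut down the system" user right, because the Start menu policy governs the Windows user interface only. `NoClose` and the key path come from the question; `ForceStartMenuLogOff` (the value behind "Add Logoff to the Start Menu") and the use of `whoami /priv` are assumptions of this example.

```powershell
# Added example: audit the current session against the behaviour asked for in the thread.
Add-Type -AssemblyName System.Windows.Forms

# Key taken from the .reg snippet in the question.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-PolicyDword([string]$Name) {
    # Returns the DWORD, or 0 when the value or the key is absent.
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$Name
}

# True inside a Terminal Services / Remote Desktop session, false at the console.
$isRemote = [System.Windows.Forms.SystemInformation]::TerminalServerSession

$noClose     = Get-PolicyDword 'NoClose'               # 1 = Shut Down removed from the UI
$forceLogoff = Get-PolicyDword 'ForceStartMenuLogOff'  # 1 = "Log off <user>" forced (name not in the thread)

# The Start menu settings only change the UI; the user right is assigned separately.
$hasShutdownRight = [bool](whoami /priv | Select-String 'SeShutdownPrivilege')

$findings = @()
if ($isRemote) {
    if ($noClose -ne 1)     { $findings += 'NoClose is not set: Shut Down is offered in this remote session.' }
    if ($forceLogoff -ne 1) { $findings += 'ForceStartMenuLogOff is not set: the user can hide Log off.' }
    if ($hasShutdownRight)  { $findings += 'Token holds SeShutdownPrivilege: the account can shut down outside the Start menu.' }
} elseif ($noClose -eq 1) {
    $findings += 'NoClose is set at the console: Shut Down is hidden for local logons too.'
}

# Summary object first, then one warning per deviation.
[pscustomobject]@{
    User                 = $env:USERNAME
    RemoteSession        = $isRemote
    NoClose              = $noClose
    ForceStartMenuLogOff = $forceLogoff
    HasShutdownRight     = $hasShutdownRight
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'Session matches the intended policy.'
```

Run it once as a Remote Desktop user and once at the console; a non-zero exit code means the session deviates from the intended state.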