Solved

Configuring Terminal Services Shutdown and log off

Posted on 2003-11-20
Last Modified: 2010-05-18
I want to achieve this:

When someone uses Terminal Services to access a server, I want the Start menu to ALWAYS show the "Log off username..." option and NEVER show "Shut Down..." option.  I need the "Log off username..." option to appear even if the user has not selected the checkbox on the Start Menu Properties.  I know how to do this...

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoClose"=dword:00000001

however....

If a user logs in locally (i.e. at the machine console), I WANT the Shut Down option to be available.  I NEED to be able to Shut Down by CTRL-ALT-DEL at least...

Question 1: If I disable the Shut Down on the Start button as above; is there any other TS Shut Down option that I need to disable?

Question 2: How do I set a policy or Registry hack (or script) to always show the "Log off username..." option on the Start button?


Points go to whoever communicates the process for this setup explicitly and so that it works...it's a couple of questions, but the points bounty is high...


Thanks

Geezer
Question by:mgeiser
Accepted Solution

by:
webwackr earned 250 total points
ID: 9791822
Always more than one way to skin a cat, but try this:

Open the Users and Computers MMC within Active Directory
(Start>Settings>Control Panel>Administrative Tools>Active Directory Users and Computers)

Create a new OU (right-click in the left pane of the active window and click New>Organizational Unit)
Rename the new OU to something (e.g. "TS Access")
Right-click "TS Access" and select Properties
Click on the Group Policy tab and click New
Rename the policy to something (e.g. "TS Restrict Policy")
Highlight "TS Restrict Policy" and click Edit

In the left pane, navigate:
(User Configuration>Administrative Templates>Windows Components>Start Menu and Taskbar)
In the right pane, double-click the key "Add logoff to the start menu"
Select ENABLED then click OK (this FORCES the logoff option to appear in the start menu)
Next, double-click on the key "Remove and prevent access to the Shutdown command"
Select ENABLED then click OK (this removes the shutdown option from the start menu)

Close the active window (Group Policy Editor)
Highlight your new policy named "TS Access" and click on Properties
At the bottom of the dialog box, check off BOTH boxes that say "Disable Computer Configs" AND "Disable User Configs" then click OK. (this disables all NON-defined portions of your new policy and improves the performance when executed. The options you do define remain effective)
Click on Options
Check off the box titled No Override then click OK (this prevents your new policy from inheriting access permissions from the default domain policy (the parent policy))

Check off "Block Policy Inheritance" (at the bottom) then click OK

Now, drag the group in the built-in container (looks like a folder) named "Remote Desktop Users" INTO the OU (folder) you created named "TS Access".

What happens now is that when AD replicates, anyone who accesses the server via terminal services does NOT see the Shutdown option anywhere (not even to the "shutdown -f" or the reboot command "shutdown -f -r" command from within DOS-- although I haven't tested that theory) and they ALWAYS see the Logoff <username> option within the start menu.
Also, when someone logs onto the console, they will always get the shutdown command.

But then, I use 2003 with Active Directory. Hope that does the trick.

If you don't use Active Directory, just assign a group policy to the Remote Desktop Users group with the start menu/taskbar settings changed accordingly and force no override/inheritance. The concept here is assigning a policy to the group as opposed to assigning a policy to everyone (which is what you were talking about I believe).

-Adam
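
A check to run inside a session once the policy has applied, as an added example that is not part of the original thread: it reads the two Explorer policy values and compares them with what the question asks for in a Terminal Services session versus a console session. It assumes PowerShell 3.0 or later is available on the server; `ForceStartMenuLogOff` is the registry value behind "Add Logoff to the Start Menu", and the `SeShutdownPrivilege` check is included because hiding the Start menu entry does not change who holds the "Shut down the system" user right.

```powershell
# Added example (not from the original thread). Run inside the user's own session.
Add-Type -AssemblyName System.Windows.Forms
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-PolicyValue([string]$Name) {
    # Returns the DWORD, or $null when the policy value is not present.
    $p = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $p) { $p.$Name } else { $null }
}

# True when the session runs over Terminal Services / Remote Desktop.
$isRemote = [System.Windows.Forms.SystemInformation]::TerminalServerSession

$noClose     = Get-PolicyValue 'NoClose'               # "Remove and prevent access to the Shut Down command"
$forceLogoff = Get-PolicyValue 'ForceStartMenuLogOff'  # "Add Logoff to the Start Menu"

# The Start menu policy only hides the command; the "Shut down the system"
# user right (SeShutdownPrivilege) decides whether the account can shut down at all.
$holdsShutdownRight = [bool](whoami /priv | Select-String -SimpleMatch 'SeShutdownPrivilege')

$checks = @()
if ($isRemote) {
    $checks += [pscustomobject]@{ Check = 'Shut Down hidden (NoClose=1)'
                                  Actual = $noClose; Pass = ($noClose -eq 1) }
    $checks += [pscustomobject]@{ Check = 'Log off forced (ForceStartMenuLogOff=1)'
                                  Actual = $forceLogoff; Pass = ($forceLogoff -eq 1) }
    # Administrators connecting remotely hold the right and will fail this row by design.
    $checks += [pscustomobject]@{ Check = 'Account lacks shutdown user right'
                                  Actual = $holdsShutdownRight; Pass = (-not $holdsShutdownRight) }
} else {
    # At the console the question requires Shut Down to stay available.
    $checks += [pscustomobject]@{ Check = 'Shut Down visible (NoClose not 1)'
                                  Actual = $noClose; Pass = ($noClose -ne 1) }
}

$checks | Format-Table -AutoSize
if ($checks.Pass -contains $false) { exit 1 }
```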