Solved

Configuring Terminal Services Shutdown and log off

Posted on 2003-11-20
2
220 Views
Last Modified: 2010-05-18
I want to achieve this:

When someone uses Terminal Services to access a server, I want the Start menu to ALWAYS show the "Log off username..." option and NEVER show "Shut Down..." option.  I need the "Log off username..." option to appear even if the user has not selected the checkbox on the Start Menu Properties.  I know how to do this...

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoClose"=dword:00000001

however....

If a user logins in locally (i.e. at the machine console), I WANT the Shut Down option to be available.  I NEED to be able to Shut Down by CRTL-ALT-DEL at least...

Question 1: If I disable the Shut Down on the Start button as above; is there any other TS Shut Down option that I need to disable?

Question 2: How do I set a policy or Registry hack (or script) to always show the "Log off username..." option on the Start button?


Points go to whomever communicates the process for this setup explicitly and so that it works...it's a couple of questions, but the points bounty is high...


Thanks

Geezer
0
Comment
Question by:mgeiser
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 1

Accepted Solution

by:
webwackr earned 250 total points
ID: 9791822
Always more than one way to skin a cat, but try this:

Open the Users and Computers MMC within Active Directory
(Start>Settings>Control Panel>Administrative Tools>Active Directory Users and Computers)

Create a new OU (right-click in the left pane of the active window and click New>Organization Unit)
Rename the new OU to something (ie "TS Access")
Right-click "TS Access" and select Properties
Click on the Group Policy tab and click New
Rename the policy to something (ie "TS Restrict Policy")
Highlight "TS Restrict Policy" and click Edit

In the left pane, navigate:
(User Configuration>Administrative Templates>Windows Components>Start Menu and Taskbar)
In the right pane, double-click the key "Add logoff to the start menu"
Select ENABLED then click OK (this FORCES the logoff option to appear in the start menu)
next double-click on the key "Remove and prevent access to the Shutdown command"
Select ENABLED then click OK (this removes the shutdown option from the start menu)

Close the active window (Group Policy Editor)
Highlight your new policy named TS Access" and click on Properties
At the bottom of the dialog box, check off BOTH boxes that say "Disable Computer Configs" AND "Disable User Configs" then click OK. (this disables all NON-defined portions of your new policy and improves the performance when executed. The options you do define are remain effective)
Click on Options
Check off the box titled No Override then click OK (this prevents your new policy from inheriting access permissions from the default domain policy (the parent policy)

Check off "Block Policy Inheritance" (at the bottom) then click OK

Now, drag the group in the built-in container (looks like a folder) named "Remote Desktop Users" INTO the OU (folder) you created named "TS Access".

What happens now is that when AD replicates, anyone who accesses the server via terminal services does NOT see the Shutdown option anywhere (not even to the "shutdown -f" or the reboot command "shutdown -f -r" command from within DOS-- although I haven't tested that theory) and they ALWAYS see the Loggoff <username> option within the start menu.
Also, when someone logs onto the console, they wil always get the shutdown command.

But then, I use 2003 with Active Directory. Hope that does the trick.

If you don't use Active Directory, just assign a group policy to the Remote Desktop Users group with the start menu/taskbar settings changed accordingly and force no override/inheritance. The concept here is assigning a policy to the group as opposed to assigning a polkicy to everyone (which what you were talking about I believe).

-Adam
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
In this video, viewers will be given step by step instructions on adjusting mouse, pointer and cursor visibility in Microsoft Windows 10. The video seeks to educate those who are struggling with the new Windows 10 Graphical User Interface. Change Cu…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question