Solved

Disable Shutdown Ability

Posted on 2004-09-29
8
323 Views
Last Modified: 2010-07-27
Hello,
 I'd like to disable the ability for ANY person to shutdown or restart ANY of my servers via Terminal Services.  I want to prevent EVERYONE from accidentally shutting down or restarting a server when exiting their Terminal Services session, EVEN Administrators. All my servers are Win2k or Win2k3 and are DCs or member servers of an AD Forest.

The solution to http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_20890266.html did not do the trick for me.

Thanks in advance...
-Mike-
0
Comment
Question by:ehaley
  • 5
  • 3
8 Comments
 
LVL 9

Accepted Solution

by:
CDCOP earned 250 total points
ID: 12181286
If you use GPO's for your different users, this will be great. If you don't you may not be able to shutdown unless you create a script to shutdown. Here you go:
GPEDIT.MSC -> User Configuration -> Administrative Templates -> Start Menu and Taskbar -> Remove and Prevent access to the shutdown command
0
 
LVL 1

Author Comment

by:ehaley
ID: 12181600
Hello CDCOP,

 I have already configured a Group Policy for my DC's and Member Servers with the "Disable and remove the Shut Down command' Enabled, but at last this does not  seem to apply to Administrators who terminal service into the server(s). This does appear to apply to Domain Users however.

I have applied this GP to my Servers and Domain Controllers OU without any luck. I have also applied it to a Test OU and moved the Domain Admin account into it.
0
 
LVL 9

Expert Comment

by:CDCOP
ID: 12181993
You more than likely have another policy that overrides this one for your admins. Are you sure you are applying this one to your admins, and they are actually in the read and apply security?
0
 
LVL 1

Author Comment

by:ehaley
ID: 12183024
Could you explain this statement":
"Are you sure you are applying this one to your admins, and they are actually in the read and apply security?"

None of my 3 Administrators login to the server under their own user account This would create profiles, we don;t want that..
We each use the Domain Administrator account every time we terminal service to a server..

Our GPs are very minimal. I have a password pol at the root level, and a default Server pol on my Servers and DCs OU. None of which have this "Disable and remove the Shut Down command" configured.

-Mike-
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 9

Expert Comment

by:CDCOP
ID: 12186300
Do your admins need to have the shutdown removed also? If so, change your current GP to enable for that setting, and make sure they are in the security settings (admins) to receive this setting.
0
 
LVL 1

Author Comment

by:ehaley
ID: 12230619
CDCOP,
Sorry for the delay. I got pulled away on other things. My origional question at the top explains exactly what I need.  I tried one of your steps and I ended up not being about to logoff of a terminal service sessions. I had to disconnect and terminate the session via Terminal Services Manager. If you can think of anything else, great, I'd really appreciate it, otherwise thanks for your efforts..
-Mike-
0
 
LVL 1

Author Comment

by:ehaley
ID: 12237343
Thanks CDCOP, You lead me in the right direction. Thanks for your help on this one..

http://expertanswercenter.techtarget.com/eac/knowledgebaseAnswer/0,295199,sid63_gci973162,00.html

There is no per-computer policy to remove this setting, but you can remove the shutdown button for his account by editing the group policy to disable and remove the shutdown button. This won't prevent him from shutting down the server entirely -- "tsshutdn" will still work -- but it will prevent him from accidentally doing so. (You can also control this setting by using configuration tools like triCerat's RegSet or editing the registry directly -- this setting is in HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer. Set NoClose's value to 1.)
0
 
LVL 1

Author Comment

by:ehaley
ID: 12241975
Added these DWORD Reg values into HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer with a value of 1

Policy:Disable and remove the Turn Off Computer button
Description:Removes the "Turn Off Computer" button from the Start Menu and
prevents shutting down Windows using the standard shutdown user interface.
Registry Value:"NoClose"

Policy:Force Logoff to the Start Menu
Description:Forces the Logoff button to the Start menu and prevents users
from removing the Logoff option from the Start menu.
Registry Value:"ForceStartMenuLogoff"

Works like a charm.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Performance in games development is paramount: every microsecond counts to be able to do everything in less than 33ms (aiming at 16ms). C# foreach statement is one of the worst performance killers, and here I explain why.
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now