Solved

Disable Shutdown Ability

Posted on 2004-09-29
8
326 Views
Last Modified: 2010-07-27
Hello,
 I'd like to disable the ability for ANY person to shutdown or restart ANY of my servers via Terminal Services.  I want to prevent EVERYONE from accidentally shutting down or restarting a server when exiting their Terminal Services session, EVEN Administrators. All my servers are Win2k or Win2k3 and are DCs or member servers of an AD Forest.

The solution to http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_20890266.html did not do the trick for me.

Thanks in advance...
-Mike-
0
Comment
Question by:ehaley
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
8 Comments
 
LVL 9

Accepted Solution

by:
CDCOP earned 250 total points
ID: 12181286
If you use GPO's for your different users, this will be great. If you don't you may not be able to shutdown unless you create a script to shutdown. Here you go:
GPEDIT.MSC -> User Configuration -> Administrative Templates -> Start Menu and Taskbar -> Remove and Prevent access to the shutdown command
0
 
LVL 1

Author Comment

by:ehaley
ID: 12181600
Hello CDCOP,

 I have already configured a Group Policy for my DC's and Member Servers with the "Disable and remove the Shut Down command' Enabled, but at last this does not  seem to apply to Administrators who terminal service into the server(s). This does appear to apply to Domain Users however.

I have applied this GP to my Servers and Domain Controllers OU without any luck. I have also applied it to a Test OU and moved the Domain Admin account into it.
0
 
LVL 9

Expert Comment

by:CDCOP
ID: 12181993
You more than likely have another policy that overrides this one for your admins. Are you sure you are applying this one to your admins, and they are actually in the read and apply security?
0
Free Webinar: AWS Backup & DR

Join our upcoming webinar with experts from AWS, CloudBerry Lab, and the Town of Edgartown IT to discuss best practices for simplifying online backup management and cutting costs.

 
LVL 1

Author Comment

by:ehaley
ID: 12183024
Could you explain this statement":
"Are you sure you are applying this one to your admins, and they are actually in the read and apply security?"

None of my 3 Administrators login to the server under their own user account This would create profiles, we don;t want that..
We each use the Domain Administrator account every time we terminal service to a server..

Our GPs are very minimal. I have a password pol at the root level, and a default Server pol on my Servers and DCs OU. None of which have this "Disable and remove the Shut Down command" configured.

-Mike-
0
 
LVL 9

Expert Comment

by:CDCOP
ID: 12186300
Do your admins need to have the shutdown removed also? If so, change your current GP to enable for that setting, and make sure they are in the security settings (admins) to receive this setting.
0
 
LVL 1

Author Comment

by:ehaley
ID: 12230619
CDCOP,
Sorry for the delay. I got pulled away on other things. My origional question at the top explains exactly what I need.  I tried one of your steps and I ended up not being about to logoff of a terminal service sessions. I had to disconnect and terminate the session via Terminal Services Manager. If you can think of anything else, great, I'd really appreciate it, otherwise thanks for your efforts..
-Mike-
0
 
LVL 1

Author Comment

by:ehaley
ID: 12237343
Thanks CDCOP, You lead me in the right direction. Thanks for your help on this one..

http://expertanswercenter.techtarget.com/eac/knowledgebaseAnswer/0,295199,sid63_gci973162,00.html

There is no per-computer policy to remove this setting, but you can remove the shutdown button for his account by editing the group policy to disable and remove the shutdown button. This won't prevent him from shutting down the server entirely -- "tsshutdn" will still work -- but it will prevent him from accidentally doing so. (You can also control this setting by using configuration tools like triCerat's RegSet or editing the registry directly -- this setting is in HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer. Set NoClose's value to 1.)
0
 
LVL 1

Author Comment

by:ehaley
ID: 12241975
Added these DWORD Reg values into HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer with a value of 1

Policy:Disable and remove the Turn Off Computer button
Description:Removes the "Turn Off Computer" button from the Start Menu and
prevents shutting down Windows using the standard shutdown user interface.
Registry Value:"NoClose"

Policy:Force Logoff to the Start Menu
Description:Forces the Logoff button to the Start menu and prevents users
from removing the Logoff option from the Start menu.
Registry Value:"ForceStartMenuLogoff"

Works like a charm.
0

Featured Post

Free Webinar: AWS Backup & DR

Join our upcoming webinar with experts from AWS, CloudBerry Lab, and the Town of Edgartown IT to discuss best practices for simplifying online backup management and cutting costs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
This article was initially published on Monitis Blog, you can read it here . When it comes to deciding which approach to website performance monitoring is best for your business, unfortunately, like so many options in life . . . it depends. In t…
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question