Solved

Disable Shutdown Ability

Posted on 2004-09-29
Last Modified: 2010-07-27
Hello,
I'd like to disable the ability for ANY person to shut down or restart ANY of my servers via Terminal Services. I want to prevent EVERYONE from accidentally shutting down or restarting a server when exiting their Terminal Services session, EVEN Administrators. All my servers are Win2k or Win2k3 and are DCs or member servers of an AD Forest.

The solution to http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_20890266.html did not do the trick for me.

Thanks in advance...
-Mike-
Question by:ehaley
8 Comments
 
LVL 9

Accepted Solution

by:
CDCOP earned 250 total points
ID: 12181286
If you use GPO's for your different users, this will be great. If you don't, you may not be able to shut down unless you create a script to shut down. Here you go:
GPEDIT.MSC -> User Configuration -> Administrative Templates -> Start Menu and Taskbar -> Remove and Prevent access to the shutdown command
0
 
LVL 1

Author Comment

by:ehaley
ID: 12181600
Hello CDCOP,

I have already configured a Group Policy for my DC's and Member Servers with the "Disable and remove the Shut Down command" Enabled, but at last this does not seem to apply to Administrators who terminal service into the server(s). This does appear to apply to Domain Users however.

I have applied this GP to my Servers and Domain Controllers OU without any luck. I have also applied it to a Test OU and moved the Domain Admin account into it.
0
 
LVL 9

Expert Comment

by:CDCOP
ID: 12181993
You more than likely have another policy that overrides this one for your admins. Are you sure you are applying this one to your admins, and they are actually in the read and apply security?
0
 
LVL 1

Author Comment

by:ehaley
ID: 12183024
Could you explain this statement:
"Are you sure you are applying this one to your admins, and they are actually in the read and apply security?"

None of my 3 Administrators log in to the server under their own user account. This would create profiles; we don't want that.
We each use the Domain Administrator account every time we terminal service to a server.

Our GPs are very minimal. I have a password pol at the root level, and a default Server pol on my Servers and DCs OU. None of which have this "Disable and remove the Shut Down command" configured.

-Mike-
0

 
LVL 9

Expert Comment

by:CDCOP
ID: 12186300
Do your admins need to have the shutdown removed also? If so, change your current GP to enable for that setting, and make sure they are in the security settings (admins) to receive this setting.
0
 
LVL 1

Author Comment

by:ehaley
ID: 12230619
CDCOP,
Sorry for the delay. I got pulled away on other things. My original question at the top explains exactly what I need. I tried one of your steps and I ended up not being able to log off of a terminal service session. I had to disconnect and terminate the session via Terminal Services Manager. If you can think of anything else, great, I'd really appreciate it, otherwise thanks for your efforts.
-Mike-
0
 
LVL 1

Author Comment

by:ehaley
ID: 12237343
Thanks CDCOP, you led me in the right direction. Thanks for your help on this one.

http://expertanswercenter.techtarget.com/eac/knowledgebaseAnswer/0,295199,sid63_gci973162,00.html

There is no per-computer policy to remove this setting, but you can remove the shutdown button for his account by editing the group policy to disable and remove the shutdown button. This won't prevent him from shutting down the server entirely -- "tsshutdn" will still work -- but it will prevent him from accidentally doing so. (You can also control this setting by using configuration tools like triCerat's RegSet or editing the registry directly -- this setting is in HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer. Set NoClose's value to 1.)
0
 
LVL 1

Author Comment

by:ehaley
ID: 12241975
Added these DWORD Reg values into HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer with a value of 1

Policy:Disable and remove the Turn Off Computer button
Description:Removes the "Turn Off Computer" button from the Start Menu and
prevents shutting down Windows using the standard shutdown user interface.
Registry Value:"NoClose"

Policy:Force Logoff to the Start Menu
Description:Forces the Logoff button to the Start menu and prevents users
from removing the Logoff option from the Start menu.
Registry Value:"ForceStartMenuLogoff"

Works like a charm.
0
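The two registry values from the final comment, applied and verified in one pass. This is an added example, not code from the thread. It assumes PowerShell 2.0 or later is available on the server, the function names are hypothetical, and it uses the key as the registry spells it, `CurrentVersion` with no space. Because the values live under HKCU, it has to run in the session of the account that should lose the Shut Down option (here, the shared Domain Administrator account).

```powershell
# Added example (not from the thread). HKCU is per-user: run this as the
# account whose Start menu should no longer offer Shut Down.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# The two DWORD values named in the thread, both set to 1.
$Desired = @{
    NoClose              = 1   # remove the Shut Down / Turn Off Computer UI
    ForceStartMenuLogoff = 1   # keep Log Off on the Start menu
}

function Test-ShutdownPolicy {
    # Read each value back and report whether it matches the expected setting.
    param([string]$Key = $PolicyKey)
    foreach ($name in $Desired.Keys) {
        $current = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        New-Object PSObject -Property @{
            Value     = $name
            Current   = $current
            Expected  = $Desired[$name]
            Compliant = ($current -eq $Desired[$name])
        } | Select-Object Value, Current, Expected, Compliant
    }
}

function Set-ShutdownPolicy {
    # Supports -WhatIf so the change can be previewed before it is written.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Key = $PolicyKey)
    if (-not (Test-Path -Path $Key)) {
        if ($PSCmdlet.ShouldProcess($Key, 'Create registry key')) {
            New-Item -Path $Key -Force | Out-Null
        }
    }
    foreach ($name in $Desired.Keys) {
        if ($PSCmdlet.ShouldProcess("$Key\$name", "Set DWORD to $($Desired[$name])")) {
            New-ItemProperty -Path $Key -Name $name -PropertyType DWord `
                -Value $Desired[$name] -Force | Out-Null
        }
    }
}

Set-ShutdownPolicy
Test-ShutdownPolicy | Format-Table -AutoSize
```

`Set-ShutdownPolicy -WhatIf` lists the changes without writing them, and `Test-ShutdownPolicy` on its own audits an existing profile.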
