Disable Shutdown Ability

 I'd like to disable the ability for ANY person to shutdown or restart ANY of my servers via Terminal Services.  I want to prevent EVERYONE from accidentally shutting down or restarting a server when exiting their Terminal Services session, EVEN Administrators. All my servers are Win2k or Win2k3 and are DCs or member servers of an AD Forest.

The solution to http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_20890266.html did not do the trick for me.

Thanks in advance...
Who is Participating?

Improve company productivity with a Business Account.Sign Up

CDCOPConnect With a Mentor Commented:
If you use GPO's for your different users, this will be great. If you don't you may not be able to shutdown unless you create a script to shutdown. Here you go:
GPEDIT.MSC -> User Configuration -> Administrative Templates -> Start Menu and Taskbar -> Remove and Prevent access to the shutdown command
ehaleyAuthor Commented:
Hello CDCOP,

 I have already configured a Group Policy for my DC's and Member Servers with the "Disable and remove the Shut Down command' Enabled, but at last this does not  seem to apply to Administrators who terminal service into the server(s). This does appear to apply to Domain Users however.

I have applied this GP to my Servers and Domain Controllers OU without any luck. I have also applied it to a Test OU and moved the Domain Admin account into it.
You more than likely have another policy that overrides this one for your admins. Are you sure you are applying this one to your admins, and they are actually in the read and apply security?
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

ehaleyAuthor Commented:
Could you explain this statement":
"Are you sure you are applying this one to your admins, and they are actually in the read and apply security?"

None of my 3 Administrators login to the server under their own user account This would create profiles, we don;t want that..
We each use the Domain Administrator account every time we terminal service to a server..

Our GPs are very minimal. I have a password pol at the root level, and a default Server pol on my Servers and DCs OU. None of which have this "Disable and remove the Shut Down command" configured.

Do your admins need to have the shutdown removed also? If so, change your current GP to enable for that setting, and make sure they are in the security settings (admins) to receive this setting.
ehaleyAuthor Commented:
Sorry for the delay. I got pulled away on other things. My origional question at the top explains exactly what I need.  I tried one of your steps and I ended up not being about to logoff of a terminal service sessions. I had to disconnect and terminate the session via Terminal Services Manager. If you can think of anything else, great, I'd really appreciate it, otherwise thanks for your efforts..
ehaleyAuthor Commented:
Thanks CDCOP, You lead me in the right direction. Thanks for your help on this one..


There is no per-computer policy to remove this setting, but you can remove the shutdown button for his account by editing the group policy to disable and remove the shutdown button. This won't prevent him from shutting down the server entirely -- "tsshutdn" will still work -- but it will prevent him from accidentally doing so. (You can also control this setting by using configuration tools like triCerat's RegSet or editing the registry directly -- this setting is in HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer. Set NoClose's value to 1.)
ehaleyAuthor Commented:
Added these DWORD Reg values into HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer with a value of 1

Policy:Disable and remove the Turn Off Computer button
Description:Removes the "Turn Off Computer" button from the Start Menu and
prevents shutting down Windows using the standard shutdown user interface.
Registry Value:"NoClose"

Policy:Force Logoff to the Start Menu
Description:Forces the Logoff button to the Start menu and prevents users
from removing the Logoff option from the Start menu.
Registry Value:"ForceStartMenuLogoff"

Works like a charm.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.