windows 7 logoff

In my environment (Windows 7 Pro on Server 2003 ad domain) it is not desirable to display the "Logoff", "Shutdown", "Restart", "hibernate"  or "Sleep" buttons in the start menu.  

If I enable the following GPO, the logoff button disappears like desired:  
 - User Configuration > Administrative Templates > Start Menu and Taskbar -"Remove Logoff on the Start Menu"

This is great, but...

If I also enable the following GPO along with the above policy, the logoff button reappears:
 -User Configuration > Administrative Templates > Start Menu and Taskbar -"Remove and Prevent access to the Shut Down, Restart, Sleep and Hibernate Commands"

No so good!  I have also tried adding the "NoClose" and "StartMenuLogoff" registry entries to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer key and this yields the same results.  

When both are configured together, I have attached a photo of what the start menu looks like.

I will grant max points for whoever can help me successfully remove all of the said entries from the start menu in Windows 7 Pro. - I have been working on this way too long!

Thanks in advance.
Logoff.jpg
cadlkidAsked:
Who is Participating?
 
cadlkidConnect With a Mentor Author Commented:
I figured this out...

If these 7 entries are configured in a GPO, the "lock" button is shown on the start menu, but it is inactive...

1.  User Configuration > Administrative Templates > Start Menu and Taskbar -"Remove and Prevent Access to the Shut Down, Restart, Sleep and Hibernate Commands"

2.  User Configuration > Administrative Templates > Start Menu and Taskbar -"Remove Logoff on the Start Menu"

3.  User Configuration > Administrative Templates > Start Menu and Taskbar -"Change Start Menu power button" - "Lock"

4.  User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options > "Remove Change Password" > "Enabled"

5.  User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options > "Remove Lock Computer" > "Enabled"

6.  User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options > "Remove Logoff" > "Enabled"

7.  User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options > "Remove Task Manager" > "Enabled"


Thanks again for all of your help!
0
 
mavalphaCommented:
Mixing REGEDIT and GPEDIT.MSC can be problematic, so I use registry changes wherever possible.  Consider reverting all of your relevant GPO settings back to default before trying these, to prevent unintended interactions:

To remove Logoff:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
DWORD: StartMenuLogOff, value=1

To remove Switch user:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DWORD: HideFastUserSwitching, value=1

To remove Lock:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DWORD: DisableLockWorkstation, value=1

To remove Shutdown:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
DWORD: NoClose, value=1
0
 
CrandellCommented:
Use policy to get as far as you can and then use profiles to get the rest of the way. I use this combination successfully all of the time.
0
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

 
Mike ThomasConsultantCommented:
Are you trying to remove the logoff button altogether?
0
 
Mike ThomasConsultantCommented:
This is all a bit moot when the users have access to the run line where they could execute cmd and then the shutdown command mind, you might want to consider removing that too.
0
 
CrandellCommented:
You will not be able to get everything you want removed with policy.  In 2008 the .adm files are now .admx and the client side extensions will not be available.  You can use 2003  and get as far as you have, then you will need to use a profile and registry hacks to ge the rest of the way.  You can set up a workstation in your domain and install the client side extensions there and get access to the new policies available on 2008 server.
0
 
angel_fire2701Commented:
Officially the correct answer would be update your domain to a 2008 ad domain however it may not be suitible for your situation.
So I've heard of a product from a company I use, I know it's not a free solution but I've heard good things about it....
http://www.faronics.com/en/Products/WINSelect/WINSelectKeyFeatures.aspx 
0
 
cadlkidAuthor Commented:
Experts - Thanks for all of your help thus far!

1.  I am confused - If I manually configure the the registry values that "mavalpha" mentioned and it does not remove the  "Logoff", "Shutdown", "Restart", "hibernate"  or "Sleep" buttons in the start menu - How would using the .admx templates in server 2008 be any different?  (don't the GPO's just change these same reg keys?)

2.  I am using a Windows 7 computer on my server 2003 domain - Shouldn't I already have these templates because I am using win7 to configure and manage the GPO's?

I will also try today using a customized profile in conjunction with policy and/or registry settings.

Thanks again!
0
 
CrandellCommented:
Use gpedit.msc and make your changes with local policy on the win 7 box and create the profile locally.
0
 
cadlkidAuthor Commented:
Crandell - Can you please expand on this explanation?  Not sure what you mean by creating the profile locally with local policy?

Forgive my idiocy.

0
 
CrandellCommented:
log on with a user with admin privs.  configure your local group policy editor to the desktop you want to see.  Then logoff and logon with another admin account.  Copy the profile you created to the default users profile.  All users that log on now for the first time will see the profile you created.
0
 
angel_fire2701Commented:
1.  I am confused - If I manually configure the the registry values that "mavalpha" mentioned and it does not remove the  "Logoff", "Shutdown", "Restart", "hibernate"  or "Sleep" buttons in the start menu - How would using the .admx templates in server 2008 be any different?  (don't the GPO's just change these same reg keys?)
Yes/No, Not exactly, new registry information is placed into the computers registry after configuring your GPO, these are more or less an override for the existing registry items. However, some are directly overwritten.

2.  I am using a Windows 7 computer on my server 2003 domain - Shouldn't I already have these templates because I am using win7 to configure and manage the GPO's?
No
A server 2003 domain can only effectively manage policies that have been grandfathered to new OS, so if in Win7 a new policy has been added to the OS then Server 2003 will not be able to configure it because it won't know what the new configurable policies are for that OS, but Server 2008 would be able to manage those new available policies. Which is why it's important to update the functional level of your AD Domain just like you do your computers (if you don't just replace those).
0
All Courses

From novice to tech pro — start learning today.