windows 7 logoff

In my environment (Windows 7 Pro on Server 2003 ad domain) it is not desirable to display the "Logoff", "Shutdown", "Restart", "hibernate"  or "Sleep" buttons in the start menu.  

If I enable the following GPO, the logoff button disappears like desired:  
 - User Configuration > Administrative Templates > Start Menu and Taskbar -"Remove Logoff on the Start Menu"

This is great, but...

If I also enable the following GPO along with the above policy, the logoff button reappears:
 -User Configuration > Administrative Templates > Start Menu and Taskbar -"Remove and Prevent access to the Shut Down, Restart, Sleep and Hibernate Commands"

No so good!  I have also tried adding the "NoClose" and "StartMenuLogoff" registry entries to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer key and this yields the same results.  

When both are configured together, I have attached a photo of what the start menu looks like.

I will grant max points for whoever can help me successfully remove all of the said entries from the start menu in Windows 7 Pro. - I have been working on this way too long!

Thanks in advance.
Logoff.jpg
cadlkidAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

mavalphaCommented:
Mixing REGEDIT and GPEDIT.MSC can be problematic, so I use registry changes wherever possible.  Consider reverting all of your relevant GPO settings back to default before trying these, to prevent unintended interactions:

To remove Logoff:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
DWORD: StartMenuLogOff, value=1

To remove Switch user:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DWORD: HideFastUserSwitching, value=1

To remove Lock:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DWORD: DisableLockWorkstation, value=1

To remove Shutdown:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
DWORD: NoClose, value=1
0
CrandellCommented:
Use policy to get as far as you can and then use profiles to get the rest of the way. I use this combination successfully all of the time.
0
Mike ThomasConsultantCommented:
Are you trying to remove the logoff button altogether?
0
Cloud Class® Course: C++ 11 Fundamentals

This course will introduce you to C++ 11 and teach you about syntax fundamentals.

Mike ThomasConsultantCommented:
This is all a bit moot when the users have access to the run line where they could execute cmd and then the shutdown command mind, you might want to consider removing that too.
0
CrandellCommented:
You will not be able to get everything you want removed with policy.  In 2008 the .adm files are now .admx and the client side extensions will not be available.  You can use 2003  and get as far as you have, then you will need to use a profile and registry hacks to ge the rest of the way.  You can set up a workstation in your domain and install the client side extensions there and get access to the new policies available on 2008 server.
0
angel_fire2701Commented:
Officially the correct answer would be update your domain to a 2008 ad domain however it may not be suitible for your situation.
So I've heard of a product from a company I use, I know it's not a free solution but I've heard good things about it....
http://www.faronics.com/en/Products/WINSelect/WINSelectKeyFeatures.aspx 
0
cadlkidAuthor Commented:
Experts - Thanks for all of your help thus far!

1.  I am confused - If I manually configure the the registry values that "mavalpha" mentioned and it does not remove the  "Logoff", "Shutdown", "Restart", "hibernate"  or "Sleep" buttons in the start menu - How would using the .admx templates in server 2008 be any different?  (don't the GPO's just change these same reg keys?)

2.  I am using a Windows 7 computer on my server 2003 domain - Shouldn't I already have these templates because I am using win7 to configure and manage the GPO's?

I will also try today using a customized profile in conjunction with policy and/or registry settings.

Thanks again!
0
CrandellCommented:
Use gpedit.msc and make your changes with local policy on the win 7 box and create the profile locally.
0
cadlkidAuthor Commented:
Crandell - Can you please expand on this explanation?  Not sure what you mean by creating the profile locally with local policy?

Forgive my idiocy.

0
CrandellCommented:
log on with a user with admin privs.  configure your local group policy editor to the desktop you want to see.  Then logoff and logon with another admin account.  Copy the profile you created to the default users profile.  All users that log on now for the first time will see the profile you created.
0
angel_fire2701Commented:
1.  I am confused - If I manually configure the the registry values that "mavalpha" mentioned and it does not remove the  "Logoff", "Shutdown", "Restart", "hibernate"  or "Sleep" buttons in the start menu - How would using the .admx templates in server 2008 be any different?  (don't the GPO's just change these same reg keys?)
Yes/No, Not exactly, new registry information is placed into the computers registry after configuring your GPO, these are more or less an override for the existing registry items. However, some are directly overwritten.

2.  I am using a Windows 7 computer on my server 2003 domain - Shouldn't I already have these templates because I am using win7 to configure and manage the GPO's?
No
A server 2003 domain can only effectively manage policies that have been grandfathered to new OS, so if in Win7 a new policy has been added to the OS then Server 2003 will not be able to configure it because it won't know what the new configurable policies are for that OS, but Server 2008 would be able to manage those new available policies. Which is why it's important to update the functional level of your AD Domain just like you do your computers (if you don't just replace those).
0
cadlkidAuthor Commented:
I figured this out...

If these 7 entries are configured in a GPO, the "lock" button is shown on the start menu, but it is inactive...

1.  User Configuration > Administrative Templates > Start Menu and Taskbar -"Remove and Prevent Access to the Shut Down, Restart, Sleep and Hibernate Commands"

2.  User Configuration > Administrative Templates > Start Menu and Taskbar -"Remove Logoff on the Start Menu"

3.  User Configuration > Administrative Templates > Start Menu and Taskbar -"Change Start Menu power button" - "Lock"

4.  User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options > "Remove Change Password" > "Enabled"

5.  User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options > "Remove Lock Computer" > "Enabled"

6.  User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options > "Remove Logoff" > "Enabled"

7.  User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options > "Remove Task Manager" > "Enabled"


Thanks again for all of your help!
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 7

From novice to tech pro — start learning today.