a1electric

Assigning group policies

I want to prevent most, but not all, users using terminal services from having access to the shutdown command on the start menu.

I can enable this restriction in the group policy editor for everyone, but I want administrator and one other user to have the access.
So far I have tried creating a new container in the active directory, named NoShutdown.  I then moved one user into that container and assigned the container the "Disable access to the shutdown command" enabled.
But that user still has the shutdown command on his start menu.

Can anyone walk me through how to give this restriction to some users but not to others?

Thanks
Darius Ghassem

a1electric (ASKER)

The intro states: "apply specific settings to users based not on their user account’s location in Active Directory, but rather on the location of the Terminal Server Computer Object"

There is only one server here.  Should I move the server out of the Domain Controllers OU and put it in a new one called Terminal Services?
Before going forward with the loopback idea, I tried what seemed like a more straightforward way after reading this post: https://www.experts-exchange.com/questions/23742159/Group-Policies-for-Dummies-Lock-down-2-machines-within-20-PC-domain.html
However, the one user I have tested so far still has the shutdown button on his menu.

It makes sense to me, as the link above describes, to make a new OU, put the users in that you want to have the feature, and assign a group policy to that OU.  I have done this, by creating an OU named NoShutdown.  Then I moved in the users to that new OU that I wanted this to apply to.  Then, using the group policy management tool that I downloaded, I created a policy by enabling the "Restrict access to shutdown" option.  But then logging in as a user that is in this new OU, the Shutdown button is still there.

At first I at least could apply the restriction to everyone or disable it for everyone when I wanted by using gpedit, but that no longer has any effect either.

I'm afraid I may have messed up the policies somewhere and can't get them back to the beginning.
Is this a Domain Controller that is running Terminal Server?

Tell me exactly where you are going in GPO
Yes, this is the only server (we are a very small company), so it is the Domain Controller and it is running Terminal Server.

I open Group Policy Management, go to Group Policy Objects, right click the policy named NoShutdownOption and edit.

Then I click the plus sign next to Administrative Templates under User Configuration.
Next, I click Start Menu and Taskbar
Then I double-click Remove and Prevent Access to the Shutdown Command and disable it.

Then I sign in as a user that is in the NoShutdown OU where this policy is assigned, click the start button and find that the Shutdown command is still there - I want it to be gone for this and the other users in the NoShutdown OU.

I meant to say that I ENable the Remove and Prevent Access to the Shutdown Command option
Wow then this can be a little issue. Terminal Servers really shouldn't be running on a Domain Controller.

You need to enable "remove shutdown button", not disable it.
Hmm, well, I've been running terminal services on this server for a couple of years now with no problem...the only difference now is that I wiped out the C drive and reinstalled the operating system.

Please see the attached screenshot that shows the options I have available for removing the Shutdown command (not configured, enable, and disable)
RemoveShutdown.png
Apply at Domain Controller GPO level as well.
Although I know applying at the Domain Controller level worked previously, it does not now.  I must have set something somewhere that messed things up.
I applied the policy to the Domain Controller GPO and logged in as a couple of different users, but the shutdown command is still there.
That should work if you have a gpo applying to users as well.

Try going to User Rights Assignment in the GPO and remove the users or Remote Desktop group from the "Shut down the system" option.
Okay, I found out a clue - when I edit the Console1.msc default domain policy, the shutdown command is now gone.  All I need now is to allow administrator and one other user to see the shutdown command.  How do I exclude these two users from the default domain policy configured in the Console1.msc?
You need to go to the Permissions tab of the GPO and Deny apply GPO to these users
Not working yet, I opened up the Console1.msc, right-clicked on the default domain policy, went to properties, then security.  I added the two users that I want to have the shutdown command (Administrator and Ken), and clicked the box under "Deny" next to "Apply Group Policy".

But both of these users still do not have the shutdown command.
Did you run gpupdate /f? Or reboot?
I did run gpupdate /force - but the two users still have a shutdown command
I meant do NOT have a shutdown command.
Maybe I should start over, now that I've remembered about the Console1.msc.  I don't think I want to deny these two users the group policy, since part of the group policy allows them to use terminal services.
So the big picture is that all users are terminal service users, and all but two have the shutdown command removed.
What I don't get is how to divide these rights up.  If I use OUs, then how do I move all of the users into a "terminal services" group, but then have all but two users in a "no shutdown command" group?
If you want to distribute a GPO that you want different users to not be affected by, then you need to create a GPO just for this setting so you can then deny the users. This is called Security Filtering.
Okay, I've gotten to where it finally at least made sense where everyone is denied access to the shutdown command.  Attached is the screenshot with as much info as I could get into one screen.  
What I tried to do was deny the administrators group the policy of being denied access to the shutdown command, so that the two users in the administrators group will have the shutdown command.

So I think the control of the shutdown button now rests only with the NoShutdown GPO, but I just need to exclude the administrators group from that policy.

thanks for the continued help
GPOsettings.png
Looks like you have permissions right.

Are the Users part of any other Group by chance?
They are members of Remote Desktop Users
Are you applying GPO to this Group?
No, there is no GPO applied to that group.  I'm wondering how the hierarchy works with GPOs.  I thought I could tell the Default Domain Policy to remove the shutdown command for all users, then make a separate GPO that allows the shutdown command and only include the administrators group in that GPO.  But that doesn't work.  It appears that the Default Domain Policy overrides any new GPO.  I will try making two separate GPOs, one for everyone to not have the shutdown command, and a second one for the administrators group to have the shutdown command.
Let me know of your thoughts.
You need to make the other GPO that gives users the shutdown higher in priority. But you shouldn't have to do this. You should be able to create a GPO DisableShutdown, apply it to the Domain, go to Security, and Deny "Apply this group policy". This is called GPO security filtering.
Well, I have now made two organizational units "ShutdowCommand" and "NoShutdownCommand".  I have put the appropriate users in these containers, created GPOs for both and linked the GPO to the OU.  But it still makes no difference - the only thing that makes a difference is to change the Default Domain Security policy.
Crap forgot you are running TS on your Domain Controller
True, that is my only option, since this is the company's only server.  The policy regarding who had the shutdown command and who didn't was working fine for a year or so until I re-installed the operating system.  Terminal services run fine, this group policy stuff just isn't cooperating this time around.
So if you have a GPO that is applied to the whole domain just for Shutdownremoved, you add the domain users group to this, you then go to the security tab and deny those settings on the users, this doesn't work?
Don't think so - I believe I followed the couple of steps you just mentioned....The user Administrator had the shutdown command showing, then I opened Group Policy Management and edited the Default Domain Policy.  There I went to User Configuration / Administrative Templates / Start Menu and Taskbar and Enabled "Remove and Prevent Access to the Shutdown command".
I then ran gpupdate /force.  As it should, the Administrator's menu now does not show the Shutdown command.
Then in Group Policy Management main screen I highlighted Default Domain Policy on the left and added the group "Domain Users" on the right under Security Filtering.
I then edited the Default Domain Policy again, right-clicked and clicked on "properties".  On that screen I clicked the security tab and added Administrator.  Then I checked the "Deny" box next to Add Group Policy, then ran gpupdate /force again.
But, the shutdown command is still missing from the Administrator user's start menu.
I really think the issue is because of the Domain Controller.

I'm trying to remember, maybe you can't security filter domain policy.
Don't know if this will help, but here are the latest steps and the outcome:

Since I need the shutdown command to restart the server occasionally, I decided for now to have it available to everyone.  So, I went to group policy management and changed the option to Disable for Remove Access to the Shutdown Command in the Default Domain Policy.
That did not bring back the command for user Administrator, so I went to the security tab in the properties of the Default Domain Policy and removed the user Administrator (which had had the Deny box checked).  
Removing Administrator from the security tab brought the shutdown command back for Administrator.
So it seems the Deny box has an effect if the No Access to Shutdown is disabled, but no effect if the No Access to Shutdown is enabled.
ASKER CERTIFIED SOLUTION
Darius Ghassem
Oh, thanks, I think I'll use that :)
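
The dedicated-GPO security filtering approach discussed in the thread, scripted as an added example that is not part of the original posts. It assumes a server with the GroupPolicy and ActiveDirectory PowerShell modules available; the group name TS-NoShutdown is hypothetical, and the script filters by granting Apply to that group instead of adding a Deny entry for the two exempt users.

```powershell
# Added example (not from the thread). Assumes the GroupPolicy and
# ActiveDirectory modules; run as a domain administrator.
Import-Module GroupPolicy, ActiveDirectory

$GpoName   = 'NoShutdown'            # GPO name used in the thread
$GroupName = 'TS-NoShutdown'         # hypothetical group: users who lose Shut Down
$Exempt    = 'Administrator', 'Ken'  # the two users who keep the command
$DomainDN  = (Get-ADDomain).DistinguishedName

# 1. Group holding every Remote Desktop user except the two exempt accounts.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
$current    = @((Get-ADGroupMember -Identity $GroupName).SamAccountName)
$restricted = Get-ADGroupMember -Identity 'Remote Desktop Users' -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and
                   $Exempt  -notcontains $_.SamAccountName -and
                   $current -notcontains $_.SamAccountName }
if ($restricted) { Add-ADGroupMember -Identity $GroupName -Members $restricted }

# 2. A GPO that carries only this one setting. NoClose=1 is the registry value
#    behind "Remove and prevent access to the Shut Down command".
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}
Set-GPRegistryValue -Name $GpoName -ValueName 'NoClose' -Type DWord -Value 1 `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' | Out-Null

# 3. Security filtering: Authenticated Users keep Read but lose Apply,
#    and only the restricted group gets Read + Apply.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Link at the domain root so user location in OUs does not matter.
if ((Get-GPInheritance -Target $DomainDN).GpoLinks.DisplayName -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes | Out-Null
}

# 5. Show the resulting ACL. The same setting must be "Not Configured" in the
#    Default Domain Policy, or it will still apply to the exempt users.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

New group membership is picked up at the user's next logon; after that, `gpupdate /force` followed by `gpresult /r /scope user` in each account's session shows whether NoShutdown is listed under applied or filtered-out GPOs.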