Solved

Assigning group policies

Posted on 2011-03-04
Last Modified: 2012-05-11
I want to prevent most, but not all, users using terminal services from having access to the shutdown command on the start menu.

I can enable this restriction in the group policy editor for everyone, but I want administrator and one other user to have the access.
So far I have tried creating a new container in the active directory, named NoShutdown.  I then moved one user into that container and assigned the container the "Disable access to the shutdown command" enabled.
But that user still has the shutdown command on his start menu.

Can anyone walk me through how to give this restriction to some users but not to others?

Thanks
Question by:a1electric
34 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35038058
0
 

Author Comment

by:a1electric
ID: 35038784
The intro states: "apply specific settings to users based not on their user account’s location in Active Directory, but rather on the location of the Terminal Server Computer Object"

There is only one server here.  Should I move the server out of the Domain Controllers OU and put it in a new one called Terminal Services?
0
 

Author Comment

by:a1electric
ID: 35039058
Before going forward with the loopback idea, I tried what seemed like a more straightforward way after reading this post: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23742159.html
However, the one user I have tested so far still has the shutdown button on his menu.

It makes sense to me, as the link above describes, to make a new OU, put the users in that you want to have the feature, and assign a group policy to that OU.  I have done this, by creating an OU named NoShutdown.  Then I moved in the users to that new OU that I wanted this to apply to.  Then, using the group policy management tool that I downloaded, I created a policy by enabling the "Restrict access to shutdown" option.  But then logging in as a user that is in this new OU, the Shutdown button is still there.

At first I at least could apply the restriction to everyone or disable it for everyone when I wanted by using gpedit, but that no longer has any effect either.

I'm afraid I may have messed up the policies somewhere and get get them back to the beginning.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35039206
Is this a Domain Controller that is running Terminal Server?

Tell me exactly where you are going in GPO
0
 

Author Comment

by:a1electric
ID: 35039336
Yes, this is the only server (we are a very small company), so it is the Domain Controller and it is running Terminal Server.

I open Group Policy Management, go to Group Policy Objects, right click the policy named NoShutdownOption and edit.

Then I click the plus sign next to Administrative Templates under User Configuration.
Next, I click Start Menu and Taskbar.
Then I double-click Remove and Prevent Access to the Shutdown Command and disable it.

Then I sign in as a user that is in the NoShutdown OU where this policy is assigned, click the start button and find that the Shutdown command is still there - I want it to be gone for this and the other users in the NoShutdown OU.

0
 

Author Comment

by:a1electric
ID: 35039364
I meant to say that I ENable the Remove and Prevent Access to the Shutdown Command option
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35040106
Wow then this can be a little issue. Terminal Servers really shouldn't be running on a Domain Controller.

You need to enable remove shutdown button not disable
0
 

Author Comment

by:a1electric
ID: 35040249
Hmm, well, I've been running terminal services on this server for a couple of years now with no problem...the only difference now is that I wiped out the C drive and reinstalled the operating system.

Please see the attached screenshot that shows the options I have available for removing the Shutdown command (not configured, enable, and disable)
RemoveShutdown.png
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35040858
Apply at Domain Controller GPO level as well.
0
 

Author Comment

by:a1electric
ID: 35056335
Although I know applying at the Domain Controller level worked previously, it does not now.  I must have set something somewhere that messed things up.
I applied the policy to the Domain Controller GPO and logged in as a couple of different users, but the shutdown command is still there.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35057832
That should work if you have a gpo applying to users as well.

Try going to User Right Assignment in the GPO and remove the users or Remote Desktop Group from the Shutdown the system option.
0
 

Author Comment

by:a1electric
ID: 35058856
Okay, I found out a clue - when I edit the Console1.msc default domain policy, the shutdown command is now gone.  All I need  now is to allow administrator and one other user to see the shutdown command.  How do I exclude these two users from the default domain policy configured in the Console1.msc?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35058876
You need to go to the Permissions tab of the GPO and Deny apply GPO to these users
0
 

Author Comment

by:a1electric
ID: 35059144
Not working yet, I opened up the Console1.msc, right-clicked on the default domain policy, went to properties, then security.  I added the two users that I want to have the shutdown command (Administrator and Ken), and clicked the box under "Deny" next to "Apply Group Policy".

But both of these users still do not have the shutdown command.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35059402
Did you run gpupdate /f? Or reboot?
0
 

Author Comment

by:a1electric
ID: 35059732
I did run gpupdate /force - but the two users still have a shutdown command
0
 

Author Comment

by:a1electric
ID: 35059824
I meant do NOT have a shutdown command.
0
 

Author Comment

by:a1electric
ID: 35060326
Maybe I should start over, now that I've remembered about the Console1.msc.  I don't think I want to deny these two users the group policy, since part of the group policy allows them to use terminal services.
So the big picture is that all users are terminal service users, and all but two have the shutdown command removed.
What I don't get is how to divide these rights up.  If I use OUs, then how do I move all of the users into a "terminal services" group, but then have all but two users in a "no shutdown command" group?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35060865
If you want to distribute a GPO that you want different users to not be affected by, then you need to create a GPO just for this setting so you can then deny the users. This is called Security Filtering.
0
 

Author Comment

by:a1electric
ID: 35061942
Okay, I've gotten to where it finally at least made sense where everyone is denied access to the shutdown command.  Attached is the screenshot with as much info as I could get into one screen.  
What I tried to do was deny the administrators group the policy of being denied access to the shutdown command, so that the two users in the administrators group will have the shutdown command.

So I think the control of the shutdown button now rests only with the NoShutdown GPO, but I just need to exclude the administrators group from that policy.

thanks for the continued help
GPOsettings.png
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35061979
Looks like you have permissions right.

Are the Users part of any other Group by chance?
0
 

Author Comment

by:a1electric
ID: 35068857
They are members of Remote Desktop Users
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35069510
Are you applying GPO to this Group?
0
 

Author Comment

by:a1electric
ID: 35070773
No, there is no GPO applied to that group.  I'm wondering how the hierarchy works with GPOs.  I thought I could tell the Default Domain Policy to remove the shutdown command for all users, then make a separate GPO that allows the shutdown command and only include the administrators group in that GPO.  But that doesn't work.  It appears that the Default Domain Policy overrides any new GPO.  I will try making two separate GPOs, one for everyone to not have the shutdown command, and a second one for the administrators group to have the shutdown command.
Let me know of your thoughts.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35071027
You need to make the other GPO that gives users the shutdown higher in priority. But you shouldn't have to do this; you should be able to create a GPO DisableShutdown, apply it to the Domain, go to Security, and Deny "Apply this group policy". This is called GPO security filtering.
0
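GPO security filtering as discussed in this thread, as an added example that is not part of any post: a dedicated GPO carries only the shutdown restriction and applies only to members of one group, so accounts outside that group keep the command without any Deny entry. It assumes the GroupPolicy PowerShell module (Windows Server 2012 or later, or RSAT); the GPO name, domain DN, group and test user are placeholders.

```powershell
# Added example. Run from an elevated session on a machine with the
# Group Policy Management tools installed.
Import-Module GroupPolicy

# Placeholder names for this sketch; substitute your own.
$GpoName  = 'NoShutdown'
$DomainDN = 'DC=example,DC=local'    # placeholder domain
$Group    = 'NoShutdownUsers'        # hypothetical group holding the restricted users
$TestUser = 'EXAMPLE\testuser'       # hypothetical member of that group

# 1. A GPO that holds only this one setting, so filtering it cannot
#    withhold unrelated settings (logon rights, password policy, ...).
New-GPO -Name $GpoName -Comment 'Hide Shut Down for restricted users' | Out-Null

# 2. The user-side policy "Remove and prevent access to the Shut Down
#    command" is stored as NoClose=1 under the Explorer policies key.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoClose' -Type DWord -Value 1 | Out-Null

# 3. Link at the domain root: user settings follow the location of the
#    user object, and the default Users container cannot take a link.
New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes | Out-Null

# 4. Security filtering: Authenticated Users drops from "read + apply"
#    to read only; the restricted group alone gets "apply".
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $Group `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 5. Check the ACL that resulted.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 6. After the test user has logged on to this machine at least once,
#    the RSoP report lists which GPOs were applied and which were
#    filtered out for that account.
Get-GPResultantSetOfPolicy -User $TestUser -ReportType Html `
    -Path (Join-Path $env:TEMP 'rsop-noshutdown.html')
```

Group membership is read at logon, so a user added to the group has to log off and on again before the filter takes effect for them.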
 

Author Comment

by:a1electric
ID: 35071471
Well, I have now made two organizational units, "ShutdownCommand" and "NoShutdownCommand".  I have put the appropriate users in these containers, created GPOs for both and linked the GPO to the OU.  But it still makes no difference - the only thing that makes a difference is to change the Default Domain Security policy.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35073290
Crap forgot you are running TS on your Domain Controller
0
 

Author Comment

by:a1electric
ID: 35073740
True, that is my only option, since this is the company's only server.  The policy regarding who had the shutdown command and who didn't was working fine for a year or so until I re-installed the operating system.  Terminal services run fine, this group policy stuff just isn't cooperating this time around.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35073781
So if you have a GPO that is applied to the whole domain just for Shutdownremoved, you add the domain users group to this, and you then go to the security tab and deny those settings on the users, this doesn't work?
0
 

Author Comment

by:a1electric
ID: 35074104
Don't think so - I believe I followed the couple of steps you just mentioned....The user Administrator had the shutdown command showing, then I opened Group Policy Management and edited the Default Domain Policy.  There I went to User Configuration / Administrative Templates / Start Menu and Taskbar and Enabled "Remove and Prevent Access to the Shutdown command".
I then ran gpupdate /force.  As it should, the Administrator's menu now does not show the Shutdown command.
Then in Group Policy Management main screen I highlighted Default Domain Policy on the left and added the group "Domain Users" on the right under Security Filtering.
I then edited the Default Domain Policy again, right-clicked and clicked on "properties".  On that screen I clicked the security tab and added Administrator.  Then I checked the "Deny" box next to Add Group Policy, then ran gpupdate /force again.
But, the shutdown command is still missing from the Administrator user's start menu.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35083435
I really think the issue is because of the Domain Controller.

I'm trying to remember maybe you can't security filter domain policy
0
 

Author Comment

by:a1electric
ID: 35095040
Don't know if this will help, but here are the latest steps and the outcome:

Since I need the shutdown command to restart the server occasionally, I decided for now to have it available to everyone.  So, I went to group policy management and changed the option to Disable for Remove Access to the Shutdown Command in the Default Domain Policy.
That did not bring back the command for user Administrator, so I went to the security tab in the properties of the Default Domain Policy and removed the user Administrator (which had had the Deny box checked).  
Removing Administrator from the security tab brought the shutdown command back for Administrator.
So it seems the Deny box has an effect if the No Access to Shutdown is disabled, but no effect if the No Access to Shutdown is enabled.
0
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 250 total points
ID: 35097364
Another way is you can create batch files to restart the system.

Create a batch file with this content: shutdown -f -r

The above command will restart system.
0
 

Author Comment

by:a1electric
ID: 35097626
Oh, thanks, I think I'll use that :)
0


Question has a verified solution.
