Assigning group policies

I want to prevent most, but not all, users using terminal services from having access to the shutdown command on the start menu.

I can enable this restriction in the group policy editor for everyone, but I want administrator and one other user to have the access.
So far I have tried creating a new container in the active directory, named NoShutdown.  I then moved one user into that container and assigned the container the "Disable access to the shutdown command" enabled.
But that user still has the shutdown command on his start menu.

Can anyone walk me through how to give this restriction to some users but not to others?

Thanks
a1electricAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Darius GhassemConnect With a Mentor Commented:
Another way is you can create create batch files to restart the system

Create batch file call with this content shutdown -f -r

The above command will restart system.
0
 
a1electricAuthor Commented:
The intro states: "apply specific settings to users based not on their user account’s location in Active Directory, but rather on the location of the Terminal Server Computer Object"

There is only one server here.  Should I move the server out of the Domain Controllers OU and put it in a new one called Terminal Services?
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
a1electricAuthor Commented:
Before going forward with the loopback idea, I tried what seemed like a more straightforward way after reading this post: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23742159.html
However, the one user I have tested so far still has the shutdown button on his menu.

It makes sense to me, as the link above describes, to make a new OU, put the users in that you want to have the feature, and assign a group policy to that OU.  I have done this, by creating an OU named NoShutdown.  Then I moved in the users to that new OU that I wanted this to apply to.  Then, using the group policy management tool that I downloaded, I created a policy by enabling the "Restric access to shutdown" option.  But then logging in as a user that is in this new OU, the Shutdown button is still there.

At first I at least could apply the restriction to everyone or disable it for everyone when I wanted by using gpedit, but that no longer has any effect either.

I'm afraid I may have messed up the policies somewhere and get get them back to the beginning.
0
 
Darius GhassemCommented:
Is this a Domain Controller that is running Terminal Server?

Tell me exactly where you are going in GPO
0
 
a1electricAuthor Commented:
Yes, this is the only server - we are a very small company - , so it is the Domain Controller and it is running Terminal Server.

I open Group Policy Management, go to Group Policy Objects, right click the policy named NoShutdownOption and edit.

Then I click the plus sign next to Administrative Templates under User Configuration.
Next, I click Start Menu and Taskbar
Then I doubleclick Remove and Prevent Access to the Shutdown Commnad and disable it.

Then I sign in as a user that is in the NoShutdown OU where this policy is assigned, click the start button and find that the Shutdown command is still there - I want it to be gone for this and the other users in the NoShutdown OU.

0
 
a1electricAuthor Commented:
I meant to say that I ENable the Remove and Prevent Access to the Shutdown Command option
0
 
Darius GhassemCommented:
Wow then this can be a little issue. Terminal Servers really shouldn't be running on a Domain Controller.

You need to enable remove shutdown button not disable
0
 
a1electricAuthor Commented:
Hmm, well, I've been running terminal services on this server for a couple of years now with no problem...the only difference now is that I wiped out the C drive and reinstalled the operating system.

Please see the attached screenshot that shows the options I have available for removing the Shutdown command (not configured, enable, and disable)
RemoveShutdown.png
0
 
Darius GhassemCommented:
Apply at Domain Controller GPO level as well.
0
 
a1electricAuthor Commented:
Although I know applying at the Domain Controller level worked previously, it does not now.  I must have set something somewhere that messed things up.
I applied the policy to the Domain Controller GPO and logged in as a couple of different users, but the shutdown command is still there.
0
 
Darius GhassemCommented:
That should work if you have a gpo applying to users as well.

Try going to User Right Assignment in the GPO remove the users or Remote Desktop Group from Shutdown the system option
0
 
a1electricAuthor Commented:
Okay, I found out a clue - when I edit the Console1.msc default domain policy, the shutdown command is now gone.  All I need  now is to allow administrator and one other user to see the shutdown command.  How do I exclude these two users from the default domain policy configured in the Console1.msc?
0
 
Darius GhassemCommented:
You need to go to the Permissions tab of the GPO and Deny apply GPO to these users
0
 
a1electricAuthor Commented:
Not working yet, I opened up the Console1.msc, right-clicked on the default domain policy, went to properties, then security.  I added the two users that I want to have the shutdown command (Administrator and Ken), and clicked the box under "Deny" next to "Apply Group Policy".

But both of these users still do not have the shutdown command.
0
 
Darius GhassemCommented:
Did you run gpupdate /f? Or reboot?
0
 
a1electricAuthor Commented:
i did run gpudate /force - but the two users still have a shutdown command
0
 
a1electricAuthor Commented:
I meant do NOT have a shutdown command.
0
 
a1electricAuthor Commented:
Maybe I should start over, now that I've remembered about the Console1.msc.  I don't think I want to deny these two users the group policy, since part of the group policy allows them to use terminal services.
So the big picture is that all users are terminal service users, and all but two have the shutdown command removed.
What I don't get is how to divide these rights up.  If I use OUs, then how do I move all of the users into a "terminal services" group, but then have all but two users in a "no shutdown command" group?
0
 
Darius GhassemCommented:
if you want to distribute a GPO that you want different users to not be affected then you need to create a GPO just for this setting so you can then deny the users this is call Security Filtering
0
 
a1electricAuthor Commented:
Okay, I've gotten to where it finally at least made sense where everyone is denied access to the shutdown command.  Attached is the screenshot with as much info as I could get into one screen.  
What I tried to do was deny the administrators group the policy of being denied access to the shutdown command, so that the two users in the administrators group will have the shutdown command.

So I think the control of the shutdown button now rests only with the NoShutdown GPO, but I just need to exclude the administrators group from that policy.

thanks for the continued help
GPOsettings.png
0
 
Darius GhassemCommented:
Looks like you have permissions right.

Are the Users part of any other Group by chance?
0
 
a1electricAuthor Commented:
They are members of Remote Desktop Users
0
 
Darius GhassemCommented:
Are you applying GPO to this Group?
0
 
a1electricAuthor Commented:
No, there is no GPO applied to that group.  I'm wondering how the hierarchy works with GPOs.  I thought I could tell the Default Domain Policy to remove the shutdown command for all users, then make a separate GPO that allows the shutdown command and only include the administrators group in that GPO.  But that doesn't work.  It appears that the Default Domain Policy overrides any new GPO.  I will try making two separate GPOs, one for everyone to not have the shutdown command, and a second one for the administrators group to have the shutdown command.
Let me know of your thoughts.
0
 
Darius GhassemCommented:
You need to make the other GPO that gives users the shutdown higher in priority. But you shouldn't have to do this you should be able to create GPO DisableShutdown apply to Domain go to Security Deny Apply this group policy this is called gpo security filtering
0
 
a1electricAuthor Commented:
Well, I have now made two organizational units ''ShutdowCommand" and "NoShutdownCommand"  I have put the appropriate users in these containters, created GPOs for both and linked the GPO to the OU.  But it still  makes no difference - the only thing that makes a difference is to change the Default Domain Security policy.
0
 
Darius GhassemCommented:
Crap forgot you are running TS on your Domain Controller
0
 
a1electricAuthor Commented:
True, that is my only option, since this is the company's only server.  The policy regarding who had the shutdown command and who didn't was working fine for a year or so  until I re-installed the operating system.  Terminal services run fine, this goup policy stuff just isn't cooperating this time around.
0
 
Darius GhassemCommented:
So if you have GPO that is applied to the whole domain just for Shutdownremoved you add  the domain users group to this you then go to the security tab and deny those settings on the users this doesn't work?
0
 
a1electricAuthor Commented:
Don't think so - I believe I followed the couple of steps you just mentioned....The user Administrator had the shutdown command showing, then I opened Group Policy Management and edited the Default Domain Policy.  There I went to User Configuration / Administrative Templates / Start Menu and Taskbar and Enabled "Remove and Prevent Access to the Shutdown command".
I then ran gpupdate / force.  As it should, the Administrator's menu now does not show the Shutdown command.
Then in Group Policy Management main screen I highlighted Default Domain Policy on the left and added the group "Domain Users" on the right under Security Filtering.
I then edited the Default Domain Policy again, right-clicked and clicked on "properties".  On that screen I clicked the security tab and added Administrator.  Then I checked the "Deny" box next to Add Group Policy, then rand gpupdate /force again.
But, the shutdown command is still missing from the Administrator user's start menu.
0
 
Darius GhassemCommented:
I really think the issue is because of the Domain Controller.

I'm trying to remember maybe you can't security filter domain policy
0
 
a1electricAuthor Commented:
Don't know if this will help, but here are the latest steps and the outcome:

Since I need the shutdown command to restart the server occasionally, I decided for now to have it available to everyone.  So, I went to group policy management and changed the option to Disable for Remove Access to the Shutdown Command in the Default Domain Policy.
That did not bring back the command for user Administrator, so I went to the security tab in the properties of the Default Domain Policy and removed the user Administrator (which had had the Deny box checked).  
Removing Administrator from the security tab brought the shutdown command back for Administrator.
So it seems the Deny box has an effect if the No Access to Shutdown is disabled, but no effect if the No Access to Shutdown is enabled.
0
 
a1electricAuthor Commented:
Oh, thanks, I think I'll use that :)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.