Solved

Assigning group policies

Posted on 2011-03-04
Last Modified: 2012-05-11
I want to prevent most, but not all, users using terminal services from having access to the shutdown command on the start menu.

I can enable this restriction in the group policy editor for everyone, but I want administrator and one other user to have the access.
So far I have tried creating a new container in the active directory, named NoShutdown.  I then moved one user into that container and assigned the container the "Disable access to the shutdown command" enabled.
But that user still has the shutdown command on his start menu.

Can anyone walk me through how to give this restriction to some users but not to others?

Thanks
Question by:a1electric

Expert Comment

by:Darius Ghassem

Author Comment

by:a1electric
The intro states: "apply specific settings to users based not on their user account’s location in Active Directory, but rather on the location of the Terminal Server Computer Object"

There is only one server here.  Should I move the server out of the Domain Controllers OU and put it in a new one called Terminal Services?

Author Comment

by:a1electric
Before going forward with the loopback idea, I tried what seemed like a more straightforward way after reading this post: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23742159.html
However, the one user I have tested so far still has the shutdown button on his menu.

It makes sense to me, as the link above describes, to make a new OU, put the users in that you want to have the feature, and assign a group policy to that OU.  I have done this, by creating an OU named NoShutdown.  Then I moved in the users to that new OU that I wanted this to apply to.  Then, using the group policy management tool that I downloaded, I created a policy by enabling the "Restrict access to shutdown" option.  But then logging in as a user that is in this new OU, the Shutdown button is still there.

At first I at least could apply the restriction to everyone or disable it for everyone when I wanted by using gpedit, but that no longer has any effect either.

I'm afraid I may have messed up the policies somewhere and can't get them back to the beginning.

Expert Comment

by:Darius Ghassem
Is this a Domain Controller that is running Terminal Server?

Tell me exactly where you are going in GPO

Author Comment

by:a1electric
Yes, this is the only server (we are a very small company), so it is the Domain Controller and it is running Terminal Server.

I open Group Policy Management, go to Group Policy Objects, right click the policy named NoShutdownOption and edit.

Then I click the plus sign next to Administrative Templates under User Configuration.
Next, I click Start Menu and Taskbar
Then I double-click Remove and Prevent Access to the Shutdown Command and disable it.

Then I sign in as a user that is in the NoShutdown OU where this policy is assigned, click the start button and find that the Shutdown command is still there - I want it to be gone for this and the other users in the NoShutdown OU.

Author Comment

by:a1electric
I meant to say that I ENable the Remove and Prevent Access to the Shutdown Command option

Expert Comment

by:Darius Ghassem
Wow then this can be a little issue. Terminal Servers really shouldn't be running on a Domain Controller.

You need to enable remove shutdown button not disable

Author Comment

by:a1electric
Hmm, well, I've been running terminal services on this server for a couple of years now with no problem...the only difference now is that I wiped out the C drive and reinstalled the operating system.

Please see the attached screenshot that shows the options I have available for removing the Shutdown command (not configured, enable, and disable)
RemoveShutdown.png

Expert Comment

by:Darius Ghassem
Apply at Domain Controller GPO level as well.

Author Comment

by:a1electric
Although I know applying at the Domain Controller level worked previously, it does not now.  I must have set something somewhere that messed things up.
I applied the policy to the Domain Controller GPO and logged in as a couple of different users, but the shutdown command is still there.

Expert Comment

by:Darius Ghassem
That should work if you have a gpo applying to users as well.

Try going to User Rights Assignment in the GPO and remove the users or Remote Desktop Group from the Shut down the system option

Author Comment

by:a1electric
Okay, I found out a clue - when I edit the Console1.msc default domain policy, the shutdown command is now gone.  All I need now is to allow administrator and one other user to see the shutdown command.  How do I exclude these two users from the default domain policy configured in the Console1.msc?

Expert Comment

by:Darius Ghassem
You need to go to the Permissions tab of the GPO and Deny apply GPO to these users

Author Comment

by:a1electric
Not working yet, I opened up the Console1.msc, right-clicked on the default domain policy, went to properties, then security.  I added the two users that I want to have the shutdown command (Administrator and Ken), and clicked the box under "Deny" next to "Apply Group Policy".

But both of these users still do not have the shutdown command.

Expert Comment

by:Darius Ghassem
Did you run gpupdate /f? Or reboot?

Author Comment

by:a1electric
I did run gpupdate /force - but the two users still have a shutdown command

Author Comment

by:a1electric
I meant do NOT have a shutdown command.

Author Comment

by:a1electric
Maybe I should start over, now that I've remembered about the Console1.msc.  I don't think I want to deny these two users the group policy, since part of the group policy allows them to use terminal services.
So the big picture is that all users are terminal service users, and all but two have the shutdown command removed.
What I don't get is how to divide these rights up.  If I use OUs, then how do I move all of the users into a "terminal services" group, but then have all but two users in a "no shutdown command" group?

Expert Comment

by:Darius Ghassem
If you want to distribute a GPO that you want different users to not be affected by, then you need to create a GPO just for this setting so you can then deny the users. This is called Security Filtering.

Author Comment

by:a1electric
Okay, I've gotten to where it finally at least made sense where everyone is denied access to the shutdown command.  Attached is the screenshot with as much info as I could get into one screen.
What I tried to do was deny the administrators group the policy of being denied access to the shutdown command, so that the two users in the administrators group will have the shutdown command.

So I think the control of the shutdown button now rests only with the NoShutdown GPO, but I just need to exclude the administrators group from that policy.

thanks for the continued help
GPOsettings.png

Expert Comment

by:Darius Ghassem
Looks like you have permissions right.

Are the Users part of any other Group by chance?

Author Comment

by:a1electric
They are members of Remote Desktop Users

Expert Comment

by:Darius Ghassem
Are you applying GPO to this Group?

Author Comment

by:a1electric
No, there is no GPO applied to that group.  I'm wondering how the hierarchy works with GPOs.  I thought I could tell the Default Domain Policy to remove the shutdown command for all users, then make a separate GPO that allows the shutdown command and only include the administrators group in that GPO.  But that doesn't work.  It appears that the Default Domain Policy overrides any new GPO.  I will try making two separate GPOs, one for everyone to not have the shutdown command, and a second one for the administrators group to have the shutdown command.
Let me know of your thoughts.

Expert Comment

by:Darius Ghassem
You need to make the other GPO that gives users the shutdown higher in priority. But you shouldn't have to do this; you should be able to create a GPO DisableShutdown, apply it to the Domain, go to Security, and Deny Apply this group policy. This is called GPO security filtering.

Author Comment

by:a1electric
Well, I have now made two organizational units, "ShutdownCommand" and "NoShutdownCommand".  I have put the appropriate users in these containers, created GPOs for both and linked the GPO to the OU.  But it still makes no difference - the only thing that makes a difference is to change the Default Domain Security policy.

Expert Comment

by:Darius Ghassem
Crap forgot you are running TS on your Domain Controller

Author Comment

by:a1electric
True, that is my only option, since this is the company's only server.  The policy regarding who had the shutdown command and who didn't was working fine for a year or so until I re-installed the operating system.  Terminal services run fine, this group policy stuff just isn't cooperating this time around.

Expert Comment

by:Darius Ghassem
So if you have a GPO that is applied to the whole domain just for Shutdownremoved, you add the domain users group to this, you then go to the security tab and deny those settings on the users; this doesn't work?

Author Comment

by:a1electric
Don't think so - I believe I followed the couple of steps you just mentioned....The user Administrator had the shutdown command showing, then I opened Group Policy Management and edited the Default Domain Policy.  There I went to User Configuration / Administrative Templates / Start Menu and Taskbar and Enabled "Remove and Prevent Access to the Shutdown command".
I then ran gpupdate /force.  As it should, the Administrator's menu now does not show the Shutdown command.
Then in Group Policy Management main screen I highlighted Default Domain Policy on the left and added the group "Domain Users" on the right under Security Filtering.
I then edited the Default Domain Policy again, right-clicked and clicked on "properties".  On that screen I clicked the security tab and added Administrator.  Then I checked the "Deny" box next to Add Group Policy, then ran gpupdate /force again.
But, the shutdown command is still missing from the Administrator user's start menu.

Expert Comment

by:Darius Ghassem
I really think the issue is because of the Domain Controller.

I'm trying to remember maybe you can't security filter domain policy

Author Comment

by:a1electric
Don't know if this will help, but here are the latest steps and the outcome:

Since I need the shutdown command to restart the server occasionally, I decided for now to have it available to everyone.  So, I went to group policy management and changed the option to Disable for Remove Access to the Shutdown Command in the Default Domain Policy.
That did not bring back the command for user Administrator, so I went to the security tab in the properties of the Default Domain Policy and removed the user Administrator (which had had the Deny box checked).
Removing Administrator from the security tab brought the shutdown command back for Administrator.
So it seems the Deny box has an effect if the No Access to Shutdown is disabled, but no effect if the No Access to Shutdown is enabled.

Accepted Solution

by:
Darius Ghassem earned 250 total points
Another way is you can create batch files to restart the system.

Create a batch file with this content: shutdown -f -r

The above command will restart the system.

Author Comment

by:a1electric
Oh, thanks, I think I'll use that :)
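
How GPO processing order and the Deny "Apply Group Policy" filter discussed in this thread combine, as an added Python model (not code from any poster, and not a Microsoft tool). It covers only container order, link order and security filtering for User Configuration; Enforced links, Block Inheritance and loopback are left out, and the domain, OU, group and user names are constructed placeholders.

```python
from dataclasses import dataclass, field

SHUTDOWN = "Remove and prevent access to the Shut Down command"

@dataclass
class GPO:
    name: str
    user_settings: dict  # policy -> "Enabled"/"Disabled"; absent means Not Configured
    allow_apply: set = field(default_factory=lambda: {"Authenticated Users"})
    deny_apply: set = field(default_factory=set)

    def applies_to(self, principals):
        # A Deny ACE on "Apply Group Policy" overrides any Allow ACE.
        if self.deny_apply & principals:
            return False
        return bool(self.allow_apply & principals)

def resultant(user, groups, ou_path, links):
    """Return {policy: (state, winning GPO)} for a user's User Configuration.

    ou_path: containers from the domain down to the OU holding the user object.
    links:   container -> GPOs in link order (first entry = link order 1).
    """
    principals = {user, "Authenticated Users", *groups}
    result = {}
    for container in ou_path:                           # domain first, own OU last
        for gpo in reversed(links.get(container, [])):  # link order 1 is written last
            if gpo.applies_to(principals):
                for policy, state in gpo.user_settings.items():
                    result[policy] = (state, gpo.name)  # later write wins
    return result

# Constructed sample environment (placeholders, not the poster's domain).
ddp = GPO("Default Domain Policy", {"Other user setting": "Enabled"})
no_shutdown = GPO("NoShutdown", {SHUTDOWN: "Enabled"}, deny_apply={"ShutdownAllowed"})
links = {"example.local": [ddp, no_shutdown]}
path = ["example.local", "OU=Staff"]

def demo():
    staff = resultant("alice", [], path, links)
    exempt = resultant("Ken", ["ShutdownAllowed"], path, links)
    return staff, exempt

if __name__ == "__main__":
    for who, rsop in zip(("alice", "Ken"), demo()):
        print(who, rsop)
```

With the setting in its own GPO, the exempt user loses only the shutdown restriction; a Deny placed on a GPO that also carries other settings drops all of them for that user.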