Solved

Assigning group policies

Posted on 2011-03-04
Last Modified: 2012-05-11
I want to prevent most, but not all, users using terminal services from having access to the shutdown command on the start menu.

I can enable this restriction in the group policy editor for everyone, but I want administrator and one other user to have the access.
So far I have tried creating a new container in the active directory, named NoShutdown.  I then moved one user into that container and assigned the container the "Disable access to the shutdown command" enabled.
But that user still has the shutdown command on his start menu.

Can anyone walk me through how to give this restriction to some users but not to others?

Thanks
Question by:a1electric
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35038058
0
 

Author Comment

by:a1electric
ID: 35038784
The intro states: "apply specific settings to users based not on their user account’s location in Active Directory, but rather on the location of the Terminal Server Computer Object"

There is only one server here.  Should I move the server out of the Domain Controllers OU and put it in a new one called Terminal Services?
0
 

Author Comment

by:a1electric
ID: 35039058
Before going forward with the loopback idea, I tried what seemed like a more straightforward way after reading this post: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23742159.html
However, the one user I have tested so far still has the shutdown button on his menu.

It makes sense to me, as the link above describes, to make a new OU, put the users in that you want to have the feature, and assign a group policy to that OU.  I have done this, by creating an OU named NoShutdown.  Then I moved in the users to that new OU that I wanted this to apply to.  Then, using the group policy management tool that I downloaded, I created a policy by enabling the "Restrict access to shutdown" option.  But then logging in as a user that is in this new OU, the Shutdown button is still there.

At first I at least could apply the restriction to everyone or disable it for everyone when I wanted by using gpedit, but that no longer has any effect either.

I'm afraid I may have messed up the policies somewhere and get get them back to the beginning.
0

 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35039206
Is this a Domain Controller that is running Terminal Server?

Tell me exactly where you are going in GPO
0
 

Author Comment

by:a1electric
ID: 35039336
Yes, this is the only server - we are a very small company - so it is the Domain Controller and it is running Terminal Server.

I open Group Policy Management, go to Group Policy Objects, right click the policy named NoShutdownOption and edit.

Then I click the plus sign next to Administrative Templates under User Configuration.
Next, I click Start Menu and Taskbar
Then I double-click Remove and Prevent Access to the Shutdown Command and disable it.

Then I sign in as a user that is in the NoShutdown OU where this policy is assigned, click the start button and find that the Shutdown command is still there - I want it to be gone for this and the other users in the NoShutdown OU.

0
 

Author Comment

by:a1electric
ID: 35039364
I meant to say that I ENable the Remove and Prevent Access to the Shutdown Command option
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35040106
Wow then this can be a little issue. Terminal Servers really shouldn't be running on a Domain Controller.

You need to enable remove shutdown button not disable
0
 

Author Comment

by:a1electric
ID: 35040249
Hmm, well, I've been running terminal services on this server for a couple of years now with no problem...the only difference now is that I wiped out the C drive and reinstalled the operating system.

Please see the attached screenshot that shows the options I have available for removing the Shutdown command (not configured, enable, and disable)
RemoveShutdown.png
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35040858
Apply at Domain Controller GPO level as well.
0
 

Author Comment

by:a1electric
ID: 35056335
Although I know applying at the Domain Controller level worked previously, it does not now.  I must have set something somewhere that messed things up.
I applied the policy to the Domain Controller GPO and logged in as a couple of different users, but the shutdown command is still there.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35057832
That should work if you have a gpo applying to users as well.

Try going to User Rights Assignment in the GPO and remove the users or Remote Desktop Group from the Shutdown the system option.
0
 

Author Comment

by:a1electric
ID: 35058856
Okay, I found out a clue - when I edit the Console1.msc default domain policy, the shutdown command is now gone.  All I need  now is to allow administrator and one other user to see the shutdown command.  How do I exclude these two users from the default domain policy configured in the Console1.msc?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35058876
You need to go to the Permissions tab of the GPO and Deny apply GPO to these users
0
 

Author Comment

by:a1electric
ID: 35059144
Not working yet, I opened up the Console1.msc, right-clicked on the default domain policy, went to properties, then security.  I added the two users that I want to have the shutdown command (Administrator and Ken), and clicked the box under "Deny" next to "Apply Group Policy".

But both of these users still do not have the shutdown command.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35059402
Did you run gpupdate /f? Or reboot?
0
 

Author Comment

by:a1electric
ID: 35059732
I did run gpupdate /force - but the two users still have a shutdown command
0
 

Author Comment

by:a1electric
ID: 35059824
I meant do NOT have a shutdown command.
0
 

Author Comment

by:a1electric
ID: 35060326
Maybe I should start over, now that I've remembered about the Console1.msc.  I don't think I want to deny these two users the group policy, since part of the group policy allows them to use terminal services.
So the big picture is that all users are terminal service users, and all but two have the shutdown command removed.
What I don't get is how to divide these rights up.  If I use OUs, then how do I move all of the users into a "terminal services" group, but then have all but two users in a "no shutdown command" group?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35060865
If you want to distribute a GPO that you want different users to not be affected by, then you need to create a GPO just for this setting so you can then deny the users. This is called Security Filtering.
0
 

Author Comment

by:a1electric
ID: 35061942
Okay, I've gotten to where it finally at least made sense where everyone is denied access to the shutdown command.  Attached is the screenshot with as much info as I could get into one screen.  
What I tried to do was deny the administrators group the policy of being denied access to the shutdown command, so that the two users in the administrators group will have the shutdown command.

So I think the control of the shutdown button now rests only with the NoShutdown GPO, but I just need to exclude the administrators group from that policy.

thanks for the continued help
GPOsettings.png
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35061979
Looks like you have permissions right.

Are the Users part of any other Group by chance?
0
 

Author Comment

by:a1electric
ID: 35068857
They are members of Remote Desktop Users
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35069510
Are you applying GPO to this Group?
0
 

Author Comment

by:a1electric
ID: 35070773
No, there is no GPO applied to that group.  I'm wondering how the hierarchy works with GPOs.  I thought I could tell the Default Domain Policy to remove the shutdown command for all users, then make a separate GPO that allows the shutdown command and only include the administrators group in that GPO.  But that doesn't work.  It appears that the Default Domain Policy overrides any new GPO.  I will try making two separate GPOs, one for everyone to not have the shutdown command, and a second one for the administrators group to have the shutdown command.
Let me know of your thoughts.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35071027
You need to make the other GPO that gives users the shutdown higher in priority. But you shouldn't have to do this. You should be able to create GPO DisableShutdown, apply to Domain, go to Security, Deny Apply this group policy. This is called GPO security filtering.
0
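
The security filtering described in the comment above, as an added example that is not part of the original thread: a dedicated GPO carrying only the shutdown restriction, filtered so it applies to one group instead of relying on a Deny entry. It assumes the GroupPolicy PowerShell module (GPMC on Windows Server 2008 R2 or later); the GPO name, group name and domain DN are hypothetical.

```powershell
# Added example. Hypothetical names: GPO "NoShutdown", group "NoShutdownUsers",
# domain DN "DC=example,DC=local". Run as a domain admin with GPMC installed.
Import-Module GroupPolicy

$gpoName  = 'NoShutdown'
$domainDn = 'DC=example,DC=local'
$group    = 'NoShutdownUsers'   # members of this group lose the Shut Down command

# 1. A GPO that carries only this one setting, so filtering it cannot block
#    anything else (for example the rights users need for Terminal Services).
New-GPO -Name $gpoName -Comment 'Hide Shut Down for filtered users only' | Out-Null

# 2. NoClose = 1 is the registry value behind the User Configuration policy
#    "Remove and prevent access to the Shut Down command".
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoClose' -Type DWord -Value 1 | Out-Null

# 3. Link at the domain root so the OU a user account sits in does not matter.
New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes | Out-Null

# 4. Security filtering: Authenticated Users keep Read (the GPO must stay
#    readable) but lose Apply; only the restricted group gets Apply.
#    -Replace is required because GpoRead is lower than the default GpoApply.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $group `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 5. Check the result: the restricted group should show GpoApply,
#    Authenticated Users GpoRead. Administrators outside the group are unaffected.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Leave the setting at Not Configured in the Default Domain Policy when using this layout, and have affected users log off and on (or run gpupdate /force) before checking the Start menu.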
 

Author Comment

by:a1electric
ID: 35071471
Well, I have now made two organizational units "ShutdownCommand" and "NoShutdownCommand".  I have put the appropriate users in these containers, created GPOs for both and linked the GPO to the OU.  But it still makes no difference - the only thing that makes a difference is to change the Default Domain Security policy.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35073290
Crap forgot you are running TS on your Domain Controller
0
 

Author Comment

by:a1electric
ID: 35073740
True, that is my only option, since this is the company's only server.  The policy regarding who had the shutdown command and who didn't was working fine for a year or so until I re-installed the operating system.  Terminal services run fine, this group policy stuff just isn't cooperating this time around.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35073781
So if you have a GPO that is applied to the whole domain just for Shutdownremoved, you add the domain users group to this, you then go to the security tab and deny those settings on the users, this doesn't work?
0
 

Author Comment

by:a1electric
ID: 35074104
Don't think so - I believe I followed the couple of steps you just mentioned....The user Administrator had the shutdown command showing, then I opened Group Policy Management and edited the Default Domain Policy.  There I went to User Configuration / Administrative Templates / Start Menu and Taskbar and Enabled "Remove and Prevent Access to the Shutdown command".
I then ran gpupdate /force.  As it should, the Administrator's menu now does not show the Shutdown command.
Then in Group Policy Management main screen I highlighted Default Domain Policy on the left and added the group "Domain Users" on the right under Security Filtering.
I then edited the Default Domain Policy again, right-clicked and clicked on "properties".  On that screen I clicked the security tab and added Administrator.  Then I checked the "Deny" box next to Add Group Policy, then ran gpupdate /force again.
But, the shutdown command is still missing from the Administrator user's start menu.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35083435
I really think the issue is because of the Domain Controller.

I'm trying to remember maybe you can't security filter domain policy
0
 

Author Comment

by:a1electric
ID: 35095040
Don't know if this will help, but here are the latest steps and the outcome:

Since I need the shutdown command to restart the server occasionally, I decided for now to have it available to everyone.  So, I went to group policy management and changed the option to Disable for Remove Access to the Shutdown Command in the Default Domain Policy.
That did not bring back the command for user Administrator, so I went to the security tab in the properties of the Default Domain Policy and removed the user Administrator (which had had the Deny box checked).  
Removing Administrator from the security tab brought the shutdown command back for Administrator.
So it seems the Deny box has an effect if the No Access to Shutdown is disabled, but no effect if the No Access to Shutdown is enabled.
0
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 1000 total points
ID: 35097364
Another way is you can create batch files to restart the system

Create a batch file with this content: shutdown -f -r

The above command will restart system.
0
 

Author Comment

by:a1electric
ID: 35097626
Oh, thanks, I think I'll use that :)
0
