?
Solved

how to prevent users from shutting down other win7 computers on network

Posted on 2011-10-28
14
Medium Priority
?
284 Views
Last Modified: 2012-05-12
We have about 600 user laptops used on a server 2008 domain.  Users all have local admin rights to their computers.  We have a few students running the "shutdown -i" command and typing in another computer name to shut it down.  Is there a regedit or something that I can run in order to disable this?  Thanks.
0
Comment
Question by:krusebr
  • 6
  • 4
  • 3
  • +1
14 Comments
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 37046928
You could create a unique group in the domain for each computer, putting the 'admins' for that computer in each group. Put the domain group in the local administrators group so each 'admin' is only admin on 1 computer.

How did you give them local admin rights btw?
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 37046959
You have bigger problems if they have local admin rights!
0
 

Author Comment

by:krusebr
ID: 37046983
not sure what you are telling me to do with the different groups...
We are a 1:1 school and all students are local admins of their laptops.  This is to allow for installing software and maintenance of their computer while they have it in the classroom and at home. Teachers will have students download and install apps, etc.  
0
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

 
LVL 66

Expert Comment

by:johnb6767
ID: 37047047
I would look at "Deny access to this computer from the network" in the Local Security Policy, l unless there is a massive need to share files across the systems.....
0
 

Author Comment

by:krusebr
ID: 37047278
I just looked at the local security policy settings and found none that would "deny access...."
windows 7 pro
0
 

Author Comment

by:krusebr
ID: 37047366
I see it under local policies\user rights assignment\ access this computer from the network
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 37047451
Deny access to this computer from the network

This security setting determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies.

Default: Guest

If you put in the group "Students" (example), they should be denied when trying to use a share/Admin$ share, or a remote utility.........
0
 

Author Comment

by:krusebr
ID: 37047476
Ok, I made this change to one of the student computers setting next to me.  I removed all users from this policy (users, everyone, and administrators).  Restarted the computer and tried the shutdown -i command from another computer and the change prevented me from restarting the computer.  However, what else have I prevented from working by making this change?  I can still see it in the network neighborhood and my lanschool software continues to work with the computer.  Thanks.
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 37047521
Setting a local policy though SECPOL.MSC, navigate to Local Policies, User Rights Assignment and set the 'Force Shutdown From A Remote Machine' policy.
0
 

Author Comment

by:krusebr
ID: 37047536
johnb6767:  thanks for helping
I made the change to "access this computer from the network" under "user rights assignment"
Do you recommend that I change this setting back to the default and instead add the student groups to the "deny access to this computer from the network" under "user rights assignment"?
0
 
LVL 66

Accepted Solution

by:
johnb6767 earned 2000 total points
ID: 37047552
It only prevents access to Network Resources, to the members listed in the policy. It doesn't prevent the machines from being visible via the "My Network Places".  I would leave it as a test on a handful of machines for now, to make sure there are no repercussions.
0
 

Author Comment

by:krusebr
ID: 37047938
what would the registry setting be that i push out to these student computers?
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 37050205
@krusebr - who are you asking? johnb6767 or me?

In case you want to set a policy for 'Force Shutdown From A Remote Machine' - you'd have to set a domain admin (group) in there.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 37051815
Either way, it would be in your domain policies.....

"Force shutdown from a remote system"

Forgot that one was there. :-)
0

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
In this article, we’ll look at how to deploy ProxySQL.
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum editing capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.
This Micro Tutorial will give you a basic overview of Windows Live Photo Gallery and show you various editing filters and touches to photos you can apply. This will be demonstrated using Windows Live Photo Gallery on Windows 7 operating system.
Suggested Courses
Course of the Month8 days, 19 hours left to enroll

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question