Windows Server 2003 - User Shutdown option

Posted on 2012-03-21
Last Modified: 2012-03-21
How do I disable the ability for certain users/groups to shut down the server while connected remotely? I now have several users that connect to the server via VPN/RDP and I want to make sure that they cannot shut down the server. I want to see Logoff or Disconnect options only.

thank you
Question by:doctork11
Expert Comment

by:larry urban
ID: 37749785
Prevent users from shutting down the computer
 

By default, members of the Users, Power Users, Backup Operators, and Administrators groups can shut down the computer. You can restrict this ability through group policies, applying the policy at the site, domain, organizational unit (OU), or local level. To set it at the local level, open the Local Security Policy console from the Administrative Tools folder. Open the Security Settings\Local Policies\User Rights Assignment branch. Double-click the policy Shut Down the System and clear the Local Policy Setting check box for those groups you don’t want shutting down the system. You can click Add to add other groups and grant them the ability to shut down the system, if needed.

You can also apply the group policy at higher levels. To apply it at the site level, open the Active Directory Sites and Services console on a domain controller. Right-click the site, choose Properties, and then click the Group Policy tab. Select (or create) a policy, click Edit, and open Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment to locate the Shut Down the System policy. Use the Active Directory Users and Computers console to configure policies at the domain or OU levels.

Author Comment

by:doctork11
ID: 37749933
I don't have this option: "and clear the Local Policy Setting check box for those groups you don’t want shutting down the system."

I just have a window with add/remove and Admins, Backup, Print, Server Operators, and SYSTEM in the window. There are only two of us as Admins, so I'm confused why others can shut down.
Accepted Solution

by: Shaik M. Sajid (earned 500 total points)
ID: 37750009
You can do this by Group Policy...

Via Group Policy in a Domain

Log in to the domain - Active Directory Users and Computers - Domain - create a separate OU - move all users to the OU - right-click the OU (if it's Windows 2003), edit Group Policy, and follow the steps.

In Windows 2008: log on to the domain - Active Directory Users and Computers - create a separate OU and move the remote users to that OU -

then go to the startup menu - Administrative Tools - Group Policy Management - the rest is the same procedure.

For example, to make the Shutdown button unavailable (useful for me):

 1. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 2. In the console, right-click your domain, and then click Properties.
 3. Click the Group Policy tab.
 4. In the Group Policy Object Links box, click the group policy for which you want to apply this setting. For example, click Remote Desktop Users Policy.
 5. Click Edit.
 6. Expand User Configuration, expand Administrative Templates, and then click Start Menu & Taskbar.
 7. In the right pane, double-click Disable and remove the Shut Down command.
 8. Click Enabled, and then click OK.
 9. Quit the Group Policy editor, and then click OK.

To remove the Run command from the Start Menu and also prevent users from launching the Run dialog by pressing the Windows Key + R, apply the following Windows NT / Windows 2000 Registry hack:

Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Name: NoRun
Type: REG_DWORD
Value: 1

NoRun corresponds to the Remove Run menu from Start Menu Group Policy at:
User Configuration\Administrative Templates\Start Menu & Taskbar



Don't forget to enforce policy. Automatically it takes from 5 minutes to 1 hour on client computers.
To force background processing of Group Policy settings, use the Secedit.exe tool. To do this:

 1. Click Start, and then click Run.
 2. In the Open box, type cmd, and then click OK.
 3. Type secedit /refreshpolicy user_policy, and then press ENTER.
 4. Type secedit /refreshpolicy machine_policy, and then press ENTER.
 5. Type exit, and then press ENTER to quit the command prompt.

all the best

Author Closing Comment

by:doctork11
ID: 37750108
This was exactly what I needed. Thank you very much!
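
To confirm who actually holds the "Shut Down the System" right discussed in this thread, the following PowerShell sketch exports the server's user rights assignment and lists the holders. It is an added example, not part of any post above; the scratch file path and the allow-list (built-in Administrators only) are assumptions to adjust.

```powershell
# Added example: list who holds the shutdown user rights on this server.
# Run elevated; secedit needs administrative rights to export the policy.
$cfg = Join-Path $env:TEMP 'user_rights.inf'      # scratch path (assumption)
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw "secedit export failed: $cfg was not created" }

# Privilege constants behind the two User Rights Assignment policies
$rights = @{
    'SeShutdownPrivilege'       = 'Shut down the system'
    'SeRemoteShutdownPrivilege' = 'Force shutdown from a remote system'
}
# Assumption: only the built-in Administrators group should hold these rights
$allowed = @('S-1-5-32-544')

function Resolve-Holder([string]$entry) {
    # Entries are "*S-1-5-32-544" (a SID) or a plain account name
    if (-not $entry.StartsWith('*')) { return $entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return 'unresolved' }
}

$report = foreach ($line in Get-Content $cfg) {
    # Lines look like: SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
    if ($line -match '^\s*(Se\w+)\s*=\s*(.+)$' -and $rights.ContainsKey($Matches[1])) {
        $priv = $Matches[1]
        foreach ($entry in ($Matches[2] -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            New-Object PSObject -Property @{
                Policy = $rights[$priv]
                Entry  = $entry
                Holder = (Resolve-Holder $entry)
                Review = ($allowed -notcontains $entry.TrimStart('*'))
            }
        }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
$report | Sort-Object Policy, Holder | Format-Table Policy, Holder, Entry, Review -AutoSize
```

Rows with Review = True are accounts outside the allow-list that can still shut the server down. The Start Menu policy in the accepted solution removes the Shut Down command from the Start menu and the Windows Security dialog; it does not change who holds these rights.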