Solved

Windows Server 2003 - User Shutdown option

Posted on 2012-03-21
4
582 Views
Last Modified: 2012-03-21
How do I disable the ability for certain users/groups to shutdown the server while connected remotely?  I now have several users that connect to the server via VPN/RDP and I want to make sure that they cannot shutdown the server. I want to see Logoff or Disconnect options only.  

thank you
0
Comment
Question by:doctork11
  • 2
4 Comments
 
LVL 7

Expert Comment

by:Todar
Comment Utility
Prevent users from shutting down the computer
 

By default, members of the Users, Power Users, Backup Operators, and Administrators groups can shut down the computer. You can restrict this ability through group policies, applying the policy at the site, domain, organizational unit (OU), or local level. To set it at the local level, open the Local Security Policy console from the Administrative Tools folder. Open the Security Settings\ Local Policies\ User Rights Assignment branch. Double-click the policy Shut Down the System and clear the Local Policy Setting check box for those groups you don’t want shutting down the system. You can click Add to add other groups and grant them the ability to shut down the system, if needed.

You can also apply the group policy at higher levels. To apply it at the site level, open the Active Directory Sites and Services console on a domain controller. Right-click the site, choose Properties, and then click the Group Policy tab. Select (or create) a policy, click Edit, and open the Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ User Rights Assignment to locate the Shut Down the System policy. Use the Active Directory Users and Computers console to configure policies at the domain or OU levels.
0
 

Author Comment

by:doctork11
Comment Utility
I don't have this option: "and clear the Local Policy Setting check box for those groups you don’t want shutting down the system."

I just have a window with add/remove and Admins, Backup, Print, Server Operators, and SYSTEM in the window. There are only two of use as Admins, so I'm confused why other's can shutdown.
0
 
LVL 16

Accepted Solution

by:
Shaik M. Sajid earned 500 total points
Comment Utility
you can do this by group policy...

Via Group Policy in a Domain

log in to domain -  active directory users and computers - Domain - create a seperate OU - move all users to thea OU- right click the Ou (if it's windows2003) and edit Group policy and follow the steps..

in windows 2008   log on to domain - active directory users and computers - create a seperate OU and move remote users to that Ou-

then go to startup menu - administrative tools - group policy management - the rest of same procedure...


 For example to make the Shutdown button unavailable (usefull for me)

 1. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 2. In the console, right-click your domain, and then click Properties.
 3. Click the Group Policy tab.
 4. In the Group Policy Object Links box, click the group policy for which you want to apply this setting. For example, click Remote Desktop Users Policy.
 5. Click Edit.
 6. Expand User Configuration, expand Administrative Templates, and then click Start Menu & Taskbar.
 7. In the right pane, double-click Disable and remove the Shut Down command.
 8. Click Enabled, and then click OK.
 9. Quit the Group Policy editor, and then click OK.

To remove the Run command from Start Menu and also prevent users from launching the Run dialog via pressing the Windows Key + R, apply the following Windows NT / Windows 2000 Registry hack :
 Hive: HKEY_CURRENT_USER
Key:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Name:NoRun
Type: REG_DWORD
Value: 1



NoRun corresponds to the Remove Run menu from Start Menu Group Policy at:
User Configuration
AdministrativeTemplates
Start Menu & Taskbar



Don't forget to enforce policy. Automatically it takes from 5 minutes to 1 hour on client computers.
To force background processing of Group Policy settings, use the Secedit.exe tool. To do this:

 1. Click Start, and then click Run.
 2. In the Open box, type cmd, and then click OK.
 3. Type secedit /refreshpolicy user_policy, and then press ENTER.
 4. Type secedit /refreshpolicy machine_policy, and then press ENTER.
 5. Type exit, and then press ENTER to quit the command prompt.

all the best
0
 

Author Closing Comment

by:doctork11
Comment Utility
This was exactly what I needed. Thank you very much!
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now