remote shut down of machines

Hi there,
Running server 2008 R2 domain, with window 7 prof clients.  Many users came today complaingint that someone is remotely shutting their machines down.  What can be safely set into the AD so that no one can shutdown my client machines.
THanks
LVL 5
amanzoorNetwork infrastructure AdminAsked:
Who is Participating?
 
Jason WatkinsConnect With a Mentor IT Project LeaderCommented:
In the domain or local GPO you can control exactly which users can or cannot shutdown the computer.

Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ User Rights Assignments \ Shut down the system

Change this to be only one group or user and you will be all-set.
0
 
cgitekConnect With a Mentor Commented:
Ok so you will need to look here first and create your GPO. I believe this is the same for W7.

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/539.mspx?mfr=true

You will also want to make sure you change the local Administrator password or disable local logons again using GPO to prohibit someone using a local account to reboot the workstation.
0
 
Jason WatkinsIT Project LeaderCommented:
I would make sure this setting is set at a domain level GPO and not on the local GPO
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
amanzoorNetwork infrastructure AdminAuthor Commented:
My domain level and domain controller level GPOs are all fine, the problem I have found is that on all these laptops, the users belong to a group called 'student' and this groups has been added to the local administrators group.  I think this is the reason they can shut down each others machines.  If I remove this groups from the local administrators group then these users cannot install any apps, or software.  What can I do?  help
0
 
cgitekCommented:
Just create a special group and make the actual administrator account the only member of that group...assign using the above method I and Firebar mentioned and you're done.
0
 
amanzoorNetwork infrastructure AdminAuthor Commented:
firebar and cgitek,
By putting assigning these GPO settings, will the laptop users will be able to shut their own machines down or no?  As a rule they should be able to shut down their own laptops and not anyone else?
0
 
Jason WatkinsIT Project LeaderCommented:
To do what you have described, a local GPO would have to be used. On each machine, simply add the user who should be able to shut down the computer, to the GPO.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.