Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

remote shut down of machines

Posted on 2013-01-21
7
Medium Priority
?
289 Views
Last Modified: 2013-01-25
Hi there,
Running server 2008 R2 domain, with window 7 prof clients.  Many users came today complaingint that someone is remotely shutting their machines down.  What can be safely set into the AD so that no one can shutdown my client machines.
THanks
0
Comment
Question by:amanzoor
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 1

Assisted Solution

by:cgitek
cgitek earned 400 total points
ID: 38801651
Ok so you will need to look here first and create your GPO. I believe this is the same for W7.

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/539.mspx?mfr=true

You will also want to make sure you change the local Administrator password or disable local logons again using GPO to prohibit someone using a local account to reboot the workstation.
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 38801657
I would make sure this setting is set at a domain level GPO and not on the local GPO
0
 
LVL 4

Author Comment

by:amanzoor
ID: 38815799
My domain level and domain controller level GPOs are all fine, the problem I have found is that on all these laptops, the users belong to a group called 'student' and this groups has been added to the local administrators group.  I think this is the reason they can shut down each others machines.  If I remove this groups from the local administrators group then these users cannot install any apps, or software.  What can I do?  help
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 27

Accepted Solution

by:
Jason Watkins earned 1600 total points
ID: 38815894
In the domain or local GPO you can control exactly which users can or cannot shutdown the computer.

Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ User Rights Assignments \ Shut down the system

Change this to be only one group or user and you will be all-set.
0
 
LVL 1

Expert Comment

by:cgitek
ID: 38817004
Just create a special group and make the actual administrator account the only member of that group...assign using the above method I and Firebar mentioned and you're done.
0
 
LVL 4

Author Comment

by:amanzoor
ID: 38817300
firebar and cgitek,
By putting assigning these GPO settings, will the laptop users will be able to shut their own machines down or no?  As a rule they should be able to shut down their own laptops and not anyone else?
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 38818462
To do what you have described, a local GPO would have to be used. On each machine, simply add the user who should be able to shut down the computer, to the GPO.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question