remote shut down of machines

Hi there,
Running server 2008 R2 domain, with window 7 prof clients.  Many users came today complaingint that someone is remotely shutting their machines down.  What can be safely set into the AD so that no one can shutdown my client machines.
THanks
LVL 5
amanzoorNetwork infrastructure AdminAsked:
Who is Participating?
 
Jason WatkinsConnect With a Mentor IT Project LeaderCommented:
In the domain or local GPO you can control exactly which users can or cannot shutdown the computer.

Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ User Rights Assignments \ Shut down the system

Change this to be only one group or user and you will be all-set.
0
 
cgitekConnect With a Mentor Commented:
Ok so you will need to look here first and create your GPO. I believe this is the same for W7.

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/539.mspx?mfr=true

You will also want to make sure you change the local Administrator password or disable local logons again using GPO to prohibit someone using a local account to reboot the workstation.
0
 
Jason WatkinsIT Project LeaderCommented:
I would make sure this setting is set at a domain level GPO and not on the local GPO
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
amanzoorNetwork infrastructure AdminAuthor Commented:
My domain level and domain controller level GPOs are all fine, the problem I have found is that on all these laptops, the users belong to a group called 'student' and this groups has been added to the local administrators group.  I think this is the reason they can shut down each others machines.  If I remove this groups from the local administrators group then these users cannot install any apps, or software.  What can I do?  help
0
 
cgitekCommented:
Just create a special group and make the actual administrator account the only member of that group...assign using the above method I and Firebar mentioned and you're done.
0
 
amanzoorNetwork infrastructure AdminAuthor Commented:
firebar and cgitek,
By putting assigning these GPO settings, will the laptop users will be able to shut their own machines down or no?  As a rule they should be able to shut down their own laptops and not anyone else?
0
 
Jason WatkinsIT Project LeaderCommented:
To do what you have described, a local GPO would have to be used. On each machine, simply add the user who should be able to shut down the computer, to the GPO.
0
All Courses

From novice to tech pro — start learning today.