?
Solved

Remote access restrictions

Posted on 2014-03-10
7
Medium Priority
?
256 Views
Last Modified: 2014-03-12
I have a Group Policy Question.

Here is my situation.

I have a remote desktop server that a few users login remotely to use a quoting custom built SQL database.

We don't have the remote users to be able to shutdown the server by going to start > shutdown or restart

My questions has two parts I guess:  

1) How is this done through a group policy.
2) Can we use the same account for the users so they don't lose the capability of  shutting down THEIR computers at the office OR do I need two separate AD accounts; one for their computer and one for remote access where they can't shut the servers down?

Servers are running Windows 2008 R2. Computers are all windows 7 Pro.
0
Comment
Question by:Anthony H.
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 5

Assisted Solution

by:Joe Jenkins
Joe Jenkins earned 1000 total points
ID: 39919612
If I understand your question, you want to make sure the user cannot shutdown the server but CAN shutdown their own machines.

- Create an OU for your RDP Server and put that computer into that OU.
- Create a GPO that contains the following settings and assign it to that OU:

GPO Settings:
- User Configuration/Policies/Admin Templates/Start menu and taskbar/
   Add Logoff to the Start Menu - Set to Enabled

- User Configuration - Administrative Templates - Start Menus and Taskbar
  "Remove and prevent access to the shutdown command" - Set to Enabled.


As for the business logic, we have a security group for RDP users and they login with their normal AD user credentials.   We apply some additional GPOs and other settings to them as well.  That would be how I would do it (and currently do it).

I do not recommend using a shared account for end users under any circumstances.
0
 

Author Comment

by:Anthony H.
ID: 39919630
you mean MOVE that computer (server) to that OU?
0
 
LVL 5

Expert Comment

by:Joe Jenkins
ID: 39919647
Yes, move would be more specific. Make sure to apply any additional GPO to that new OU before moving the server so all other currently applied GPOs to that server stay applied when you move it.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 

Author Comment

by:Anthony H.
ID: 39919653
Thank you. I will try it and get back to you. thanks again, I appreciate your help.
0
 
LVL 5

Expert Comment

by:Joe Jenkins
ID: 39919656
I look forward to hearing from you.
0
 
LVL 11

Accepted Solution

by:
Manjunath Sullad earned 1000 total points
ID: 39919955
If its only one server,

You can disable Shutdown from below path

Start --> Run --> Secpol.msc -->

Security Settings --> Local Policies --> User Rights Assignment-->

Shutdown the System --> Remove the user ID's or Security group except Administrators


If you have multiple servers, You can push this through GPO.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39924257
Users may not shutdown servers by default. If your users were indeed able to do this, the defaults were modified intentionally or your users are nested in the admin group.
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question