• Status: Solved
  • Priority: Medium
  • Security: Public

Remote access restrictions

I have a Group Policy Question.

Here is my situation.

I have a remote desktop server that a few users log in to remotely to use a quoting custom-built SQL database.

We don't want the remote users to be able to shut down the server by going to Start > Shutdown or Restart.

My question has two parts, I guess:

1) How is this done through a group policy?
2) Can we use the same account for the users so they don't lose the capability of shutting down THEIR computers at the office, OR do I need two separate AD accounts: one for their computer and one for remote access where they can't shut the servers down?

Servers are running Windows 2008 R2. Computers are all Windows 7 Pro.
Asked by: Anthony H.

Joe Jenkins Commented:
If I understand your question, you want to make sure the user cannot shut down the server but CAN shut down their own machines.

- Create an OU for your RDP Server and put that computer into that OU.
- Create a GPO that contains the following settings and assign it to that OU:

GPO Settings:
- User Configuration/Policies/Admin Templates/Start menu and taskbar/
   Add Logoff to the Start Menu - Set to Enabled

- User Configuration - Administrative Templates - Start Menus and Taskbar
  "Remove and prevent access to the shutdown command" - Set to Enabled.


As for the business logic, we have a security group for RDP users and they log in with their normal AD user credentials. We apply some additional GPOs and other settings to them as well. That would be how I would do it (and currently do it).

I do not recommend using a shared account for end users under any circumstances.

Anthony H. (Author) Commented:
You mean MOVE that computer (server) to that OU?

Joe Jenkins Commented:
Yes, move would be more specific. Make sure to apply any additional GPO to that new OU before moving the server so all other currently applied GPOs to that server stay applied when you move it.

Anthony H. (Author) Commented:
Thank you. I will try it and get back to you. Thanks again, I appreciate your help.

Joe Jenkins Commented:
I look forward to hearing from you.

Manjunath Sullad (Technical Consultant) Commented:
If it's only one server, you can disable shutdown from the path below:

Start --> Run --> Secpol.msc -->

Security Settings --> Local Policies --> User Rights Assignment -->

Shutdown the System --> Remove the user IDs or security groups except Administrators


If you have multiple servers, you can push this through GPO.

McKnife Commented:
Users may not shut down servers by default. If your users were indeed able to do this, the defaults were modified intentionally or your users are nested in the admin group.

Question has a verified solution.
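
An added audit example, not part of the original thread: the PowerShell below reads the server's current User Rights Assignment with `secedit` and lists every account holding "Shut down the system" (`SeShutdownPrivilege`), then prints the local Administrators membership to catch the nested-admin case raised in the comments. The function name `Get-ShutdownRightHolders` and the temp file name are assumptions made for this example; run it elevated on the RDP server.

```powershell
# Added example: list who holds the "Shut down the system" right (SeShutdownPrivilege).
function Get-ShutdownRightHolders {
    param([string[]]$InfLines)   # lines of a "secedit /export /areas USER_RIGHTS" file

    $line = $InfLines | Where-Object { $_ -match '^\s*SeShutdownPrivilege\s*=' } |
            Select-Object -First 1
    if (-not $line) { return @() }   # the right is assigned to nobody

    foreach ($entry in ((($line -split '=', 2)[1]) -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        $sid  = $null
        $name = $entry               # entries without '*' are plain account names
        if ($entry.StartsWith('*')) {
            # secedit writes SIDs with a leading asterisk
            $sid = $entry.Substring(1)
            try {
                $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                        Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = '(unresolved SID)' }
        }
        New-Object PSObject -Property @{
            Account = $name
            Sid     = $sid
            # S-1-5-32-544 is the built-in Administrators group; anything else
            # on a server deserves a second look.
            Review  = ($sid -ne 'S-1-5-32-544')
        }
    }
}

# Export the current user-rights assignment and report on it.
$tmp = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
Get-ShutdownRightHolders (Get-Content $tmp) |
    Format-Table Account, Sid, Review -AutoSize
Remove-Item $tmp

# Accounts nested in the local Administrators group hold the right indirectly.
net localgroup Administrators

# Constructed sample for trying the parser without secedit
# (S-1-5-32-555 is the built-in Remote Desktop Users group):
# Get-ShutdownRightHolders @('[Privilege Rights]',
#     'SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-555')
```

Rows with `Review` set to True are the ones to compare against the security group your RDP users log in with.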