Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

How to disable shutdown -i via group policy

Posted on 2014-10-10
13
Medium Priority
?
307 Views
Last Modified: 2014-10-23
We've been having an issue where computers have been logged off or shutdown randomly. I thought it might be shutdown - i but command prompt is disabled. However, we figured out that a student was using visual pro to open command prompt then do a shutdown -i command to remotely mess with machines.

I see there's a way to disable remote shut off via the local security policy, but I haven't been able to locate it in gp.
Thanks for your help!
0
Comment
Question by:PapaSmurff
  • 6
  • 6
13 Comments
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 40373782
It's under  User Configuration > Administrative Templates > Start Menu & Taskbar > Remove And Prevent Access To Shut Down Command.
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40373814
Try disabling access to the command prompt via Group Policy.

This is located under User Configuration\Administrative Templates\System

Does the student have any elevated privileges?
0
 

Author Comment

by:PapaSmurff
ID: 40373836
Dstewartjr - that will remove shutdown from the Start menu. I don't want the shutdown -i command to run.

Command Prompt is disabled via group policy. The students are apparently able to get into a visual pro command prompt and then run the: shutdown - i command

Students are pretty locked down.
Thanks.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LVL 13

Expert Comment

by:Rizzle
ID: 40373887
Hi,

Another way to stop a user/student shutting down a machine remotely would be to amend the Security Policy (User Rights Assignment) via GPO to only enable certain people to shutdown machines.

Mylocalsecpol
Then when you have found the option double click on it and remove yourdomain.co.uk\user-name or user
0
 

Author Comment

by:PapaSmurff
ID: 40376791
Thanks Roshan Ejaz. Not familiar with how to set that up. Can you provide any helpful links?
Thanks again!
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40376798
Hopefully this link can help you

http://technet.microsoft.com/en-us/library/dd277307.aspx

If it doesn't help let me know and i will post a step by step on how to do it in my test lab.
0
 

Author Comment

by:PapaSmurff
ID: 40377241
Thanks again Roshan Ejaz.  I don't know where to start with that link.. Yeah a step by step would be great!
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40377291
Log onto the Domain Controller as an administrator/Domain Admin > Open Group Policy Management Console > Ensure the machines which you don't want to be shut down are located within a different OU > Create a new policy and link it here > Open Computer Config > Windows Settings > Security Settings > User Rights Assignment > Select the option Shut Down the system > Activate this policy and then put in there who you want to allow the shut down the system right to.

Once applied restart the target PC, log on as a standard user to test and see if you can shutdown the machine.

I'm not sure about the log off option because I think that would be the minimal required. Lets cross that bridge when we come to it.
0
 

Author Comment

by:PapaSmurff
ID: 40384972
My apologies its been a crazy week. I'll try this and respond when I get a chance to test it out. Thanks a lot!
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40384977
No problem :)
0
 

Author Comment

by:PapaSmurff
ID: 40396938
Hey Roshan,
 I attempted this this morning, however, I couldn't locate "user rights assignment" in gp. Also, is seems then students wouldn't be able to shutdown any machines. I would like to disable the remote shutdown feature.
Thanks,
Ron
0
 
LVL 13

Accepted Solution

by:
Rizzle earned 2000 total points
ID: 40397782
the only way to disable remote shutdown would be to ensure they don't have access to shutdown machines, this is defined in the User Rights Assignments.

Below is a screenshot of my test lab with the policy highlighted.

Also this will ensure only certain people can shutdown the systems you apply the policy to.

User Rights Assignment
0
 

Author Comment

by:PapaSmurff
ID: 40399035
Thanks Roshan. Unfortunately, I'm not going to block access for a local shutdown. Kinda surprised there isn't a remote shutdown option. Thanks again, Ron
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

886 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question