Solved

How to disable shutdown -i via group policy

Posted on 2014-10-10
Last Modified: 2014-10-23
We've been having an issue where computers have been logged off or shut down randomly. I thought it might be shutdown -i but command prompt is disabled. However, we figured out that a student was using visual pro to open command prompt then do a shutdown -i command to remotely mess with machines.

I see there's a way to disable remote shut off via the local security policy, but I haven't been able to locate it in gp.
Thanks for your help!
0
Comment
Question by:PapaSmurff
13 Comments
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 40373782
It's under User Configuration > Administrative Templates > Start Menu & Taskbar > Remove And Prevent Access To Shut Down Command.
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40373814
Try disabling access to the command prompt via Group Policy.

This is located under User Configuration\Administrative Templates\System

Does the student have any elevated privileges?
0
 

Author Comment

by:PapaSmurff
ID: 40373836
Dstewartjr - that will remove shutdown from the Start menu. I don't want the shutdown -i command to run.

Command Prompt is disabled via group policy. The students are apparently able to get into a visual pro command prompt and then run the shutdown -i command.

Students are pretty locked down.
Thanks.
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40373887
Hi,

Another way to stop a user/student shutting down a machine remotely would be to amend the Security Policy (User Rights Assignment) via GPO to only enable certain people to shutdown machines.

Mylocalsecpol
Then when you have found the option double click on it and remove yourdomain.co.uk\user-name or user
0
 

Author Comment

by:PapaSmurff
ID: 40376791
Thanks Roshan Ejaz. Not familiar with how to set that up. Can you provide any helpful links?
Thanks again!
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40376798
Hopefully this link can help you

http://technet.microsoft.com/en-us/library/dd277307.aspx

If it doesn't help let me know and I will post a step by step on how to do it in my test lab.
0
 

Author Comment

by:PapaSmurff
ID: 40377241
Thanks again Roshan Ejaz.  I don't know where to start with that link.. Yeah a step by step would be great!
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40377291
Log onto the Domain Controller as an administrator/Domain Admin > Open Group Policy Management Console > Ensure the machines which you don't want to be shut down are located within a different OU > Create a new policy and link it here > Open Computer Config > Windows Settings > Security Settings > User Rights Assignment > Select the option Shut Down the system > Activate this policy and then put in there who you want to allow the shut down the system right to.

Once applied restart the target PC, log on as a standard user to test and see if you can shutdown the machine.

I'm not sure about the log off option because I think that would be the minimal required. Let's cross that bridge when we come to it.
0
 

Author Comment

by:PapaSmurff
ID: 40384972
My apologies, it's been a crazy week. I'll try this and respond when I get a chance to test it out. Thanks a lot!
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40384977
No problem :)
0
 

Author Comment

by:PapaSmurff
ID: 40396938
Hey Roshan,
I attempted this this morning, however, I couldn't locate "user rights assignment" in gp. Also, it seems then students wouldn't be able to shutdown any machines. I would like to disable the remote shutdown feature.
Thanks,
Ron
0
 
LVL 13

Accepted Solution

by:
Rizzle earned 500 total points
ID: 40397782
The only way to disable remote shutdown would be to ensure they don't have access to shutdown machines, this is defined in the User Rights Assignments.

Below is a screenshot of my test lab with the policy highlighted.

Also this will ensure only certain people can shutdown the systems you apply the policy to.

User Rights Assignment
0
 

Author Comment

by:PapaSmurff
ID: 40399035
Thanks Roshan. Unfortunately, I'm not going to block access for a local shutdown. Kinda surprised there isn't a remote shutdown option. Thanks again, Ron
0
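
The User Rights Assignment node discussed in this thread holds two shutdown-related rights: "Shut down the system" (`SeShutdownPrivilege`), which the accepted answer restricts, and "Force shutdown from a remote system" (`SeRemoteShutdownPrivilege`), which Windows checks on the target machine when a shutdown is requested over the network. The PowerShell below is an added example, not code from any poster: it parses a `secedit` user-rights export and lists who holds each right; the sample export, its domain SID and the function names are constructed for illustration.

```powershell
# Added example, not from the thread. Parses the [Privilege Rights] section of a
# security-template export and reports who holds the two shutdown rights.
# On a real machine, produce the input from an elevated prompt with:
#   secedit /export /areas USER_RIGHTS /cfg "$env:TEMP\rights.inf"
# and pass (Get-Content "$env:TEMP\rights.inf") instead of $sample.

# Constructed sample export; the domain SID ending in -1105 is made up.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
'@ -split "`r?`n"

$rights = @{
    SeShutdownPrivilege       = 'Shut down the system'
    SeRemoteShutdownPrivilege = 'Force shutdown from a remote system'
}

function Resolve-Holder([string]$Entry) {
    # secedit writes SIDs with a leading '*'; plain account names appear as-is.
    if (-not $Entry.StartsWith('*')) { return $Entry }
    $sid = $Entry.Substring(1)
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($sid)
        return $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $sid   # not resolvable from this machine: keep the raw SID
    }
}

function Get-ShutdownRightHolders([string[]]$Lines) {
    foreach ($line in $Lines) {
        if ($line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
        $constant, $value = $Matches[1], $Matches[2]
        if (-not $rights.ContainsKey($constant)) { continue }
        $holders = @($value -split ',' | ForEach-Object { $_.Trim() } |
                     Where-Object { $_ } | ForEach-Object { Resolve-Holder $_ })
        [pscustomobject]@{
            Right   = $rights[$constant]
            Holders = if ($holders) { $holders -join '; ' } else { '(no one)' }
        }
    }
}

Get-ShutdownRightHolders $sample | Format-Table -AutoSize -Wrap
```

Any non-administrative account or group listed against "Force shutdown from a remote system" on a lab PC is worth reviewing in the GPO that sets it.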

Question has a verified solution.