PapaSmurff
asked on
Disable/Prevent Remote Shutdown -i Command
I need to prevent access to ONLY the remote shutdown command for windows 7 machines through group policy.
I'm having an issue with an employee remotely shutting other user systems. The command prompt is disable but I believe it is being ran through Visual Basic 2012.
Thanks Experts!
I'm having an issue with an employee remotely shutting other user systems. The command prompt is disable but I believe it is being ran through Visual Basic 2012.
Thanks Experts!
ASKER
In that scenario users can't shut down their own system correct? This is just for Remote shutdown using the shutdown -i command.
Thanks.
Thanks.
Do the offending users have admin rights ??
ASKER
No, he doesn't.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Interesting, I definitely know he doesn't have network administrator rights. I will look into local admin rights and get back to you ASAP. Thanks!
edit a domain-wide policy to restrict users from running specific Windows programs: 1.Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2.Right-click your domain, and then click Properties.
3.Click the Group Policy tab.
4.In the Group Policy Object Links box, click the group policy to which you want to apply this setting. For example, click Default Domain Policy.
5.Click Edit.
6.Expand User Configuration, expand Administrative Templates, and then expand System.
7.In the right pane, double-click Don't run specified Windows applications.
8.Click Enabled, and then click Show.
9.Click Add, and then type the executable file name of the program that you want to restrict users from running. For example, type iexplore.exe.
10.Click OK, click OK, and then click OK.
11.Quit Group Policy Object Editor, and then click OK.
Also in system you could prevent access to the command prompt if you so choose.
2.Right-click your domain, and then click Properties.
3.Click the Group Policy tab.
4.In the Group Policy Object Links box, click the group policy to which you want to apply this setting. For example, click Default Domain Policy.
5.Click Edit.
6.Expand User Configuration, expand Administrative Templates, and then expand System.
7.In the right pane, double-click Don't run specified Windows applications.
8.Click Enabled, and then click Show.
9.Click Add, and then type the executable file name of the program that you want to restrict users from running. For example, type iexplore.exe.
10.Click OK, click OK, and then click OK.
11.Quit Group Policy Object Editor, and then click OK.
Also in system you could prevent access to the command prompt if you so choose.
ASKER
Thanks tmoore but if I prevent access to the shutdown command then no one can shutdown.
Any more feedback for mine?
ASKER
Sorry McKnife, I've been off for the last 2 weeks. I did find a localadmin.bat that was tied to a staff computer OU and disabled it. Please see below. Does this make any since to you? This must of been in place for a while because I didn't created this:
DomainName="hcrhs"
Set oShell = WScript.CreateObject("WScr ipt.Shell" )
Set oProcsEnv = oShell.Environment("Proces s")
ComputerName = oProcsEnv("COMPUTERNAME")
Set oGroup = GetObject("WinNT://" & ComputerName & "/" & "Administrators")
If Not oGroup.IsMember("WinNT://" &hcrhs&"/L ocal_Admin ") Then _
oGroup.Add ("WinNT://"&hcrhs&"/Local_ Admin")
pause
pause
Thanks!
DomainName="hcrhs"
Set oShell = WScript.CreateObject("WScr
Set oProcsEnv = oShell.Environment("Proces
ComputerName = oProcsEnv("COMPUTERNAME")
Set oGroup = GetObject("WinNT://" & ComputerName & "/" & "Administrators")
If Not oGroup.IsMember("WinNT://"
oGroup.Add ("WinNT://"&hcrhs&"/Local_
pause
pause
Thanks!
Take your time and answer all questions, I had many.
About the script: what group is local_admin? A domain group? If so, who's in there?
About the script: what group is local_admin? A domain group? If so, who's in there?
ASKER
Thanks. Everyone and it was set under a computer OU that had a good amount of PC's but not all. It's disabled now and I'm going to assume that's why he had assess to remotely reset? Thanks for your help McKnife!
Your script adds the group members of local_admin to the local administrator group of the computers where it gets executed on. So if everyone is member of local_admin, then everyone is local admin on all computers the script runs on...so he will be able to access $-shares from remote, do remote shutdown and much more. You need to undo that.
ASKER
Thanks again!
In group policy
http://technet.microsoft.com/en-us/library/cc759478%28v=ws.10%29.aspx