Solved

Disable/Prevent Remote Shutdown -i Command

Posted on 2014-12-19
Last Modified: 2015-01-05
I need to prevent access to ONLY the remote shutdown command for Windows 7 machines through group policy.

I'm having an issue with an employee remotely shutting down other users' systems. The command prompt is disabled, but I believe it is being run through Visual Basic 2012.

Thanks Experts!
Question by:PapaSmurff
14 Comments
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 40509546
Modify the setting "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment: Shut down the system"

In group policy

http://technet.microsoft.com/en-us/library/cc759478%28v=ws.10%29.aspx
0
 

Author Comment

by:PapaSmurff
ID: 40509550
In that scenario users can't shut down their own system, correct? This is just for remote shutdown using the shutdown -i command.
Thanks.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 40509606
Do the offending users have admin rights?
0

 

Author Comment

by:PapaSmurff
ID: 40509638
No, he doesn't.
0
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 40509682
Remote shutdown is not possible without admin rights on the remote machine. So double check that, also check groups nested in the local admin group of the remote system - definitely a misconfiguration.
There's also a policy to be checked: "force shutdown from a remote system" which is a privilege that only administrators hold by default, maybe someone misconfigured that.
Also ask yourself if your firewalls should permit this. Normally, only administrative workstations may have network access to other workstations at all.
0
 

Author Comment

by:PapaSmurff
ID: 40509707
Interesting, I definitely know he doesn't have network administrator rights. I will look into local admin rights and get back to you ASAP. Thanks!
0
 
LVL 10

Expert Comment

by:tmoore1962
ID: 40509712
Edit a domain-wide policy to restrict users from running specific Windows programs:
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click your domain, and then click Properties.
3. Click the Group Policy tab.
4. In the Group Policy Object Links box, click the group policy to which you want to apply this setting. For example, click Default Domain Policy.
5. Click Edit.
6. Expand User Configuration, expand Administrative Templates, and then expand System.
7. In the right pane, double-click Don't run specified Windows applications.
8. Click Enabled, and then click Show.
9. Click Add, and then type the executable file name of the program that you want to restrict users from running. For example, type iexplore.exe.
10. Click OK, click OK, and then click OK.
11. Quit Group Policy Object Editor, and then click OK.

Also in system you could prevent access to the command prompt if you so choose.
0
 

Author Comment

by:PapaSmurff
ID: 40531235
Thanks tmoore, but if I prevent access to the shutdown command then no one can shut down.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40531257
Any more feedback for mine?
0
 

Author Comment

by:PapaSmurff
ID: 40531268
Sorry McKnife, I've been off for the last 2 weeks. I did find a localadmin.bat that was tied to a staff computer OU and disabled it. Please see below. Does this make any sense to you? This must have been in place for a while because I didn't create this:

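' Domain that holds the Local_Admin group
DomainName = "hcrhs"
Set oShell = WScript.CreateObject("WScript.Shell")
Set oProcsEnv = oShell.Environment("Process")
' Name of the computer the script is running on
ComputerName = oProcsEnv("COMPUTERNAME")
' Bind to the local Administrators group of this computer
Set oGroup = GetObject("WinNT://" & ComputerName & "/" & "Administrators")
' Add the domain group Local_Admin to local Administrators unless it is already a member
If Not oGroup.IsMember("WinNT://" & DomainName & "/Local_Admin") Then _
    oGroup.Add ("WinNT://" & DomainName & "/Local_Admin")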

pause
pause


Thanks!
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40531282
Take your time and answer all questions, I had many.
About the script: what group is local_admin? A domain group? If so, who's in there?
0
 

Author Comment

by:PapaSmurff
ID: 40531308
Thanks. Everyone, and it was set under a computer OU that had a good amount of PCs but not all. It's disabled now and I'm going to assume that's why he had access to remotely reset? Thanks for your help McKnife!
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40531327
Your script adds the group members of local_admin to the local administrator group of the computers it gets executed on. So if everyone is a member of local_admin, then everyone is local admin on all computers the script runs on... so he will be able to access $-shares from remote, do remote shutdown and much more. You need to undo that.
0
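The two checks raised in this thread (who is in the local Administrators group, nested groups included, and who holds "Force shutdown from a remote system"), as an added PowerShell example that is not part of the original thread. It assumes it is run elevated on the workstation being checked; the `$Allowed` entries are placeholders, and `SeRemoteShutdownPrivilege` is the constant name under which that user right appears in a `secedit` export.

```powershell
# Added example: audit who could shut this workstation down remotely.
# Run elevated on the machine being checked. Works on PowerShell 2.0 (Windows 7).
param(
    [string[]]$Allowed = @('Administrator', 'Domain Admins')  # placeholder allow-list
)

function Get-LocalAdminMember {
    param([string]$Computer = $env:COMPUTERNAME)
    # Same WinNT provider the logon script used, here read-only.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $t = $m.GetType()
        New-Object PSObject -Property @{
            Name  = $t.InvokeMember('Name',    'GetProperty', $null, $m, $null)
            Class = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)
            Path  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        }
    }
}

function Get-RemoteShutdownHolder {
    # Export only the user-rights area of the local security policy and read one line.
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteShutdownPrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # The value is a comma-separated list of *SID entries or account names.
    ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() }
}

foreach ($m in Get-LocalAdminMember) {
    if ($Allowed -notcontains $m.Name) {
        Write-Warning "Unexpected local admin: $($m.Path) [$($m.Class)]"
    }
    if ($m.Class -eq 'Group') {
        # A nested group (such as Local_Admin in this thread) makes every one of
        # its members a local administrator, so its membership needs review too.
        Write-Output "Review membership of nested group: $($m.Path)"
    }
}

# *S-1-5-32-544 is the built-in Administrators group, the default holder.
foreach ($h in Get-RemoteShutdownHolder) {
    if ($h -ne '*S-1-5-32-544') {
        Write-Warning "Non-default holder of 'Force shutdown from a remote system': $h"
    }
}
```

Disabling the logon script does not remove a group it has already added, so a nested group reported here still has to be taken out of the local Administrators group on each affected computer.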
 

Author Comment

by:PapaSmurff
ID: 40531347
Thanks again!
0


Question has a verified solution.
