Disable Shutdown for TS but not Locally

[hambo12]

I have a small problem with Group Policy that I cant seem to work out.

Basically I have 50 or so logins, and those logins are used for local machines and also for Terminal Server logins.
What I want to do is allow shutdown for the local computers, but remove the shutdown option for the terminal sessions.

Is this possible to do? i.e is there a terminal services setting to say 'disable shutdown', which doesnt disable it for the local logins?

 

[petrosky]

Hi there,

Check the following.

Security Settings\Local policies\User Rights Assignment\Shut Down the System

Regards,

Peter.

Remember- It's nice to be important,
but it's important to be nice

 

[hambo12]

Thanks for the info, however I dont think that will work.

E.G I have a user 'test'.

I want test to be able to shutdown their local system, but not have shutdown on their TS sessions.

By adding the user to the restricted list of 'Shut down the system' the user would not be able to shut down anything, TS or local system...

 

[petrosky]

Hmm...looks like you are correct...I did find this though?

Q: How can I prevent my users from shutting down the Terminal Server?
Last modified: June 17, 2007

A: If your users can shutdown the Terminal Server, they are members of the Administrator group.
If that's the case, there is no way to prevent them from shutting down the server (and they will be able to do far more serious damage than merely shutting it down!).

You can remove the Shutdown option from the Start Menu with a Group Policy, but this is only a cosmetic change. Normal users will *not* be able to actually shutdown the server, even if they see the option, and Administrators *will* be able to shutdown the server, even if they don't see the option.

Are all your remote users local admins?

Remember- It's nice to be important,
but it's important to be nice

 

[pgaliardo]

As long as the users are not memebers of the Administrators group on the terminal server, you should be OK. You can also set the local security policy on the terminal server itself, that should not affect the user shutting down their local machine and will prvent them from shutting down the terminal server. Additionally, do a search on "locking down terminal server" to set up policies to remove the shutdown button, disable right click, disable registry editing tools, etc.

 

[bluelinenetworks]

Question: Are they logging into their Desktop PC's which arent actually a terminal server but rather an XP box?

 

[hambo12]

Hi thanks for the info. I am actually trying to make sense of what was setup before I started, so it is possible the users are setup as admins and that is why they have shutdown rights on TS.

To answer bluelinenetworks question, they are logging in locally on their XP boxes, and also logging onto TS sessions through their local logins...

 

[Roadki11]

I would google loopback processing.

http://www.google.com/search?hl=en&q=loopback+processing

Checkout the first link.



RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen

 

[Dublin73]

create an OU in Active Directory. Put all of your terminal servers into this OU.

Apply a GPO to this OU. Within the GPO set all of your computer AND user settings, including shutdown access etc..

see Microsoft article here...

http://support.microsoft.com/kb/260370

The most noteable part of the article (which Roadki11 references) is the following

"Use the Group Policy loopback feature to apply User Configuration GPO settings to users only when they log on to the Terminal Servers. When GPO Loopback processing is enabled for the computers in an OU that contains only Terminal Servers, those computers apply the User Configuration settings from the set of GPOs that apply to that OU."