How do I prevent limited users from restarting the system?

Status
Not open for further replies.

Usalabs1

Technical User
Jun 29, 2003
I use WinXP Pro with 3 accounts (not including the default admin account): 1 has admin rights and the other 2 have limited rights. Is there a way to prevent limited accounts from restarting the system? I know it's somewhere in one of the policy settings, but I don't know where.

As it stands at the moment, a limited account user can click on 'Start->Turn off computer->restart' then click 'yes' on the 'other users are logged on' warning to continue restarting.
 
See if removing users from this policy helps.

Shut down the system.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Description.

Determines which users who are logged on locally to the computer can shut down the operating system using the Shut Down command.

Default:

Workstations and servers: Administrators, Backup Operators, Power Users, Users.
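
Added example (not part of the original thread): a way to check who actually holds the "Shut down the system" right after editing it, by parsing the `[Privilege Rights]` section of a `secedit /export /cfg` file. The sample export is constructed to mirror the default quoted above, and the function names are illustrative.

```python
# Constructed sample of a secedit export; real exports are typically UTF-16 files.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551
SeRemoteShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

# Well-known SIDs of the built-in local groups named in the policy default.
WELL_KNOWN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-551": "Backup Operators",
}

def parse_privilege_rights(text):
    """Return {privilege: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        principals = []
        for item in value.split(","):
            item = item.strip()
            if not item:
                continue
            # "*S-1-..." is a SID; a bare entry is an account name.
            sid = item[1:] if item.startswith("*") else None
            principals.append(WELL_KNOWN.get(sid, sid) if sid else item)
        rights[name.strip()] = principals
    return rights

def non_admin_holders(rights, privilege="SeShutdownPrivilege"):
    """Principals other than Administrators that hold the given right."""
    return [p for p in rights.get(privilege, []) if p != "Administrators"]

if __name__ == "__main__":
    print(non_admin_holders(parse_privilege_rights(SAMPLE_EXPORT)))
```

An empty list from `non_admin_holders` means only Administrators hold the right in the exported policy.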
 
The above policy setting doesn't work; limited accounts can still shut down or restart the system using 'Start->Turn off computer->[restart or shutdown]' and then just clicking 'Yes' on the 'Other users are still logged on, clicking yes, will disconnect the users and continue to restart/shutdown' dialog box.

What I'm looking for is a way to remove the logoff and shutdown commands from the start menu on limited accounts only. I found it under 'Group policies', but it affects all accounts, limited or otherwise. In other words, my account (admin) will show the shutdown and logoff on the start menu, while limited accounts will not show the shutdown and logoff commands and will not be able to click on 'Turn off computer' in the welcome screen after pressing 'Windows key + L'.
 
You can remove certain users from being affected by group policy by removing permissions for that user from the Group Policy folder.

There is nothing you can alter about the Computer Configuration side of Group Policy because it loads when the system boots. There just simply isn't any opportunity to specify breaking it apart into different users or groups. What that means is when you set a policy in the Computer Configuration section of Local Group Policy it's going to apply to the entire computer -- everyone -- that uses the machine. No exceptions.

In the User Configuration section of Local Group Policy we have a bit more latitude since the Registry.pol is 'read' when the user logs into the system, and that delayed 'read' is the key. By altering Read permissions on the Group Policy folder it's possible to divide the User Configuration portion of Local Group Policy into two distinct groups of users:

  • Users that are affected by the settings in Local Group Policy User Configuration.
  • Users that are not affected by the settings in Local Group Policy User Configuration.

Use the following steps to separate the users or groups into the two categories.

1. Institute the policies you want for Local Group Policy - User Configuration.
2. Navigate to the C:\Windows\System32\GroupPolicy folder, right click and select Properties.
3. Click the Security tab on the GroupPolicy Properties dialog box. (Fig. 07)
4. Highlight the Group or Username that you want to exclude from being affected by the User Configuration part of Local Group Policy.
5. In the Permissions section, change the Read permission from Allow to Deny.
6. Click Allow. Click OK.

[Fig. 07: screenshot of the Security tab of the GroupPolicy Properties dialog box (SP32-05052003-201544.gif)]


In the example above, Administrators was selected and the Read permission changed to Deny. Selecting Administrators automatically includes Admin #1 and Admin #2, making them able to run Messenger while User #1 and User #2 are prohibited by Group Policy from running Messenger. It's certainly possible to create new groups using Computer Management to organize the machine users, and using the Add and Remove buttons in Fig. 07 they can be controlled for Group Policy purposes. Still, unless you move to a server product and use Active Directory, this workaround is limited to the User Configuration section of Local Group Policy and it only provides an On/Off function because of the one Local Group Policy object limitation.

Source

Greg Palmer
Free Software for Administrators
 
I should also have mentioned that you will also need to set a different policy as the tweak above does not cover the Computer Configuration Part of Group Policy.

In gpedit.msc take a look at User Configuration > Administrative Templates > Start Menu and Task Bar

In here there are options for removing Shutdown etc.

Greg Palmer
Free Software for Administrators
 
How are you going to stop them pulling the plug?

Maybe you could look at the access permissions on Shutdown.exe in the System32 folder, or move it somewhere you only have access to it, or something along those lines?


293655 - How to apply local policies to all users except administrators in a workgroup setting in Windows 2000

325351 - HOW TO: Apply Local Policies to All Users Except Administrators on Windows Server 2003 in a Workgroup Setting


XP User Accounts & Restrictions - Help Required
thread779-877059

292504 - Policy Settings for the Start Menu in Windows XP
 