Re: Disable user shutdown of TS Server (2003)

From: AJWS (AJWS_at_discussions.microsoft.com)
Date: 10/21/04 

Date: Thu, 21 Oct 2004 12:19:06 -0700

Hi Vera,

Thank you. Unfortunately, something slightly unexpected happened (although
I wondered if this might happen): the changes propagated throughout the
domain, so everyone's computer lost its shutdown button. Whoops! I thought
that might happened if I configured the domain policy.

I added a snap-in for GPO to the MMC, this time for Local Computer Policy
rather than Default Domain Policy, hoping I could make the same changes as
before, just to the local computer, and have them work. If I get Properties
on Default Domain Policy it does have a Security tab where I can specify
permissions on applying Group Policy, but when I go to Local Computer Policy
and get Properties there is no Security tab, just a General tab. Any ideas
on what I could do to get it working correctly (i.e. make sure Group Policy
does not apply to Administrators on the local machine/Terminal Server)?

Thank you!

"Vera Noest [MVP]" wrote:

> OK, I'm glad you solved it, and thanks for reporting back here!
> I'll add KB 816100 to my website, might help someone else as well.
>
> --
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> http://hem.fyristorg.com/vera/IT
> --- please respond in newsgroup, NOT by private email ---
>
> "=?Utf-8?B?QUpXUw==?=" <AJWS@discussions.microsoft.com> wrote on
> 20 okt 2004 in microsoft.public.win2000.termserv.apps:
>
> > Actually, think I may have found the solution just now and it
> > has partly to do with that. Found KB816100 which is specific to
> > Server 2003 (although not all that different). I did as you
> > said, edited the GPO from a domain controller and, using the
> > instructions in KB292655, set it to Deny application of the
> > Group Policy to Domain admins.
> >
> > Then created a custom.mmc on the Terminal Server, adding the
> > Group Policy snap-in. I set it to edit the Default Domain
> > Policy rather than a local policy.
> >
> > From there I went to Users Configuration, Administrative
> > Templates, Start Menu and Taskbar, and from there enabled
> > 'Remove and Prevent Access to the Shutdown Command".
> >
> > Now I see I probably could have made those changes to the GPO
> > from the Terminal Server at the beginning if I'd done it via
> > snap-in on the MMC in the first place. I tested to see if this
> > all works by logging in as a regular user (no shutdown command
> > available) and then as an admin (shutdown available), so it
> > seems to be working. Thanks for the tips! They helped a lot.
> >
> >
> >
> > "Vera Noest [MVP]" wrote:
> >
> >> Have you tried to configure the GPO from a different server in
> >> the domain, maybe the DC? Does it work then?
> >>
> >> --
> >> Vera Noest
> >> MCSE, CCEA, Microsoft MVP - Terminal Server
> >> http://hem.fyristorg.com/vera/IT
> >> --- please respond in newsgroup, NOT by private email ---
> >>
> >> "=?Utf-8?B?QUpXUw==?=" <AJWS@discussions.microsoft.com> wrote
> >> on 19 okt 2004 in microsoft.public.win2000.termserv.apps:
> >>
> >> > Hi again,
> >> >
> >> > Ok, then there must be something missing. The reason I ask
> >> > about AD is because when following the directions in KB315675
> >> > it says I should get to Group Policy from AD. I go to Start,
> >> > Programs and then Administrative Tools but Active Directory
> >> > Users & Computers doesn't show up at all. This Terminal
> >> > Server is joined to a domain.
> >> >
> >> > I can get to Group Policy when reviewing next steps for the
> >> > Terminal Server and then configuring server settings, but I
> >> > don't seem to be able to get Properties on a group policy
> >> > object. That's about where I'm stuck.
> >> >
> >> > Thanks for the clarification on the OS/newsgroups thing --
> >> >
> >> >
> >> >
> >> > "Vera Noest [MVP]" wrote:
> >> >
> >> >> No, it should work if your Terminal server is a member of a
> >> >> domain (not a standalone server in a workgroup).
> >> >>
> >> >> Why doesn't this work for you? You do see the Security tab
> >> >> under the properties of the GPO, do you? What exactly is the
> >> >> problem in applying this?
> >> >>
> >> >> Regarding newsgroups: there is no newsgroup especially for
> >> >> 2003 TS. Microsoft tries to get rid of the OS-specific
> >> >> newsgroups. The TS newsgroup with the most traffic nowadays
> >> >> is microsoft.public.windows.terminal_services, but it's no
> >> >> big deal where you post.
> >> >>
> >> >> --
> >> >> Vera Noest
> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server
> >> >> http://hem.fyristorg.com/vera/IT
> >> >> --- please respond in newsgroup, NOT by private email ---
> >> >>
> >> >> "=?Utf-8?B?QUpXUw==?=" <AJWS@discussions.microsoft.com>
> >> >> wrote on 19 okt 2004 in
> >> >> microsoft.public.win2000.termserv.apps:
> >> >>
> >> >> > Hello,
> >> >> >
> >> >> > Thanks for the quick reply!
> >> >> >
> >> >> > I checked out that article and got part of the way there,
> >> >> > but we're running Windows Server 2003 (couldn't find the
> >> >> > newsgroup for that and Terminal Services although I tried)
> >> >> > and the Terminal Server doesn't have Active Directory
> >> >> > installed. The domain controller does, but it's a
> >> >> > separate server.
> >> >> > Should Active Directory be installed on the Terminal
> >> >> > Server in order for
> >> >> > those changes to be made possible?
> >> >> >
> >> >> > Thank you!
> >> >> >
> >> >> >
> >> >> >
> >> >> > "Vera Noest [MVP]" wrote:
> >> >> >
> >> >> >> Have you tried to configure "Deny" to the right to "Apply
> >> >> >> this policy" for Administrators?
> >> >> >>
> >> >> >> 315675 - HOW TO: Keep Domain Group Policies from Applying
> >> >> >> to Administrator Accounts and Selected Users in Windows
> >> >> >> 2000 http://support.microsoft.com/?kbid=315675
> >> >> >>
> >> >> >> --
> >> >> >> Vera Noest
> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server
> >> >> >> http://hem.fyristorg.com/vera/IT
> >> >> >> --- please respond in newsgroup, NOT by private email
> >> >> >> ---
> >> >> >>
> >> >> >> "=?Utf-8?B?QUpXUw==?=" <AJWS@discussions.microsoft.com>
> >> >> >> wrote on 18 okt 2004 in
> >> >> >> microsoft.public.win2000.termserv.apps:
> >> >> >>
> >> >> >> > Hello,
> >> >> >> >
> >> >> >> > I've been looking at Group Policy settings to make it
> >> >> >> > so that users do not have the option to shut down the
> >> >> >> > Terminal Server but administrators do. Could anyone
> >> >> >> > let me know exactly how to set that up? So far
> >> >> >> > everything I've tried has resulted in both
> >> >> >> > administrators and users not having the 'shut down'
> >> >> >> > command visible next to the 'log off' command. Thank
> >> >> >> > you.
>

Loading