RE: how do I prevent power user from shutting down or rebooting a

You could do this, but I can't reccomend it. Intuit says this because they
don't want to tell users to alter the security on files and registry keys
(thus it's easier for them)

--
Patrick Rouse
Microsoft MVP - Terminal Server
http://www.workthin.com


"dabbuhl1" wrote:

> Patrick,
>
> Thanks for your help. From what you have said in the past, it would be
> better if the users were not power users. I asked quick books about this and
> they said that power user setting is required because other users would not
> get full use of the product as a mobil or user profile. In the user right
> assignment section that you linked to, could I set most user right
> assignments to administrators only? Would this work to allow power users to
> only access quick books, which is the only thing I want them to do.
>
> Dan Abbuhl
> Interlink
>
>
> "Patrick Rouse" wrote:
>
> > The following is taken from a 2003 Server:
> >
> > http://www.workthin.com/images/ShutDownTheSystem.bmp
> > --
> > Patrick Rouse
> > Microsoft MVP - Terminal Server
> > http://www.workthin.com
> >
> >
> > "dabbuhl1" wrote:
> >
> > > Patrick,
> > >
> > > I cant find the exact point by point way you stated here. It almost looks
> > > like you were showing me how to do this in server 2000. I was able to find a
> > > user right assignments and the shut down section which was undefined. I
> > > placed administrators in the box and still power users can reboot the
> > > computer. There is no settings > control panel from the start button.
> > >
> > > Please help.
> > >
> > > Dan Abbuhl
> > >
> > >
> > > "Patrick Rouse" wrote:
> > >
> > > > Honestly, you shouldn't be messing with a production Terminal Server if you
> > > > aren't familiar with these, however, you can go to Start -> Settings ->
> > > > Control Panel -> Administrative Tools -> Local Security Policy -> Local
> > > > Policies -> User rights assignment -> Shut down the system -> Remove "Power
> > > > Users".
> > > >
> > > > I highly recommend that you do all of this in a test environment, before
> > > > production. Are your non-admins/power users members of the Remote Desktop
> > > > Users Group (2003), or have user permission to the RDP-tcp connection in
> > > > tscc.msc (2000).
> > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Patrick Rouse
> > > > Microsoft MVP - Terminal Server
> > > > http://www.workthin.com
> > > >
> > > >
> > > > "dabbuhl1" wrote:
> > > >
> > > > > Patrick,
> > > > >
> > > > > I can not get any other user to connect via terminal service except for
> > > > > power user and administrator. Am I doing something wrong? I have tried to
> > > > > test both user and mobil profiles but get the error:
> > > > >
> > > > > The local policy of this system does not permit you to login interactively.
> > > > >
> > > > > I'm not shur where to set the policy of the local system to allow
> > > > > interactively login. I'm not sure where you remove the permission on shut
> > > > > down and reboot for the power user.
> > > > >
> > > > > What other things would the power user be able to do that I may want to
> > > > > disable?
> > > > >
> > > > > Dan Abbuhl
> > > > >
> > > > >
> > > > >
> > > > > "Patrick Rouse" wrote:
> > > > >
> > > > > > I didn't mention anything about user profiles, just that it's possible to use
> > > > > > QB without users having to be members of the Power Users Group. I also
> > > > > > mentioned that you can remove the power users group from the "Shut down the
> > > > > > system" right in the local security policy, or via GPO.
> > > > > >
> > > > > > Power users get access to all kinds of things, so this is NOT a good solution.
> > > > > > --
> > > > > > Patrick Rouse
> > > > > > Microsoft MVP - Terminal Server
> > > > > > http://www.workthin.com
> > > > > >
> > > > > >
> > > > > > "dabbuhl1" wrote:
> > > > > >
> > > > > > > I tried to setup a user under the "user" and "mobil" profile but I can not
> > > > > > > log into the terminal server with that user setting. How do I go about
> > > > > > > taking away the right to shut down or reboot from the "power user" group? I
> > > > > > > only want them to access the Quick Books program, nothing else. How can I
> > > > > > > allow a user to log into the terminal server and only allow them access to QB?
> > > > > > >
> > > > > > > "Patrick Rouse" wrote:
> > > > > > >
> > > > > > > > I believe it's possible to run QB without being a power user. Check the
> > > > > > > > following info in Vera Noest's Site:
> > > > > > > >
> > > > > > > > http://ts.veranoest.net/ts_apps_qb.htm
> > > > > > > >
> > > > > > > > You can remove the power users group from the "Shut down the system" right,
> > > > > > > > via Group Policy or local security policy, however removing users from the
> > > > > > > > power users group is the best solution, because power users can do workse
> > > > > > > > things to your server than shut it off.
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > Patrick Rouse
> > > > > > > > Microsoft MVP - Terminal Server
> > > > > > > > http://www.workthin.com
> > > > > > > >
> > > > > > > >
> > > > > > > > "dabbuhl1" wrote:
> > > > > > > >
> > > > > > > > > I am running Windows Server 2003 with terminal services. I use this to allow
> > > > > > > > > users to run Quick Books from our remote stores. This allows our 4 stores to
> > > > > > > > > access inventory and post payments from any of our retail stores easily. The
> > > > > > > > > problem is, everyone that connects via terminal services has to be a power
> > > > > > > > > user to access the Quick books program. I have tested this out of curiosity
> > > > > > > > > and forsee a problem down the line. Any user that logs in can reboot or shut
> > > > > > > > > down the server. How do I prevent or disallow this?
> > > > > > > > >
> > > > > > > > >
.