RE: how do I prevent power user from shutting down or rebooting a




There is no Domain Power Users Group, Power Users exist ONLY on stand alone
servers, domain member servers, stand alone client workstations and domain
member client workstations.

On top of this, it's highly recommended that you NOT run TS on a Domain
Controller. Is there a reason why you're running Active Directory on this
machine?
--
Patrick Rouse
Microsoft MVP - Terminal Server
http://www.workthin.com


"dabbuhl1" wrote:

> Patrick,
>
> This is the case. What kind of user in this environment would be the same
> as a power user?
>
> Dan Abbuhl
>
>
> "Patrick Rouse" wrote:
>
> > An Active Directory Domain Controller, which doesn't have local accounts.
> > --
> > Patrick Rouse
> > Microsoft MVP - Terminal Server
> > http://www.workthin.com
> >
> >
> > "dabbuhl1" wrote:
> >
> > > Patrick,
> > >
> > > what is a DC server?
> > >
> > > Dan Abbuhl
> > >
> > >
> > > "Patrick Rouse" wrote:
> > >
> > > > Perhaps you made the server a DC.
> > > > --
> > > > Patrick Rouse
> > > > Microsoft MVP - Terminal Server
> > > > http://www.workthin.com
> > > >
> > > >
> > > > "dabbuhl1" wrote:
> > > >
> > > > > Patrick,
> > > > >
> > > > > We had a hard drive failure so we are reinstalling server2003. We have
> > > > > action pack so we have installed 2003 server Enterprise. I don't see the
> > > > > same power user listed in the groups of users. What would be the equivalent
> > > > > in this version?
> > > > >
> > > > > Dan Abbuhl
> > > > >
> > > > > "Patrick Rouse" wrote:
> > > > >
> > > > > > What I recommend is what I always do when setting up a new TS:
> > > > > >
> > > > > > 1. Clean install (or image install) of the OS.
> > > > > > 2. Install TS
> > > > > > 3. Lock down file system (C Root - Administrators & System = Full Control,
> > > > > > Authenticated users = Read & Execute, same for Program Files Folder, remove
> > > > > > Power Users from the ACLs on these directories)
> > > > > > 4. Image server (using Ghost or other imaging program)
> > > > > > 5. Create default user profile by logging on with a non-admin account,
> > > > > > making all settings you want as default, logoff, logon as administrator and
> > > > > > use the system control panel user profiles applet to copy this profile to
> > > > > > \Documents and Settings\Default User.
> > > > > > 6. Change User /Install - Install Application 1 (follow any manufacturer
> > > > > > > specific app install instructions if they do not require you to alter
> > > > > > system-wide security)
> > > > > > 7. Launch Application as administrator
> > > > > > 8. Change user /execute
> > > > > > 9. Image Server again
> > > > > > 10. Test application as a non-administrator
> > > > > > 11. Use regmon & filemon to monitor access denied errors when application
> > > > > > > is launched, so you know where allowances need to be made to get your
> > > > > > application to work for non-admins.
> > > > > > 12. When app is working, image again.
> > > > > > 13. Repeat 6-12 for each application to be installed
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Patrick Rouse
> > > > > > Microsoft MVP - Terminal Server
> > > > > > http://www.workthin.com
> > > > > >
> > > > > >
> > > > > > "dabbuhl1" wrote:
> > > > > >
> > > > > > > Patrick,
> > > > > > >
> > > > > > > Again, thanks for your time and advice. What do you recommend then? I need
> > > > > > > full functionality for Quickbooks, but that is all. I don't want users to
> > > > > > > > use anything else. One of the things that Intuit said is that functions like
> > > > > > > > emailing invoices and possibly printing to the users local machine or printer
> > > > > > > > would not work. I set a user under the profile template of user and added
> > > > > > > > remote desktop profile to it and it seemed fine. What do you recommend?
> > > > > > >
> > > > > > > Dan Abbuhl
> > > > > > >
> > > > > > > "Patrick Rouse" wrote:
> > > > > > >
> > > > > > > > > You could do this, but I can't recommend it. Intuit says this because they
> > > > > > > > don't want to tell users to alter the security on files and registry keys
> > > > > > > > (thus it's easier for them)
> > > > > > > >
> > > > > > > > --
> > > > > > > > Patrick Rouse
> > > > > > > > Microsoft MVP - Terminal Server
> > > > > > > > http://www.workthin.com
> > > > > > > >
> > > > > > > >
> > > > > > > > "dabbuhl1" wrote:
> > > > > > > >
> > > > > > > > > Patrick,
> > > > > > > > >
> > > > > > > > > Thanks for your help. From what you have said in the past, it would be
> > > > > > > > > better if the users were not power users. I asked quick books about this and
> > > > > > > > > they said that power user setting is required because other users would not
> > > > > > > > > > get full use of the product as a mobile or user profile. In the user right
> > > > > > > > > assignment section that you linked to, could I set most user right
> > > > > > > > > assignments to administrators only? Would this work to allow power users to
> > > > > > > > > only access quick books, which is the only thing I want them to do.
> > > > > > > > >
> > > > > > > > > Dan Abbuhl
> > > > > > > > > Interlink
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > "Patrick Rouse" wrote:
> > > > > > > > >
> > > > > > > > > > The following is taken from a 2003 Server:
> > > > > > > > > >
> > > > > > > > > > http://www.workthin.com/images/ShutDownTheSystem.bmp
> > > > > > > > > > --
> > > > > > > > > > Patrick Rouse
> > > > > > > > > > Microsoft MVP - Terminal Server
> > > > > > > > > > http://www.workthin.com
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > "dabbuhl1" wrote:
> > > > > > > > > >
> > > > > > > > > > > Patrick,
> > > > > > > > > > >
> > > > > > > > > > > > I can't find the exact point by point way you stated here. It almost looks
> > > > > > > > > > > like you were showing me how to do this in server 2000. I was able to find a
> > > > > > > > > > > user right assignments and the shut down section which was undefined. I
> > > > > > > > > > > placed administrators in the box and still power users can reboot the
> > > > > > > > > > > computer. There is no settings > control panel from the start button.
> > > > > > > > > > >
> > > > > > > > > > > Please help.
> > > > > > > > > > >
> > > > > > > > > > > Dan Abbuhl
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > "Patrick Rouse" wrote:
> > > > > > > > > > >
> > > > > > > > > > > > Honestly, you shouldn't be messing with a production Terminal Server if you
> > > > > > > > > > > > aren't familiar with these, however, you can go to Start -> Settings ->
> > > > > > > > > > > > Control Panel -> Administrative Tools -> Local Security Policy -> Local
> > > > > > > > > > > > Policies -> User rights assignment -> Shut down the system -> Remove "Power
> > > > > > > > > > > > Users".
> > > > > > > > > > > >
> > > > > > > > > > > > I highly recommend that you do all of this in a test environment, before
> > > > > > > > > > > > production. Are your non-admins/power users members of the Remote Desktop
> > > > > > > > > > > > Users Group (2003), or have user permission to the RDP-tcp connection in
> > > > > > > > > > > > tscc.msc (2000).
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > --
> > > > > > > > > > > > Patrick Rouse
> > > > > > > > > > > > Microsoft MVP - Terminal Server
> > > > > > > > > > > > http://www.workthin.com
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > "dabbuhl1" wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > Patrick,
> > > > > > > > > > > > >
> > > > > > > > > > > > > I can not get any other user to connect via terminal service except for
> > > > > > > > > > > > > power user and administrator. Am I doing something wrong? I have tried to
> > > > > > > > > > > > > > test both user and mobile profiles but get the error:
> > > > > > > > > > > > >
> > > > > > > > > > > > > The local policy of this system does not permit you to login interactively.
> > > > > > > > > > > > >
> > > > > > > > > > > > > > I'm not sure where to set the policy of the local system to allow
> > > > > > > > > > > > > interactively login. I'm not sure where you remove the permission on shut
> > > > > > > > > > > > > down and reboot for the power user.
> > > > > > > > > > > > >
> > > > > > > > > > > > > What other things would the power user be able to do that I may want to
> > > > > > > > > > > > > disable?
> > > > > > > > > > > > >
> > > > > > > > > > > > > Dan Abbuhl
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > "Patrick Rouse" wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > I didn't mention anything about user profiles, just that it's possible to use
> > > > > > > > > > > > > > QB without users having to be members of the Power Users Group. I also
> > > > > > > > > > > > > > mentioned that you can remove the power users group from the "Shut down the
> > > > > > > > > > > > > > system" right in the local security policy, or via GPO.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Power users get access to all kinds of things, so this is NOT a good solution.
> > > > > > > > > > > > > > --
> > > > > > > > > > > > > > Patrick Rouse
> > > > > > > > > > > > > > Microsoft MVP - Terminal Server
> > > > > > > > > > > > > > http://www.workthin.com
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > "dabbuhl1" wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > I tried to set up a user under the "user" and "mobile" profile but I can not
> > > > > > > > > > > > > > > log into the terminal server with that user setting. How do I go about
> > > > > > > > > > > > > > > taking away the right to shut down or reboot from the "power user" group? I
> > > > > > > > > > > > > > > only want them to access the Quick Books program, nothing else. How can I
> > > > > > > > > > > > > > > allow a user to log into the terminal server and only allow them access to QB?
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > "Patrick Rouse" wrote:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > I believe it's possible to run QB without being a power user. Check the
> > > > > > > > > > > > > > > > following info in Vera Noest's Site:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > http://ts.veranoest.net/ts_apps_qb.htm
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > You can remove the power users group from the "Shut down the system" right,
> > > > > > > > > > > > > > > > via Group Policy or local security policy, however removing users from the
> > > > > > > > > > > > > > > > > power users group is the best solution, because power users can do worse
> > > > > > > > > > > > > > > > things to your server than shut it off.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > --
> > > > > > > > > > > > > > > > Patrick Rouse
> > > > > > > > > > > > > > > > Microsoft MVP - Terminal Server
> > > > > > > > > > > > > > > > http://www.workthin.com
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > "dabbuhl1" wrote:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > I am running Windows Server 2003 with terminal services. I use this to allow
> > > > > > > > > > > > > > > > > users to run Quick Books from our remote stores. This allows our 4 stores to
> > > > > > > > > > > > > > > > > access inventory and post payments from any of our retail stores easily. The
> > > > > > > > > > > > > > > > > problem is, everyone that connects via terminal services has to be a power
> > > > > > > > > > > > > > > > > user to access the Quick books program. I have tested this out of curiosity
> > > > > > > > > > > > > > > > > > and foresee a problem down the line. Any user that logs in can reboot or shut
> > > > > > > > > > > > > > > > > down the server. How do I prevent or disallow this?
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > >
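
An added example, not part of the original thread: one way to check from an elevated prompt which accounts hold the "Shut down the system" right and the logon rights discussed above, and whether Power Users is among them. It assumes PowerShell 2.0 or later is installed on the server; the temp file name and the Resolve-Principal helper are hypothetical.

```powershell
# Export the effective user rights with secedit (ships with Windows) and
# report who holds the rights this thread is about. Run as administrator.
$cfg = Join-Path $env:TEMP 'user_rights_audit.inf'   # hypothetical file name
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

$powerUsersSid = 'S-1-5-32-547'   # well-known SID of BUILTIN\Power Users
$rights = @{
    'SeShutdownPrivilege'           = 'Shut down the system'
    'SeInteractiveLogonRight'       = 'Allow log on locally'
    'SeRemoteInteractiveLogonRight' = 'Allow log on through Terminal Services'
}

# secedit writes SIDs as "*S-1-..." and unresolved entries as plain names.
function Resolve-Principal([string]$entry) {
    $e = $entry.Trim()
    if (-not $e.StartsWith('*')) { return $e }
    $sid = $e.Substring(1)
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($sid)
        return $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $sid   # SID with no matching account on this machine
    }
}

$found = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rights.ContainsKey($Matches[1])) {
        $found[$Matches[1]] = $Matches[2].Split(',') | ForEach-Object { $_.Trim() }
    }
}

foreach ($name in $rights.Keys) {
    if (-not $found.ContainsKey($name)) {
        # A right with no holders is omitted from the export.
        Write-Output ("{0}: no accounts assigned" -f $rights[$name])
        continue
    }
    $holders = $found[$name] | ForEach-Object { Resolve-Principal $_ }
    Write-Output ("{0}: {1}" -f $rights[$name], ($holders -join ', '))
    if ($found[$name] -contains "*$powerUsersSid") {
        Write-Output ("  WARNING: Power Users holds '{0}'" -f $rights[$name])
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

On a domain member, a GPO that defines the same right overrides the local setting at the next policy refresh, so re-run the check after `gpupdate`.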