Disable user shutdown of TS Server (2003)


Guest

Hello,

I've been looking at Group Policy settings to make it so that users do not
have the option to shut down the Terminal Server but administrators do.
Could anyone let me know exactly how to set that up? So far everything I've
tried has resulted in both administrators and users not having the 'shut
down' command visible next to the 'log off' command. Thank you.
 
Hello,

Thanks for the quick reply!

I checked out that article and got part of the way there, but we're running
Windows Server 2003 (couldn't find the newsgroup for that and Terminal
Services although I tried) and the Terminal Server doesn't have Active
Directory installed. The domain controller does, but it's a separate server.
Should Active Directory be installed on the Terminal Server in order for
those changes to be made possible?

Thank you!
 
No, it should work if your Terminal server is a member of a domain
(not a standalone server in a workgroup).

Why doesn't this work for you? You do see the Security tab under
the properties of the GPO, do you? What exactly is the problem in
applying this?

Regarding newsgroups: there is no newsgroup especially for 2003
TS. Microsoft tries to get rid of the OS-specific newsgroups. The
TS newsgroup with the most traffic nowadays is
microsoft.public.windows.terminal_services, but it's no big deal
where you post.

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
 
Hi again,

Ok, then there must be something missing. The reason I ask about AD is
because when following the directions in KB315675 it says I should get to
Group Policy from AD. I go to Start, Programs and then Administrative Tools
but Active Directory Users & Computers doesn't show up at all. This Terminal
Server is joined to a domain.

I can get to Group Policy when reviewing next steps for the Terminal Server
and then configuring server settings, but I don't seem to be able to get
Properties on a group policy object. That's about where I'm stuck.

Thanks for the clarification on the OS/newsgroups thing --
 
Have you tried to configure the GPO from a different server in the
domain, maybe the DC? Does it work then?

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
 
Actually, think I may have found the solution just now and it has partly to
do with that. Found KB816100 which is specific to Server 2003 (although not
all that different). I did as you said, edited the GPO from a domain
controller and, using the instructions in KB292655, set it to Deny
application of the Group Policy to Domain admins.

Then created a custom.mmc on the Terminal Server, adding the Group Policy
snap-in. I set it to edit the Default Domain Policy rather than a local
policy.

From there I went to User Configuration, Administrative Templates, Start
Menu and Taskbar, and from there enabled 'Remove and Prevent Access to the
Shutdown Command'.

Now I see I probably could have made those changes to the GPO from the
Terminal Server at the beginning if I'd done it via snap-in on the MMC in the
first place. I tested to see if this all works by logging in as a regular
user (no shutdown command available) and then as an admin (shutdown
available), so it seems to be working. Thanks for the tips! They helped a
lot.
 
OK, I'm glad you solved it, and thanks for reporting back here!
I'll add KB 816100 to my website, might help someone else as well.

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
 
Hi Vera,

Thank you. Unfortunately, something slightly unexpected happened (although
I wondered if this might happen): the changes propagated throughout the
domain, so everyone's computer lost its shutdown button. Whoops! I thought
that might happen if I configured the domain policy.

I added a snap-in for GPO to the MMC, this time for Local Computer Policy
rather than Default Domain Policy, hoping I could make the same changes as
before, just to the local computer, and have them work. If I get Properties
on Default Domain Policy it does have a Security tab where I can specify
permissions on applying Group Policy, but when I go to Local Computer Policy
and get Properties there is no Security tab, just a General tab. Any ideas
on what I could do to get it working correctly (i.e. make sure Group Policy
does not apply to Administrators on the local machine/Terminal Server)?

Thank you!
 
What you have to do is put the Terminal server in a separate OU,
and then create a TS-specific GPO with the "remove shutdown
button" setting and all other settings that you want to apply to
TS sessions. Link your TS GPO to this TS OU and configure the GPO
with "Loopback processing" and the "Replace" option.

260370 - How to Apply Group Policy Objects to Terminal Services
Servers
http://support.microsoft.com/?kbid=260370

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
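
The OU, GPO and loopback steps from the reply above, scripted as an added example (not part of the original thread). It assumes a management host with the ActiveDirectory and GroupPolicy RSAT modules, which ship with later Windows releases rather than Server 2003; the domain, OU, GPO, computer and group names are placeholders. Administrators are exempted here by security filtering to a non-admin group, a substitute for the Deny "Apply Group Policy" entry described earlier in the thread.

```powershell
# Added example: names below are hypothetical placeholders, not values from the thread.
Import-Module ActiveDirectory, GroupPolicy

$DomainDN   = 'DC=example,DC=local'   # placeholder domain
$OuName     = 'Terminal Servers'      # placeholder OU
$OuDN       = "OU=$OuName,$DomainDN"
$GpoName    = 'TS Session Lockdown'   # placeholder GPO name
$TsComputer = 'TS01'                  # placeholder Terminal Server computer account
$UserGroup  = 'TS Users'              # placeholder group of non-admin TS users

# 1. Separate OU that holds only the Terminal Server computer account.
New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
Get-ADComputer -Identity $TsComputer | Move-ADObject -TargetPath $OuDN

# 2. TS-specific GPO, linked to that OU only (never to the domain root,
#    which is what removed the shutdown button domain-wide).
New-GPO -Name $GpoName | Out-Null
New-GPLink -Name $GpoName -Target $OuDN | Out-Null

# 3. Loopback processing (computer side). UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 4. "Remove and prevent access to the Shut Down command" (user side).
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoClose' -Type DWord -Value 1 | Out-Null

# 5. Security filtering. Authenticated Users drops from Apply to Read so that
#    administrators no longer receive the user settings.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

#    The computer account must keep Apply, otherwise the loopback setting
#    (a computer-side setting) is never processed on the Terminal Server.
Set-GPPermission -Name $GpoName -TargetName $TsComputer `
    -TargetType Computer -PermissionLevel GpoApply | Out-Null

#    Only members of the non-admin group receive the NoClose restriction.
Set-GPPermission -Name $GpoName -TargetName $UserGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 6. Review the resulting ACL before testing logons.
Get-GPPermission -Name $GpoName -All |
    Select-Object Trustee, Permission, Denied
```

After `gpupdate /force` on the Terminal Server, `gpresult` run in a regular user's session and in an administrator's session should list the GPO as applied for the former and filtered out for the latter.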
 