Guest JBradshaw Posted August 21, 2008 Posted August 21, 2008 A previous admin created a GPO setting that removed the shutdown option from the start menu of machines in various OUs. I am trying to do some testing on a machine using RDP, and for some reason, it, also, does not have a shut down option on the start menu. I need to be able to shutdown via RDP. I have scoured our GPO looking for where I can add this option. I have move the machine to its own OU and verified that User Configuration / Administrative Templates / Start Menu and Taskbar does NOT have the "Remove and Prevent Shut Down" option enabled. I have also used gpedit on the local machine to set this option to Disabled. I have rebooted the machine, and I have run gpupdate. But there is still no shut down option on my start menu. What am I missing?! Thanks.
Guest Soo Kuan Teo [MSFT] Posted August 21, 2008 Posted August 21, 2008 Re: Log Off, Disconnect, but no Shutdown What is the Windows version of Terminal Services are you running? -- This posting is provided "AS IS" with no warranties, and confers no rights. "JBradshaw" <jbradsha@dphilneas.nnn> wrote in message news:9aKdnZWQXcpzXTDVnZ2dnUVZ_qfinZ2d@posted.internetamerica... >A previous admin created a GPO setting that removed the shutdown option >from the start menu of machines in various OUs. > > I am trying to do some testing on a machine using RDP, and for some > reason, it, also, does not have a shut down option on the start menu. > > I need to be able to shutdown via RDP. I have scoured our GPO looking for > where I can add this option. I have move the machine to its own OU and > verified that User Configuration / Administrative Templates / Start Menu > and Taskbar does NOT have the "Remove and Prevent Shut Down" option > enabled. I have also used gpedit on the local machine to set this option > to Disabled. > > I have rebooted the machine, and I have run gpupdate. But there is still > no shut down option on my start menu. > > What am I missing?! Thanks. >
Guest Patrick Rouse Posted August 21, 2008 Posted August 21, 2008 Re: Log Off, Disconnect, but no Shutdown If you are using 2003 it is located at: User Configuration\Administrative Templates\Start Menu and Taskbar\Remove and prevent access to the Shut Down command This setting removes the Shut Down options from the Start menu and disables the Shut Down button on the Windows Security dialog box, which appears when you press CTRL+ALT+DEL. -- Patrick C. Rouse Microsoft MVP - Terminal Server SE, West Coast USA & Canada Quest Software, Provision Networks Division Virtual Client Solutions http://www.provisionnetworks.com "Soo Kuan Teo [MSFT]" wrote: > What is the Windows version of Terminal Services are you running? > > > -- > This posting is provided "AS IS" with no warranties, and confers no rights. > > "JBradshaw" <jbradsha@dphilneas.nnn> wrote in message > news:9aKdnZWQXcpzXTDVnZ2dnUVZ_qfinZ2d@posted.internetamerica... > >A previous admin created a GPO setting that removed the shutdown option > >from the start menu of machines in various OUs. > > > > I am trying to do some testing on a machine using RDP, and for some > > reason, it, also, does not have a shut down option on the start menu. > > > > I need to be able to shutdown via RDP. I have scoured our GPO looking for > > where I can add this option. I have move the machine to its own OU and > > verified that User Configuration / Administrative Templates / Start Menu > > and Taskbar does NOT have the "Remove and Prevent Shut Down" option > > enabled. I have also used gpedit on the local machine to set this option > > to Disabled. > > > > I have rebooted the machine, and I have run gpupdate. But there is still > > no shut down option on my start menu. > > > > What am I missing?! Thanks. > > > >
Guest Quch_IT Posted August 27, 2008 Posted August 27, 2008 Re: Log Off, Disconnect, but no Shutdown Hi, I'm also looking for removing shutdown option in GPO. In my case I would like to have it disabled only if users connection is a terminal connection - in interactive logon it must be available to the same user. Are there any option beside applying it with WMI filter in 2k3/2k8?? -- Quch_IT. Użytkownik "Patrick Rouse" <PatrickRouse@discussions.microsoft.com> napisał w wiadomości news:EDBECA02-F6B2-486E-B90F-7ECC29DFC382@microsoft.com... > If you are using 2003 it is located at: > > User Configuration\Administrative Templates\Start Menu and Taskbar\Remove > and prevent access to the Shut Down command > > This setting removes the Shut Down options from the Start menu and > disables > the Shut Down button on the Windows Security dialog box, which appears > when > you press CTRL+ALT+DEL. > > > -- > Patrick C. Rouse > Microsoft MVP - Terminal Server > SE, West Coast USA & Canada > Quest Software, Provision Networks Division > Virtual Client Solutions > http://www.provisionnetworks.com > > > "Soo Kuan Teo [MSFT]" wrote: > >> What is the Windows version of Terminal Services are you running? >> >> >> -- >> This posting is provided "AS IS" with no warranties, and confers no >> rights. >> >> "JBradshaw" <jbradsha@dphilneas.nnn> wrote in message >> news:9aKdnZWQXcpzXTDVnZ2dnUVZ_qfinZ2d@posted.internetamerica... >> >A previous admin created a GPO setting that removed the shutdown option >> >from the start menu of machines in various OUs. >> > >> > I am trying to do some testing on a machine using RDP, and for some >> > reason, it, also, does not have a shut down option on the start menu. >> > >> > I need to be able to shutdown via RDP. I have scoured our GPO looking >> > for >> > where I can add this option. I have move the machine to its own OU and >> > verified that User Configuration / Administrative Templates / Start >> > Menu >> > and Taskbar does NOT have the "Remove and Prevent Shut Down" option >> > enabled. I have also used gpedit on the local machine to set this >> > option >> > to Disabled. >> > >> > I have rebooted the machine, and I have run gpupdate. But there is >> > still >> > no shut down option on my start menu. >> > >> > What am I missing?! Thanks. >> > >> >>
Guest Patrick Rouse Posted August 28, 2008 Posted August 28, 2008 Re: Log Off, Disconnect, but no Shutdown The appropriate way to assign GPO settings to users "only" when they logon to a Terminal Server is as follows: 1. Create an OU to contain a set of Terminal Servers 2. Block Policy Inheritance on the OU (Properties -> Group Policy). This prevents settings from higher-up in AD from affecting your Terminal Servers. 3. Move the Terminal Server Computer Objects into the OU. Do NOT place User Accounts in this OU. 3. Create an Active Directory Security Group called “Terminal Servers” (or something similar that you’ll recognize) and add the Terminal Servers from this OU to this group. 5. Create a GPO called “TS Machine Policy” linked to the OU 6. Check “Disable User Configuration settings” on the GPO 7. Enable Loopback Policy Processing in the GPO 8. Edit the Security of the Policy so Apply Policy is set for “Authenticated Users” and the Security Group containing the Terminal Servers 9. Create additional GPOs linked to this OU for each user population, i.e. “TS Users”, “TS Administrators”. 10. Check “Disable Computer Configuration settings” on these GPO 11. Edit the Security on these User Configuration GPOs so Apply Policy is enabled for the target user population, and Deny Apply Policy is enabled for user to which the policy should not apply. With GPOs configured this way the Machine Policy applies to everyone that logs on to the Terminal Server (only the Computer Configuration Settings of the Machine Policy are processed) in addition to the appropriate User Configuration GPO (only the User Configuration portion of the GPO is processed) for the target user population. -- Patrick C. Rouse Microsoft MVP - Terminal Server Systems Consultant Quest Software, Provision Networks Division Virtual Client Solutions http://www.provisionnetworks.com "Quch_IT" wrote: > Hi, I'm also looking for removing shutdown option in GPO. > In my case I would like to have it disabled only if users connection is a > terminal connection - in interactive logon it must be available to the same > user. > Are there any option beside applying it with WMI filter in 2k3/2k8?? > > -- > > Quch_IT. > > Użytkownik "Patrick Rouse" <PatrickRouse@discussions.microsoft.com> napisał > w wiadomości news:EDBECA02-F6B2-486E-B90F-7ECC29DFC382@microsoft.com... > > If you are using 2003 it is located at: > > > > User Configuration\Administrative Templates\Start Menu and Taskbar\Remove > > and prevent access to the Shut Down command > > > > This setting removes the Shut Down options from the Start menu and > > disables > > the Shut Down button on the Windows Security dialog box, which appears > > when > > you press CTRL+ALT+DEL. > > > > > > -- > > Patrick C. Rouse > > Microsoft MVP - Terminal Server > > SE, West Coast USA & Canada > > Quest Software, Provision Networks Division > > Virtual Client Solutions > > http://www.provisionnetworks.com > > > > > > "Soo Kuan Teo [MSFT]" wrote: > > > >> What is the Windows version of Terminal Services are you running? > >> > >> > >> -- > >> This posting is provided "AS IS" with no warranties, and confers no > >> rights. > >> > >> "JBradshaw" <jbradsha@dphilneas.nnn> wrote in message > >> news:9aKdnZWQXcpzXTDVnZ2dnUVZ_qfinZ2d@posted.internetamerica... > >> >A previous admin created a GPO setting that removed the shutdown option > >> >from the start menu of machines in various OUs. > >> > > >> > I am trying to do some testing on a machine using RDP, and for some > >> > reason, it, also, does not have a shut down option on the start menu. > >> > > >> > I need to be able to shutdown via RDP. I have scoured our GPO looking > >> > for > >> > where I can add this option. I have move the machine to its own OU and > >> > verified that User Configuration / Administrative Templates / Start > >> > Menu > >> > and Taskbar does NOT have the "Remove and Prevent Shut Down" option > >> > enabled. I have also used gpedit on the local machine to set this > >> > option > >> > to Disabled. > >> > > >> > I have rebooted the machine, and I have run gpupdate. But there is > >> > still > >> > no shut down option on my start menu. > >> > > >> > What am I missing?! Thanks. > >> > > >> > >> >
Guest Quch_IT Posted August 28, 2008 Posted August 28, 2008 Re: Log Off, Disconnect, but no Shutdown Thanks for answer but does it works if the users ("TS Administrators") are the same users who are logging local and by a terminal? -- Quch_IT Użytkownik "Patrick Rouse" <PatrickRouse@discussions.microsoft.com> napisał w wiadomości news:21149EBC-BA0B-4851-9AFD-CB0007AD4EE9@microsoft.com... > The appropriate way to assign GPO settings to users "only" when they logon > to > a Terminal Server is as follows: > > 1. Create an OU to contain a set of Terminal Servers > > 2. Block Policy Inheritance on the OU (Properties -> Group Policy). This > prevents settings from higher-up in AD from affecting your Terminal > Servers. > > 3. Move the Terminal Server Computer Objects into the OU. Do NOT place > User > Accounts in this OU. > > 3. Create an Active Directory Security Group called “Terminal Servers” > (or > something similar that you’ll recognize) and add the Terminal Servers from > this OU to this group. > > 5. Create a GPO called “TS Machine Policy” linked to the OU > > 6. Check “Disable User Configuration settings” on the GPO > > 7. Enable Loopback Policy Processing in the GPO > > 8. Edit the Security of the Policy so Apply Policy is set for > “Authenticated Users” and the Security Group containing the Terminal > Servers > > 9. Create additional GPOs linked to this OU for each user population, > i.e. > “TS Users”, “TS Administrators”. > > 10. Check “Disable Computer Configuration settings” on these GPO > > 11. Edit the Security on these User Configuration GPOs so Apply Policy is > enabled for the target user population, and Deny Apply Policy is enabled > for > user to which the policy should not apply. > > With GPOs configured this way the Machine Policy applies to everyone that > logs on to the Terminal Server (only the Computer Configuration Settings > of > the Machine Policy are processed) in addition to the appropriate User > Configuration GPO (only the User Configuration portion of the GPO is > processed) for the target user population. > > > -- > Patrick C. Rouse > Microsoft MVP - Terminal Server > Systems Consultant > Quest Software, Provision Networks Division > Virtual Client Solutions > http://www.provisionnetworks.com > > > "Quch_IT" wrote: > >> Hi, I'm also looking for removing shutdown option in GPO. >> In my case I would like to have it disabled only if users connection is a >> terminal connection - in interactive logon it must be available to the >> same >> user. >> Are there any option beside applying it with WMI filter in 2k3/2k8?? >> >> -- >> >> Quch_IT. >> >> Użytkownik "Patrick Rouse" <PatrickRouse@discussions.microsoft.com> >> napisał >> w wiadomości news:EDBECA02-F6B2-486E-B90F-7ECC29DFC382@microsoft.com... >> > If you are using 2003 it is located at: >> > >> > User Configuration\Administrative Templates\Start Menu and >> > Taskbar\Remove >> > and prevent access to the Shut Down command >> > >> > This setting removes the Shut Down options from the Start menu and >> > disables >> > the Shut Down button on the Windows Security dialog box, which appears >> > when >> > you press CTRL+ALT+DEL. >> > >> > >> > -- >> > Patrick C. Rouse >> > Microsoft MVP - Terminal Server >> > SE, West Coast USA & Canada >> > Quest Software, Provision Networks Division >> > Virtual Client Solutions >> > http://www.provisionnetworks.com >> > >> > >> > "Soo Kuan Teo [MSFT]" wrote: >> > >> >> What is the Windows version of Terminal Services are you running? >> >> >> >> >> >> -- >> >> This posting is provided "AS IS" with no warranties, and confers no >> >> rights. >> >> >> >> "JBradshaw" <jbradsha@dphilneas.nnn> wrote in message >> >> news:9aKdnZWQXcpzXTDVnZ2dnUVZ_qfinZ2d@posted.internetamerica... >> >> >A previous admin created a GPO setting that removed the shutdown >> >> >option >> >> >from the start menu of machines in various OUs. >> >> > >> >> > I am trying to do some testing on a machine using RDP, and for some >> >> > reason, it, also, does not have a shut down option on the start >> >> > menu. >> >> > >> >> > I need to be able to shutdown via RDP. I have scoured our GPO >> >> > looking >> >> > for >> >> > where I can add this option. I have move the machine to its own OU >> >> > and >> >> > verified that User Configuration / Administrative Templates / Start >> >> > Menu >> >> > and Taskbar does NOT have the "Remove and Prevent Shut Down" option >> >> > enabled. I have also used gpedit on the local machine to set this >> >> > option >> >> > to Disabled. >> >> > >> >> > I have rebooted the machine, and I have run gpupdate. But there is >> >> > still >> >> > no shut down option on my start menu. >> >> > >> >> > What am I missing?! Thanks. >> >> > >> >> >> >> >>
Guest Vera Noest [MVP] Posted August 28, 2008 Posted August 28, 2008 Re: Log Off, Disconnect, but no Shutdown No, you can't differentiate in the GPO between remote or physical console logon. But since these people are administrators, they should be able to use the commandline on the console (in case you remove the shutdown option), or refrain from shutting down the server in a remote session (in case you don't remove it). If you are concerned about mistakingly shutting down the server, you could remove the option everywhere and create a bat file on the Administrators desktop with the command to shutdown/restart the server. Makes it available to them, but requires a deliberate act. _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net *----------- Please reply in newsgroup -------------* "Quch_IT" <quch_it@o2.pl> wrote on 28 aug 2008: > Thanks for answer but does it works if the users ("TS > Administrators") are the same users who are logging local and by > a terminal?
Guest Quch_IT Posted August 28, 2008 Posted August 28, 2008 Re: Log Off, Disconnect, but no Shutdown Exactly - I'm are concerned about mistakenly shutting down the server in local login. Bat file is nice solution :) Maybe it is possible to filter remote connection with WMI? -- Quch_IT U¿ytkownik "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> napisa³ w wiadomo¶ci news:Xns9B0879A64FF8Cveranoesthemutforsse@207.46.248.16... > No, you can't differentiate in the GPO between remote or physical > console logon. > But since these people are administrators, they should be able to use > the commandline on the console (in case you remove the shutdown > option), or refrain from shutting down the server in a remote session > (in case you don't remove it). > If you are concerned about mistakingly shutting down the server, you > could remove the option everywhere and create a bat file on the > Administrators desktop with the command to shutdown/restart the > server. Makes it available to them, but requires a deliberate act. > > _________________________________________________________ > Vera Noest > MCSE, CCEA, Microsoft MVP - Terminal Server > TS troubleshooting: http://ts.veranoest.net > *----------- Please reply in newsgroup -------------* > > "Quch_IT" <quch_it@o2.pl> wrote on 28 aug 2008: > >> Thanks for answer but does it works if the users ("TS >> Administrators") are the same users who are logging local and by >> a terminal?
Guest Vera Noest [MVP] Posted August 28, 2008 Posted August 28, 2008 Re: Log Off, Disconnect, but no Shutdown That might be possible, but I'm not sure. You could try to filter on console sessions, but I don't think that you will be able to differentiate between a logon on the physical console and a remote connection to the console session, with mstsc /console. _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net ___ please respond in newsgroup, NOT by private email ___ "Quch_IT" <quch_it@o2.pl> wrote on 28 aug 2008 in microsoft.public.windows.terminal_services: > Exactly - I'm are concerned about mistakenly shutting down the > server in local login. > Bat file is nice solution :) > Maybe it is possible to filter remote connection with WMI?
Guest Quch_IT Posted August 28, 2008 Posted August 28, 2008 Re: Log Off, Disconnect, but no Shutdown Ok so I will probably try the bat file solution ;) -- Quch_IT U¿ytkownik "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> napisa³ w wiadomo¶ci news:Xns9B08E18FE587Bveranoesthemutforsse@207.46.248.16... > That might be possible, but I'm not sure. You could try to filter on > console sessions, but I don't think that you will be able to > differentiate between a logon on the physical console and a remote > connection to the console session, with mstsc /console. > > _________________________________________________________ > Vera Noest > MCSE, CCEA, Microsoft MVP - Terminal Server > TS troubleshooting: http://ts.veranoest.net > ___ please respond in newsgroup, NOT by private email ___ > > "Quch_IT" <quch_it@o2.pl> wrote on 28 aug 2008 in > microsoft.public.windows.terminal_services: > >> Exactly - I'm are concerned about mistakenly shutting down the >> server in local login. >> Bat file is nice solution :) >> Maybe it is possible to filter remote connection with WMI? >
Guest Raghuram Raichooti Posted September 24, 2008 Posted September 24, 2008 Re: Log Off, Disconnect, but no Shutdown Thanks for the information. Can you please tell me how can i find the users using the Remote dektop and connected to my server and can i explicetly disconnect them from the server. if a person as unexpectdly used the Shutdown option and server got closed, can i find who was that. -- Raghuram Raichooti "Patrick Rouse" wrote: > The appropriate way to assign GPO settings to users "only" when they logon to > a Terminal Server is as follows: > > 1. Create an OU to contain a set of Terminal Servers > > 2. Block Policy Inheritance on the OU (Properties -> Group Policy). This > prevents settings from higher-up in AD from affecting your Terminal Servers. > > 3. Move the Terminal Server Computer Objects into the OU. Do NOT place User > Accounts in this OU. > > 3. Create an Active Directory Security Group called “Terminal Servers” (or > something similar that you’ll recognize) and add the Terminal Servers from > this OU to this group. > > 5. Create a GPO called “TS Machine Policy” linked to the OU > > 6. Check “Disable User Configuration settings” on the GPO > > 7. Enable Loopback Policy Processing in the GPO > > 8. Edit the Security of the Policy so Apply Policy is set for > “Authenticated Users” and the Security Group containing the Terminal Servers > > 9. Create additional GPOs linked to this OU for each user population, i.e. > “TS Users”, “TS Administrators”. > > 10. Check “Disable Computer Configuration settings” on these GPO > > 11. Edit the Security on these User Configuration GPOs so Apply Policy is > enabled for the target user population, and Deny Apply Policy is enabled for > user to which the policy should not apply. > > With GPOs configured this way the Machine Policy applies to everyone that > logs on to the Terminal Server (only the Computer Configuration Settings of > the Machine Policy are processed) in addition to the appropriate User > Configuration GPO (only the User Configuration portion of the GPO is > processed) for the target user population. > > > -- > Patrick C. Rouse > Microsoft MVP - Terminal Server > Systems Consultant > Quest Software, Provision Networks Division > Virtual Client Solutions > http://www.provisionnetworks.com > > > "Quch_IT" wrote: > > > Hi, I'm also looking for removing shutdown option in GPO. > > In my case I would like to have it disabled only if users connection is a > > terminal connection - in interactive logon it must be available to the same > > user. > > Are there any option beside applying it with WMI filter in 2k3/2k8?? > > > > -- > > > > Quch_IT. > > > > Użytkownik "Patrick Rouse" <PatrickRouse@discussions.microsoft.com> napisał > > w wiadomości news:EDBECA02-F6B2-486E-B90F-7ECC29DFC382@microsoft.com... > > > If you are using 2003 it is located at: > > > > > > User Configuration\Administrative Templates\Start Menu and Taskbar\Remove > > > and prevent access to the Shut Down command > > > > > > This setting removes the Shut Down options from the Start menu and > > > disables > > > the Shut Down button on the Windows Security dialog box, which appears > > > when > > > you press CTRL+ALT+DEL. > > > > > > > > > -- > > > Patrick C. Rouse > > > Microsoft MVP - Terminal Server > > > SE, West Coast USA & Canada > > > Quest Software, Provision Networks Division > > > Virtual Client Solutions > > > http://www.provisionnetworks.com > > > > > > > > > "Soo Kuan Teo [MSFT]" wrote: > > > > > >> What is the Windows version of Terminal Services are you running? > > >> > > >> > > >> -- > > >> This posting is provided "AS IS" with no warranties, and confers no > > >> rights. > > >> > > >> "JBradshaw" <jbradsha@dphilneas.nnn> wrote in message > > >> news:9aKdnZWQXcpzXTDVnZ2dnUVZ_qfinZ2d@posted.internetamerica... > > >> >A previous admin created a GPO setting that removed the shutdown option > > >> >from the start menu of machines in various OUs. > > >> > > > >> > I am trying to do some testing on a machine using RDP, and for some > > >> > reason, it, also, does not have a shut down option on the start menu. > > >> > > > >> > I need to be able to shutdown via RDP. I have scoured our GPO looking > > >> > for > > >> > where I can add this option. I have move the machine to its own OU and > > >> > verified that User Configuration / Administrative Templates / Start > > >> > Menu > > >> > and Taskbar does NOT have the "Remove and Prevent Shut Down" option > > >> > enabled. I have also used gpedit on the local machine to set this > > >> > option > > >> > to Disabled. > > >> > > > >> > I have rebooted the machine, and I have run gpupdate. But there is > > >> > still > > >> > no shut down option on my start menu. > > >> > > > >> > What am I missing?! Thanks. > > >> > > > >> > > >> > >
Guest Vera Noest [MVP] Posted September 24, 2008 Posted September 24, 2008 Re: Log Off, Disconnect, but no Shutdown You can see who is currently connected in TS Manager. You can see who has previously connected in the Security tab of the EventLog, provided that you have enabled auditing for logon and logoff events. The security log and system log will also show you who shutdown the server. _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net ___ please respond in newsgroup, NOT by private email ___ =?Utf-8?B?UmFnaHVyYW0gUmFpY2hvb3Rp?= <raghuramraichooti@newsgroups.nospam> wrote on 24 sep 2008 in microsoft.public.windows.terminal_services: > Thanks for the information. > > Can you please tell me how can i find the users using the Remote > dektop and connected to my server and can i explicetly > disconnect them from the server. > > if a person as unexpectdly used the Shutdown option and server > got closed, can i find who was that.
Recommended Posts