Edit Shutdown Menu 1

[NADIAZIPPER]

I have posted a few questions related to this and the answers I have received have helped greatly. Problem is my idea works, but it is not exactly what we want. So the absolute best way I see is to edit the drop down box that appears after choosing shut down from the start menu. Anyone ever try this? Anybody even know if it is possible?
For the most part it seems if there are multiple choices, then someone has found a way to edit the choices to their liking.

Thanks for any answers giving, they are most appreciated.

 

[BrainSurgery]

Why would you edit the options in the drop-down menu?
Is there a good reason for this?

 

[NADIAZIPPER]

We want to restrict shut down options. We would prefer only a log off or restart only. A group policy is only available on a per user basis and we need it on a per machine basis. So that a user who logs on to a desktop and a laptop will have different shutdown options. We would hate for someone to be able not to shut down a laptop.

 

[longlivegoku]

You can use a GPO to restrict per machine. Apply a GPO restricing the shutdown of the machine to an OU that the machine is in alone. I'm assuming here you are using Windows 2000 with AD. Anyone that logs onto that machine will then have all restrictions applied and won't affect them if they logon to another machine.

 

[NADIAZIPPER]

Do you know where it is located? I have not been able to find a gp to remove access to shut down under computer configuration. The other issue is we want users to be able to restart, just not shutdown completely. It is nice to have the machines turned on after hours to push out updates or install new programs when we need and not send sombody around to ensure all machines are on.

PS W2k with AD and all XP machines

 

[longlivegoku]

The option to turn off shutdown is under User Config/administrative temp/start menu and taskbar options. It will still allow restarts just not the ability to shut down.

 

[NADIAZIPPER]

The issue is that with roaming profiles that part of the registry is copied, so if a user logs on to a laptop the shutdown option will also removed. That is why GP hasn't been used. I tried to use the registry hack to do that but all portions of the users registry is copied with roaming profiles. We need to limit it to desktops only

 

[bcastner]

. use the GPO to remove shutdown
. Add to the laptops a shortcut to shutdown, either directly on the desktop as a shortcut to shutdown.exe, or with a third-party utility.

. create a shortcut on the desktop that has as its target: shutdown -s -t:0

. third-party choices:
The following are third party tools, but I like all of them:

http://www.slawdog.com/products/smartsd/

http://www.budja.com/shutdown/

 

[BrainSurgery]

I don´t really see the problem.

Put the computers that people should not be allowed to shut down in its own organizational unit.

Put other computers (laptops) in another organizational unit.

Solve this stuff with assigning a different group policy to each OU. Roaming profiles are not a problem here.

There is really no need for any third-party tools or programming to solve this.

You should do some study on GPO´s and how they work

 

[NADIAZIPPER]

Brainsurgery...you also need to study GPO's!!!!
Removing the shutdown button is a user GPO. So if the machines are in seperated OU's, which they are, it makes no difference, because it affects the user profile, which is copied reguardless what machine they use with roaming profiles. So no matter what machine they use the shutdown will be removed.

Bcaster
Thank you very much. I never thought about the shortcut on the desktop, they may work.

 

[BrainSurgery]

One step at a time:

Case:
I want to refuse users to shut down the system on all desktop computers, while allowing them to shut down the system on all laptop computers. I will also maintain other user-specific policies (eg roaming profiles, logon-scripts, Internet Explorer proxy settings, redirecting of the my documents folder bla bla ... )

Solution (pay attention this time):

Desktop_Computers_OU <- Place your desktop computers into this OU
Laptop_Computers_OU <- Place your laptop computers into this OU
Users_OU <- Place your users into this OU (The simplistic angle. Off course you can have N other OU´s to meet different demands in your company. Use function or geography or any other factor to put your domain users into their correct category)

That was the OU-structure. Now we move on to the policies:
Users_OU <- Create N policies (where N is any number) where you define all the user specific configurations that should follow your users wherever they log on in your domain. It could be a logon-script. It could be removing the access to the control panel. It could be pretty much everything.

Laptop_Computers_OU <- Create N policies (where N is any number) where you define all the computer specific configurations that should be applied to users that logs on to laptop computers. Maybe you want to have an audit policy that tracks the use of resources on these computers. Again it could be pretty much anything.
One setting should be set in this policy though: GPO -> Computer Configuration -> Administrative Templates -> System -> Group Policy -> User Group Policy loopback processing mode = Enabled (Mode = Merged). Shortly explained this setting will allow you to merge the GPO´s in your user OU with the one you defined in the computer OU.

Desktop_Computers_OU <- Create N policies (where N is any number) where you define all the computer specific configurations that should be applied to users that logs on to desktop computers. For the sake of simplicity, lets say you just want to assign a specific account lockout policy for those computers. In addition you change the following: GPO -> User Configuration -> Administrative templates -> Start Menu & Taskbar -> Disable and remove the Shut Down command = Enabled. One other setting should be set in this policy though: GPO -> Computer Configuration -> Administrative Templates -> System -> Group Policy -> User Group Policy loopback processing mode = Enabled (Mode = Merged). Shortly explained this setting will allow you to merge the GPO´s in your user OU with the one you defined in the computer OU. This way the remove shut down command policy will ONLY apply when logging on to any of the desktop computers.

Tested with:
2 test clients in each OU as described above, with some default GPO settings + the loopback directive enabled on the Computers_OU´s
Win2000 AD Server
Windows 2000 Fileserver for storing the roaming profile
1 Windows 2000 domain user (This user downloads his roaming profile from the fileserver when he logs on to different machines in the domain)

Guess what? It works!

Finally some reading material for you dude:

http://support.microsoft.com/default.aspx?scid=kb;en-us;322176

http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolicyintro.asp

http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp

http://www.microsoft.com/windows2000/techinfo/reskit/en-us/gp/34.asp?frame=true

 

[gpalmer711]

NADIAZIPPER,

I came across this today and remembered you, it would seem that the registry edit below is what you wanted if GPO was not for you.

Disable the Log Off and Turn Off Computer buttons

Do you support users who, regardless of what you tell them, insist on logging off or shutting down public computers in common areas? If so, you'll be glad to know that you can disable the Log Off and Turn Off Computer buttons on the Start menu.

Follow these steps:


Open the Registry Editor (Regedit.exe).
Navigate to HKEY_CURRENT_USER\SOFTWARE\Microsoft\ Windows\CurrentVersion\Policies\Explorer.
Right-click the Explorer key, and select New | DWORD value.
Name the value StartMenuLogoff, and press [Enter] twice to access the Edit DWORD Value dialog box.
Type 1 in the Value Data text box, and click OK.
Right-click the Explorer key, and select New | DWORD value.
Name the value NoClose, and press [Enter] twice to access the Edit DWORD Value dialog box.
Type 1 in the Value Data text box, and click OK.
Close the Registry Editor.

At this point, both the Log Off and Turn Off Computer buttons are still on the Start menu, so click the Log Off button and then log back on.

When you need to shut down the computer, launch the Registry Editor, and change the values to 0.

Note: Editing the registry is risky, so be sure you have a verified backup before making any changes.


Greg Palmer
Free Software for Adminstrators

http://www.palmersoft.co.uk