Remote Desktop and Shutdown button

[ksumner]

How can i make it so that regular users who connect to our TS are only allowed to logoff? I tried using a GP to remove the shutdown button from the start menu, but that affects administrators also (not an option). Any ideas?

Thanks!

k.SUMNER

 

[DTracy]

You can always overide the shutdown button with the power switch or the wall plug. Just a thought.

David.

 

[DTracy]

Oops, sorry, I misread the question. Please disregard my post.

Most sincerely,
David.

 

[monsterjta]

You can implement this with a Group Policy, and apply it to the Users OU. you can find the specific GPO under:

User Configuration -> Administrative Templates -> Start Menu and Task Bar -> Prevent changes to Taskbar and Start Menu Settings

Enable this.

I don't know why you would want to remove it from Admins as well. But, if you wish, you'll have to do this with security filtering. Simply add Domain Admins to the list. By default, admins are excluded from Apply Group Policy.

Hope This Helps,

Good Luck!

 

[monsterjta]

Actually, hold on! If this is just the TS box then I believe you'll have to implement loopback processing and apply it only to the TS box.

Too much to write here. Check out this link:

http://support.microsoft.com/kb/260370

Hope This Helps,

Good Luck!

 

[gmail2]

By default, admins are excluded from Apply Group Policy

Really? You sure? All our policies always apply to the Domain Admins group. If you want to exclude the settings from applying to the administrator account, you need to go into the Advanced Security Settings and explicitly DENY the Apply Group Policy permission to the Administrator account (or domain admins group). See below:

http://support.microsoft.com/?kbid=315675

Irish Poetry - Karen O'Connor
Get your Irish Poetry Published
Garten und Landschaftsbau

 

[monsterjta]

gmail2, you're right on that. I was thinking more in the context of creating OU's, and organizing users and computers in that fashion. While linking GPO's to these OU's, Domain Admins will not have the Apply Group Policy inherited by default (unlike Authenticated Users). You can see this by going into the GPO and viewing the security properties.

Thanks for the post. I didn't give a full explanation.

Hope This Helps,

Good Luck!

 

[monsterjta]

gmail2, my bad. I'm wrong. I guess I need to go back to the Group Policy 101 class.

Domain Admins will not have the Apply Group Policy inherited by default (unlike Authenticated Users)

Technically, this is true. But, of course, an admin is an authenticated user. Therefore, Apply will be inherited.

Thanks for the post. It's good to re-visit essentials every now and then.

 

[gmail2]

OK, I understand now what you were getting at - escentially what you're saying that if you've organised users into OU's then the administrator would not be subject to the same GPO's as the ordinary users as the administrator account would not fall within the scope of those GPO's.

Yea, I think you're right - sometimes you start to forget these things when you're not looking at the on a regular basis ... hapens to me too Although I think you're right, ksumner probably would have to implement loopback processing in order for this to work - so you wern't completely off track, eh !!!



Irish Poetry - Karen O'Connor
Get your Irish Poetry Published
Garten und Landschaftsbau

 

[wellerw]

just make sure they are not in the 'can shut down the system' group in the GPolicy.

 

[monsterjta]

The real truth as to why I initially said

Domain Admins will not have the Apply Group Policy inherited by default (unlike Authenticated Users)

is because, by my practice, by default I take the Authenticated Users out of the scope with security filtering. I only explicitly apply policies to admins if there's a necessity. Got to used to the sceme.

Would anyone suggest a better way?

Hope This Helps,

Good Luck!