General discussion


Shutdown policy problem.

By bart777
We are experiencing some strange problems with our domain policies. Our XP users were unable to shut down their machines locally. It would let them log out and then they could hit shutdown after CTRL-ALT-DEL.

We attempted to add the Domain account for these users to the local administrator account of the XP desktops but they still cannot shut the machine down.

We put in a policy that allowed them to shut down the machines from the domain level. (User rights and assignments - Shut down the system) The problem now is that they can shut down our Citrix servers as well.

The Shutdown the machine remotely policy is VERY restrictive. There are only 5 users that this policy applies to.

How can I give these users the ability to shut down their desktops without letting them shut down my servers?
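The side effect described in this post (a domain-level "Shut down the system" grant also reaching the Citrix servers) can be checked per machine. The following is an added example, not part of the original thread: it parses user-rights exports, assumed to come from `secedit /export /cfg <file> /areas USER_RIGHTS`, and lists servers where a broad group holds `SeShutdownPrivilege`. The host names and the domain SID are constructed.

```python
import configparser

# Well-known broad principals; a domain SID ending in -513 is Domain Users.
BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
         "S-1-5-32-545": "Users"}

def holders(inf_text, right):
    """Return the SIDs/names granted `right` in a secedit export (as text)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep privilege names as written
    cp.read_string(inf_text)
    raw = cp.get("Privilege Rights", right, fallback="")
    return {e.strip().lstrip("*") for e in raw.split(",") if e.strip()}

def broad_holders(inf_text, right="SeShutdownPrivilege"):
    """Map each broad principal holding `right` to a readable name."""
    found = {}
    for sid in holders(inf_text, right):
        if sid in BROAD:
            found[sid] = BROAD[sid]
        elif sid.startswith("S-1-5-21-") and sid.endswith("-513"):
            found[sid] = "Domain Users"
    return found

def servers_at_risk(exports):
    """exports: {host: (role, inf_text)}. Servers any ordinary user can shut down."""
    return sorted(h for h, (role, inf) in exports.items()
                  if role == "server" and broad_holders(inf))

# --- Constructed sample data (real exports are UTF-16; decode them first) ---
DOMAIN_USERS = "S-1-5-21-1111111111-2222222222-3333333333-513"  # made-up domain

def sample(shutdown_sids):
    return ("[Unicode]\nUnicode=yes\n[Privilege Rights]\n"
            "SeShutdownPrivilege = " + ",".join("*" + s for s in shutdown_sids)
            + "\nSeRemoteShutdownPrivilege = *S-1-5-32-544\n"
            "[Version]\nsignature=\"$CHICAGO$\"\nRevision=1\n")

EXPORTS = {
    "XP-DESK-01": ("workstation", sample(["S-1-5-32-544", DOMAIN_USERS])),
    "CTX-01": ("server", sample(["S-1-5-32-544", DOMAIN_USERS])),
    "FILE-01": ("server", sample(["S-1-5-32-544"])),
}

if __name__ == "__main__":
    for host in servers_at_risk(EXPORTS):
        print(host, "grants shutdown to", broad_holders(EXPORTS[host][1]))
```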

by ctmoore1998 In reply to Shutdown policy problem.

Check your local machine security properties, and if these machines are members of the domain, check the domain security properties. Also check the shutdown system policy and ensure the users are permitted to shut the system down.

by bart777 In reply to

We already verified that.

by ewgny In reply to Shutdown policy problem.

User rights and assignments is not the place to adjust users' permissions to shut down a local PC. In fact, make sure you do not modify the default domain controller policy and the default domain policy. It is poor practice and screwing it up can cause much agony. Any policies that you create at that level should be added as a new policy.

Back to your shutdown problem: you have a conflict with your group policies. The place to make sure a user can shut down a PC is in administrative templates - windows components - start menu and taskbar, "remove and prevent access to the shutdown command". If you create a policy disabling this (which would give the user permission to shut down) and put that policy at the top of the list of group policies in the OU that contains your XP users, they should be able to shut down. Sounds like the conflicting policy may be a "local" group policy. You should avoid local group policies and use only AD based policies. Remember the local group policies apply to everybody, including the Admin.

Not to make the solution sound too simple though: once a user logs off, they can push the power button for a soft and safe power off, unless it's an old box, which I doubt since they are running XP. Also avoid making anyone administrator of their local PC - bad, bad security practice.

Now the solution if you want to restrict everybody from shutting down except your few XP users: go to your "no shutdown" Group Policy, and make sure the XP users group that you created does not have "read" and "apply group policy" permissions to the policy. Then the policy will apply to everyone except members of that group.

Good luck

by bart777 In reply to

Great ideas all, but we see the shutdown option. The Admin Template is disabled. The problem is that when they select shutdown they are only allowed to log off. Once they log off they can CTRL-ALT-DEL and shut down, but you know how users are. They think this is not acceptable. The odd part about this whole thing is that it works correctly on all my Win2k workstations. Thanks for the input.

by Curacao_Dejavu In reply to Shutdown policy problem.

Here are some links:
How to Lock Down a Windows 2000 Terminal Server Session

and just in case:


by bart777 In reply to Shutdown policy problem.

This question was closed by the author
