Forum Discussion

Mehrdad1993's avatar
Mehrdad1993
Copper Contributor
Oct 23, 2020

Remote Desktop users have access to shutdown/restart, how disable these ?

Hi

I am learning windows server 2019 and i have a problem about RD:

i have a user (test_1) in an OU and this user have access to Remote Desktop, locally this user have access to "Sign out" option only but when using Remote Desktop this user have access to:

1. Disconnect

2. Shutdown

3. Restart

 

how can i disable shutdown/restart options for remote users ?

i tried this ways:

- apply a GPO to Related OU (...start menu and taskbar > enabling "remove and prevent access to the shutdown...)

- checking user (test_1) "Member Of tab" and the only groups are: Domain users and Remote desktop users

- Local group policy > local policy > user right assignments > shutdown the system policy is unavailable 

("The setting is not compatible with computers running Windows 2000 SP 1 or earlier.  Apply Group Policy Objects containing this setting only to computers running a later version of the operating system.")

 

 

  •  

    Hi Mehrdad1993,

     

    I applied a group policy includes only "Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands" is on User Configuration of Group Policy Management.

     

    Also I used the policy on User Configuration, didn't on Computer Configuration.

     

    You have to apply the policy to OU which includes users, not computers.

     

     

    Group Policy

    Other User Clicked to Power ButtonOther User Clicked to User ButtonTest User Clicked to Power ButtonTest User Clicked to User Button

     

     

     

     

     

     

  • Danishtj's avatar
    Danishtj
    Copper Contributor
    Open the Local Group Policy Editor: Start -> Run -> Enter gpedit.msc
    Move to User Configuration/ Administrative Templates/ Start Menu and Taskbar
    Enable “Remove and Prevent access to the Shut Down from Start Menu”
  • Try running below and check if results are as expected.

    gpresult /h C:\report.html

     

  •  

    Hi Mehrdad1993,

     

    I applied a group policy includes only "Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands" is on User Configuration of Group Policy Management.

     

    Also I used the policy on User Configuration, didn't on Computer Configuration.

     

    You have to apply the policy to OU which includes users, not computers.

     

     

    Group Policy

    Other User Clicked to Power ButtonOther User Clicked to User ButtonTest User Clicked to Power ButtonTest User Clicked to User Button

     

     

     

     

     

     

    • mjm1231's avatar
      mjm1231
      Copper Contributor
      Maybe I am missing something. I get that this prevents the user from shutting down the RDP server. But won't this setting also prevent them from shutting down their own (local) PC? Doesn't a user policy setting apply to the user on ALL computers where they login?
      • hasanemresatilmis's avatar
        hasanemresatilmis
        Iron Contributor

        Hi mjm1231,

         

        Same configuration for users via Group Policy.


        User Configuration -> Policies -> Administrative Templates -> Start Menu and Taskbar -> Remove and prevent access to the Shut Down, Restart, Sleep and Hibernate commands. 

         

    • JanRingos's avatar
      JanRingos
      Iron Contributor

      hasanemresatilmis Note that this affects only the GUI options. The user still can shutdown the system from command line or third-party application.

       

      To prevent more resourceful users from shutting down the system, remove their right to do so. Still in gpedit.msc, go to Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment, edit the "Shut down the system" privilege and remove "Users" from the list.

      • hasanemresatilmis's avatar
        hasanemresatilmis
        Iron Contributor

         

        Hi JanRingos,

         

        Thanks for your completion. When this is added to the policy I mentioned earlier, the result will be as follows in the command prompt.

         

         

        @Mehrdad1993, is your problem completely solved?

         

         

    • Mehrdad1993's avatar
      Mehrdad1993
      Copper Contributor
      i did it but i dont know how, morning i applied too many domain and local group policies and now shutdown button i gone but now i cant bring back it :)))

      i learned new lesson: never apply multiple GPO at once.
      • hasanemresatilmis's avatar
        hasanemresatilmis
        Iron Contributor

         

        Hi Mehrdad1993,

         

        When applying different policies to the same OU, you must be careful that the policies don't overlap each other.

         

        If your problem was solved, please don't remember accept the answer as the best response.

         

        Best Regards
        Hasan Emre SATILMIŞ

Resources