Microsoft Tech Community
SOLVED

Remote Desktop users have access to shutdown/restart, how to disable these?


Hi

I am learning Windows Server 2019 and I have a problem with RD:

I have a user (test_1) in an OU, and this user has access to Remote Desktop. Locally this user has access to the "Sign out" option only, but when using Remote Desktop this user has access to:

1. Disconnect

2. Shutdown

3. Restart

 

How can I disable the shutdown/restart options for remote users?

I tried these ways:

- applying a GPO to the related OU (...start menu and taskbar > enabling "remove and prevent access to the shutdown...)

- checking the "Member Of" tab of the user (test_1): the only groups are Domain Users and Remote Desktop Users

- Local group policy > local policy > user right assignments > the "shutdown the system" policy is unavailable

("The setting is not compatible with computers running Windows 2000 SP 1 or earlier.  Apply Group Policy Objects containing this setting only to computers running a later version of the operating system.")

 

 

19 Replies
best response confirmed by Mehrdad1993 (Copper Contributor)
Solution

 

Hi @Mehrdad1993,

 

I applied a group policy that includes only "Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands", which is under User Configuration in Group Policy Management.

 

Also, I set the policy under User Configuration, not under Computer Configuration.

 

You have to apply the policy to the OU which includes users, not computers.

 

 

[Screenshots: Group Policy; Other User Clicked to Power Button; Other User Clicked to User Button; Test User Clicked to Power Button; Test User Clicked to User Button]

 

 

 

 

 

 

I did it but I don't know how. This morning I applied too many domain and local group policies and now the shutdown button is gone, but now I can't bring it back :)))

I learned a new lesson: never apply multiple GPOs at once.

 

Hi @Mehrdad1993,

 

When applying different policies to the same OU, you must be careful that the policies don't overlap each other.

 

If your problem was solved, please don't forget to accept the answer as the best response.

 

Best Regards
Hasan Emre SATILMIŞ

Try running the command below and check whether the results are as expected.

gpresult /h C:\report.html

 

@hasanemresatilmis Note that this affects only the GUI options. The user can still shut down the system from the command line or a third-party application.

 

To prevent more resourceful users from shutting down the system, remove their right to do so. Still in gpedit.msc, go to Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment, edit the "Shut down the system" privilege and remove "Users" from the list.

 

Hi @Jan Ringoš,

 

Thanks for your addition. When this is added to the policy I mentioned earlier, the result will be as follows in the command prompt.

 

[Screenshot: TestUser - Shutdown.PNG]

 

@Mehrdad1993, is your problem completely solved?

 

 

I found the problem; it seems I had changed this policy:

Default Domain Controller Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Shut down the system

I added "everyone" and "users" to this policy and now users have access to shutdown and restart; after removing these two groups, users will lose access to the shutdown button.

This policy doesn't work with the gpupdate /force command and a server restart is needed.

Now it's time to try @hasanemresatilmis's solution.

Operation was successful :smile:

 

Thank you All.

 

Glad to hear, you're welcome.

 

(please don't forget to mark helpful replies)

 

 

 

 

Hi @Mehrdad1993,

 

I'm glad the problem is solved. You're welcome :)

Maybe I am missing something. I get that this prevents the user from shutting down the RDP server. But won't this setting also prevent them from shutting down their own (local) PC? Doesn't a user policy setting apply to the user on ALL computers where they log in?

Hi @mjm1231,

 

Same configuration for users via Group Policy.


User Configuration -> Policies -> Administrative Templates -> Start Menu and Taskbar -> Remove and prevent access to the Shut Down, Restart, Sleep and Hibernate commands. 

 

[Screenshot: 01.PNG]

@hasanemresatilmis 

Yes. This is the same instruction in the original post. I understand the intent is to prevent them from shutting down a computer they have accessed via RDP. But this does not answer my question.

 

My question is: How does a user affected by this policy shut down their own personal computer, where they are logged in locally? Wouldn't the same policy also prevent them from shutting down in that instance also?

Hi @mjm1231,

 

If you apply this policy via computer configuration only to an OU which includes only servers, client computers won't be affected by that policy. If your client computers and servers are in the same OU, you can use WMI filtering for Group Policy.

Open the Local Group Policy Editor: Start -> Run -> Enter gpedit.msc
Move to User Configuration/ Administrative Templates/ Start Menu and Taskbar
Enable “Remove and Prevent access to the Shut Down from Start Menu”

@hasanemresatilmis I think you are missing what @mjm1231 is asking, which is a side effect of this option that is not ideal for my users who work in and out of the office regularly. I do not want remote in to reboot when their Office apps do what they do best and "Not Respond"... It took me long enough to get everyone to reboot as a 1st level self-troubleshoot.

 

Power options on the Client computer are not the issue here, power options on the Host...when the user is logged in locally is the concern.  For instance, let's say you have users that are accessing their desktops which are on the domain (and their primary device) on RDP via VPN on a laptop (not on the domain) from home.  You wouldn't want the user to Shut Down their Desktop by mistake and not be able to access it remotely and require a physical intervention.  However if you make the change to either of the GPEdit.msc settings suggested above they do not have Power Options in the Start Menu when they return to their Domain Desktop and login locally.  You can't give them a script to autorun in command prompt as users are denied access as pointed out earlier.  I would think that there would be a Group Policy that you could push that only removes Shut Down options for Remote Desktop Users while connected to TS sessions.  I am going to look into this one and I'll report back if I find resolution.  Any input would be welcomed and appreciated.

Hi @LeatherHelpDesk,
Yes you're right. I couldn't understand @mjm1231's question before. But I understand now.

@mjm1231,
If you apply the policy to the OU where the Terminal servers are located and enable the Group Policy Loopback Processing Mode in the same policy, I think your problem will be solved.

You can enable Group Policy Loopback Processing Mode in the same policy from the Group Policy setting below.

Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure user Group Policy loopback processing mode

Merge: When selected, user policies linked to the computer OU will be applied along with the other user policies that are linked to the user OU. If there are any conflicting settings between policies, GPO will process them normally based on the link order.

Replace: When selected, user policies linked to the computer OU will override the other user policies that are linked to the user OU.
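
To check on a Remote Desktop host which accounts actually hold the "Shut down the system" right discussed in the replies above, and whether loopback processing is in effect there, the following audit script can be used. It is an added example, not posted by anyone in this thread; it assumes an elevated PowerShell session on the host, and the function names are made up for illustration.

```powershell
# Added example: audit an RDS host for two settings discussed in this thread.
# Assumes an elevated PowerShell session on the host; function names are illustrative.

# Well-known SIDs that are too broad to hold "Shut down the system" on a shared host.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-555' = 'BUILTIN\Remote Desktop Users'
}

function Get-ShutdownRightHolder {
    # Export only the user-rights area of the host's security settings.
    $tmp = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        $line = Get-Content $tmp | Where-Object { $_ -match '^SeShutdownPrivilege\s*=' }
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
    if (-not $line) { return }               # the right is assigned to nobody
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $id = $entry.Trim().TrimStart('*')   # SIDs are written as *S-1-...
        if (-not $id) { continue }
        $name = $id
        if ($id -like 'S-1-*') {
            try {
                $sid  = New-Object System.Security.Principal.SecurityIdentifier($id)
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { }                      # unresolvable SID: keep the raw value
        }
        [pscustomobject]@{
            Sid      = $id
            Account  = $name
            # RID 513 is the Domain Users group of any domain.
            TooBroad = $broad.ContainsKey($id) -or ($id -match '^S-1-5-21-.*-513$')
        }
    }
}

function Get-LoopbackMode {
    # Value written by "Configure user Group Policy loopback processing mode".
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $v = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    switch ($v) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not configured' } }
}

Get-ShutdownRightHolder | Format-Table -AutoSize
"Loopback processing mode: $(Get-LoopbackMode)"
```

Any row with TooBroad set to True means ordinary remote users can still shut the host down from the command line, even when the Start menu entries are hidden.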

@hasanemresatilmis I'm pretty sure this isn't the correct discussion for my problem but it was as close as I could find. My remote access problems are severe! So bad that almost every week I have to completely reinstall Windows because I'd lost all control over the computer. I've done everything on the internet trying to disable it, but I get the access denied pop-up when I try to disable the good stuff. Whoever or whatever is doing this has been doing this for almost a year. I've lost count of all the phones, computers, laptops, tablets I've gone through. Family members even got infected through a device of mine. It doesn't matter where I go or what device I use, Wi-Fi or mobile data or Ethernet. None of that matters. VAN's do nothing. Creating fake accounts does nothing. Even if I was able to stop the problem, would it not only be temporary? I've tried rooting phones to install custom firmware but that's not allowed. Whatever process I use gets completely shut down, usually at the final step. It's like NSA sh$t. Is this just gonna be how it is for me?

Thank you very much, solved perfectly.