Users should not shutdown or restart servers

From: Bert Sierra (bsierra_at_cableone.net)
Date: 01/24/05 

Date: Mon, 24 Jan 2005 11:42:13 -0700

I am trying to prevent "Shut Down" from appearing in the Win2K Start
menu for non-admin users of our Win2K servers. We have one server
operating as the domain controller (#1), and the other operating as a
backup (#2).

I have looked at the Local Security Settings for server #2, and under
"Security Settings > Local Policies > User Rights Assignment" I see the
following enabled only for Administrators, Power Users, and Backup
Operators:

Force shutdown from a remote system:
    Administrators

Shut down the system:
    Power Users, Backup Operators, Administrators

For the sample user I am looking at, she is not part of any of the above
groups: she is only part of "Domain Users", "Accounting" (which grants
access to Accounting-related share points), and "termusers" (which
grants access to Terminal Services-related share points). I don't
understand why "Shut Down" is enabled for her account.

I understand that there may be settings on the domain controller (#1)
which override the local settings of server #2. How do I access the
domain controller security settings? On server #1, I looked at "Start >
Programs > Administrative Tools > Domain Controller Security Policy" and
"... > Domain Security Policy" but could not understand what it was I
was looking at.

Any help would be appreciated. 

----
Bert Sierra, IT Manager  +  (928) 778-0170 x130
Fann Contracting, Inc.  +  1403 Industrial Way  +  Prescott, AZ  86301

Relevant Pages

  • Re: 1st DC in Small Domain Failed, _msdcs still points to 1st DC
    ... How to use Netdom.exe to reset machine account passwords of a Windows Server 2003 Domain Controller ... "Darius Sanders" wrote in message ... Active directory seems to be operating ...
    (microsoft.public.windows.server.active_directory)
  • Re: 1st DC in Small Domain Failed, _msdcs still points to 1st DC
    ... Darius Sanders ... Domain Controller ... How to use Netdom.exe to reset machine account passwords of a Windows Server ... Active directory seems to be operating ...
    (microsoft.public.windows.server.active_directory)
  • Re: MAC computer access windows server
    ... Make sure that you have compatible security settings [secpol.msc for Local ... and a Windows 2003 domain controller from my iMac but not my Windows 2003 ... domain controller and interestingly enough failed "logon" events using ntlm ... > cannot log on our server, if try on windows xp, everything is fine, if try ...
    (microsoft.public.windows.server.security)
  • Re: IIS FTP Logon
    ... You're asking to be hacked if you install FTP on a Domain Controller. ... Install FTP on a server that isn't so Vital and use local accounts only. ... > standalone server with minimal damage to security settings. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Client performance problem windows 2003 server...
    ... >Subject: Re: Client performance problem windows 2003 server... ... >Deploying Active Directory for Branch Office Environments ... >results from not having a domain controller in a particular site. ... incorrectly applied site coverage will be bad for clients ...
    (microsoft.public.windows.server.networking)