Re: Users should not shutdown or restart servers

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 01/24/05


Date: Mon, 24 Jan 2005 15:25:03 -0600

You need to make sure the "effective" security policy for the W2K servers
you want to restrict does not include users/authenticated users. For domain
controllers that user right is defined in Domain Controller Security Policy
which applies only to computers in the domain controllers container/OU. For
other domain computers you can configure it in their Local Security Policy
or at the domain/OU level if you are using such via a GPO for an OU.
Security policy is a subset of computer configuration under Windows
settings. On Windows 2000 computers if the local setting does not match the
"effective" setting then there is an overriding security policy at the
domain/OU level that you would need to configure to make it the desired
"effective" setting. Keep in mind that Group/security Policy is applied in
this order local>site>domain>OU>child OU where the last applied policy is
applied when a setting [such as user right] is defined in multiple policies.
The gpresult support tool can be very helpful in finding what GPOs are
applied to a computer/user. Group/security Policy applied at the domain/OU
level will not be applied until the next refresh of the policy. To speed
such up for W2K use secedit /refreshpolicy machine_policy /enforce first on
the domain controller and then on the domain computer where the new policy
is to be applied. --- Steve

"Bert Sierra" <bsierra@cableone.net> wrote in message
news:bsierra-23900E.11421224012005@corp.supernews.com...
>I am trying to prevent "Shut Down" from appearing in the Win2K Start
> menu for non-admin users of our Win2K servers. We have one server
> operating as the domain controller (#1), and the other operating as a
> backup (#2).
>
> I have looked at the Local Security Settings for server #2, and under
> "Security Settings > Local Policies > User Rights Assignment" I see the
> following enabled only for Administrators, Power Users, and Backup
> Operators:
>
> Force shutdown from a remote system:
> Administrators
>
> Shut down the system:
> Power Users, Backup Operators, Administrators
>
> For the sample user I am looking at, she is not part of any of the above
> groups: she is only part of "Domain Users", "Accounting" (which grants
> access to Accounting-related share points), and "termusers" (which
> grants access to Terminal Services-related share points). I don't
> understand why "Shut Down" is enabled for her account.
>
> I understand that there may be settings on the domain controller (#1)
> which override the local settings of server #2. How do I access the
> domain controller security settings? On server #1, I looked at "Start >
> Programs > Administrative Tools > Domain Controller Security Policy" and
> "... > Domain Security Policy" but could not understand what it was I
> was looking at.
>
> Any help would be appreciated.
>
>
> ----
> Bert Sierra, IT Manager + (928) 778-0170 x130
> Fann Contracting, Inc. + 1403 Industrial Way + Prescott, AZ 86301
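
The precedence rule described in the reply above (local, then site, domain, OU, child OU, with the last policy that defines a setting winning) can be checked offline. This is an added example, not part of the original thread: the function names are hypothetical, the policy text is constructed sample data in the security template `[Privilege Rights]` layout, and `SeShutdownPrivilege` is the constant behind "Shut down the system".

```python
# Added example (not from the thread): resolve the effective "Shut down the
# system" right (SeShutdownPrivilege) across policy layers, last definition wins.
BROAD_SIDS = {"*S-1-1-0": "Everyone", "*S-1-5-11": "Authenticated Users",
              "*S-1-5-32-545": "Users"}
BROAD_NAMES = {"everyone", "authenticated users", "users", "domain users"}

def parse_privilege_rights(inf_text):
    """Return {right: [principals]} from a template's [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def effective_right(layers, right="SeShutdownPrivilege"):
    """layers: (label, inf_text) pairs in application order. A layer that
    defines the right, even as an empty list, replaces every earlier layer."""
    winner, principals = None, None
    for label, text in layers:
        rights = parse_privilege_rights(text)
        if right in rights:
            winner, principals = label, rights[right]
    return winner, principals

def broad_principals(principals):
    """Names of catch-all groups present in a principal list."""
    found = []
    for p in principals or []:
        if p in BROAD_SIDS:
            found.append(BROAD_SIDS[p])
        elif p.split("\\")[-1].lower() in BROAD_NAMES:
            found.append(p)
    return found

# Constructed sample data, not taken from any real server.
LOCAL = "[Privilege Rights]\nSeShutdownPrivilege = Power Users,Backup Operators,Administrators\n"
DOMAIN = "[Privilege Rights]\nSeRemoteShutdownPrivilege = *S-1-5-32-544\n"
OU = "[Privilege Rights]\nSeShutdownPrivilege = *S-1-5-32-544,*S-1-5-11\n"
SAMPLE_LAYERS = [("local", LOCAL), ("domain", DOMAIN), ("OU: Servers", OU)]

if __name__ == "__main__":
    winner, principals = effective_right(SAMPLE_LAYERS)
    print(winner, principals, broad_principals(principals))
```

In the constructed data the local setting looks restrictive, but the OU layer defines the same right and so becomes the effective setting; the domain layer is skipped because it does not define that right at all.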


