Re: Users should not shutdown or restart servers

From: Julian Dragut (julianmd_at_groups.com)
Date: 01/29/05 

Date: Sat, 29 Jan 2005 17:47:54 -0500

Bert,

It's clear to me that you have a DC (srv#1) but the second I'm not sure if
it's DC as well.....
In any case, by default on the DC's plain users are not allowed to log on
locally, and the security policy (GP) should be addressed to the Domain
Controllers OU ( don't look at the local policy, it the first to be
bypassed )
In your case, the user is part of "termuser" which tells me that she
connects to the DC using TSClient, therefore she has log on locally "-:)"
If that's the case you may use TS settings to restrict users rights on the
server.
http://www.microsoft.com/technet/prodtechnol/win2kts/maintain/optimize/secw2kts.mspx
Hope it helps,
Julian Dragut

"Bert Sierra" <bsierra@cableone.net> wrote in message
news:bsierra-23900E.11421224012005@corp.supernews.com...
>I am trying to prevent "Shut Down" from appearing in the Win2K Start
> menu for non-admin users of our Win2K servers. We have one server
> operating as the domain controller (#1), and the other operating as a
> backup (#2).
>
> I have looked at the Local Security Settings for server #2, and under
> "Security Settings > Local Policies > User Rights Assignment" I see the
> following enabled only for Administrators, Power Users, and Backup
> Operators:
>
> Force shutdown from a remote system:
> Administrators
>
> Shut down the system:
> Power Users, Backup Operators, Administrators
>
> For the sample user I am looking at, she is not part of any of the above
> groups: she is only part of "Domain Users", "Accounting" (which grants
> access to Accounting-related share points), and "termusers" (which
> grants access to Terminal Services-related share points). I don't
> understand why "Shut Down" is enabled for her account.
>
> I understand that there may be settings on the domain controller (#1)
> which override the local settings of server #2. How do I access the
> domain controller security settings? On server #1, I looked at "Start >
> Programs > Administrative Tools > Domain Controller Security Policy" and
> "... > Domain Security Policy" but could not understand what it was I
> was looking at.
>
> Any help would be appreciated.
>
>
> ----
> Bert Sierra, IT Manager + (928) 778-0170 x130
> Fann Contracting, Inc. + 1403 Industrial Way + Prescott, AZ 86301

Relevant Pages

  • Re: Terminal server lockdown
    ... MCSE, CCEA, Microsoft MVP - Terminal Server ... the user settings in the terminal server's policy. ... the settings also apply to administrators that login to the ...
    (microsoft.public.windows.terminal_services)
  • Re: single start menu, desktop for everyone but administrator
    ... folder" part? ... These settings will apply to everyone. ... for Administrators only. ... MCSE, CCEA, Microsoft MVP - Terminal Server ...
    (microsoft.public.windows.terminal_services)
  • SSL and NNTP
    ... I am unable to read news from a server that uses SSL. ... administrators have confirmed that my settings are correct. ...
    (microsoft.public.mac.office.entourage)
  • RE: login and email problems
    ... Please carefully check settings required in my previous post and post the ... Install the RPC ping utility on the client computer and then open a command ... Microsoft CSS Online Newsgroup Support ... Leave the Default Gateway of the internal NIC blank of the server box. ...
    (microsoft.public.windows.server.sbs)
  • Re: Monitoring and Alerts
    ... Relay settings for Exchange SMTP Virtual Server: ... we pursue the performance alerts issue further. ... | Subject: Re: Monitoring and Alerts ...
    (microsoft.public.windows.server.sbs)