Hello,

I've been looking at Group Policy settings to make it so that users do not
have the option to shut down the Terminal Server but administrators do.
Could anyone let me know exactly how to set that up? So far everything I've
tried has resulted in both administrators and users not having the 'shut
down' command visible next to the 'log off' command. Thank you.

Have you tried to configure "Deny" to the right to "Apply this
policy" for Administrators?

315675 - HOW TO: Keep Domain Group Policies from Applying to
Administrator Accounts and Selected Users in Windows 2000
http://support.microsoft.com/?kbid=315675

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---

"=?Utf-8?B?QUpXUw==?=" <(E-Mail Removed)> wrote on
18 okt 2004 in microsoft.public.win2000.termserv.apps:

> Hello,
>
> I've been looking at Group Policy settings to make it so that
> users do not have the option to shut down the Terminal Server
> but administrators do. Could anyone let me know exactly how to
> set that up? So far everything I've tried has resulted in both
> administrators and users not having the 'shut down' command
> visible next to the 'log off' command. Thank you.

Hello,

Thanks for the quick reply!

I checked out that article and got part of the way there, but we're running
Windows Server 2003 (couldn't find the newsgroup for that and Terminal
Services although I tried) and the Terminal Server doesn't have Active
Directory installed. The domain controller does, but it's a separate server.
Should Active Directory be installed on the Terminal Server in order for
those changes to be made possible?

Thank you!



"Vera Noest [MVP]" wrote:

> Have you tried to configure "Deny" to the right to "Apply this
> policy" for Administrators?
>
> 315675 - HOW TO: Keep Domain Group Policies from Applying to
> Administrator Accounts and Selected Users in Windows 2000
> http://support.microsoft.com/?kbid=315675
>
> --
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> http://hem.fyristorg.com/vera/IT
> --- please respond in newsgroup, NOT by private email ---
>
> "=?Utf-8?B?QUpXUw==?=" <(E-Mail Removed)> wrote on
> 18 okt 2004 in microsoft.public.win2000.termserv.apps:
>
> > Hello,
> >
> > I've been looking at Group Policy settings to make it so that
> > users do not have the option to shut down the Terminal Server
> > but administrators do. Could anyone let me know exactly how to
> > set that up? So far everything I've tried has resulted in both
> > administrators and users not having the 'shut down' command
> > visible next to the 'log off' command. Thank you.
>

No, it should work if your Terminal server is a member of a domain
(not a standalone server in a workgroup).

Why doesn't this work for you? You do see the Security tab under
the properties of the GPO, do you? What exactly is the problem in
applying this?

Regarding newsgroups: there is no newsgroup especially for 2003
TS. Microsoft tries to get rid of the OS-specific newsgroups. The
TS newsgroup with the most traffic nowadays is
microsoft.public.windows.terminal_services, but it's no big deal
where you post.

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---

"=?Utf-8?B?QUpXUw==?=" <(E-Mail Removed)> wrote on
19 okt 2004 in microsoft.public.win2000.termserv.apps:

> Hello,
>
> Thanks for the quick reply!
>
> I checked out that article and got part of the way there, but
> we're running Windows Server 2003 (couldn't find the newsgroup
> for that and Terminal Services although I tried) and the
> Terminal Server doesn't have Active Directory installed. The
> domain controller does, but it's a separate server.
> Should Active Directory be installed on the Terminal Server in
> order for
> those changes to be made possible?
>
> Thank you!
>
>
>
> "Vera Noest [MVP]" wrote:
>
>> Have you tried to configure "Deny" to the right to "Apply this
>> policy" for Administrators?
>>
>> 315675 - HOW TO: Keep Domain Group Policies from Applying to
>> Administrator Accounts and Selected Users in Windows 2000
>> http://support.microsoft.com/?kbid=315675
>>
>> --
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> http://hem.fyristorg.com/vera/IT
>> --- please respond in newsgroup, NOT by private email ---
>>
>> "=?Utf-8?B?QUpXUw==?=" <(E-Mail Removed)> wrote
>> on 18 okt 2004 in microsoft.public.win2000.termserv.apps:
>>
>> > Hello,
>> >
>> > I've been looking at Group Policy settings to make it so that
>> > users do not have the option to shut down the Terminal Server
>> > but administrators do. Could anyone let me know exactly how
>> > to set that up? So far everything I've tried has resulted in
>> > both administrators and users not having the 'shut down'
>> > command visible next to the 'log off' command. Thank you.

Hi again,

Ok, then there must be something missing. The reason I ask about AD is
because when following the directions in KB315675 it says I should get to
Group Policy from AD. I go to Start, Programs and then Administrative Tools
but Active Directory Users & Computers doesn't show up at all. This Terminal
Server is joined to a domain.

I can get to Group Policy when reviewing next steps for the Terminal Server
and then configuring server settings, but I don't seem to be able to get
Properties on a group policy object. That's about where I'm stuck.

Thanks for the clarification on the OS/newsgroups thing --



"Vera Noest [MVP]" wrote:

> No, it should work if your Terminal server is a member of a domain
> (not a standalone server in a workgroup).
>
> Why doesn't this work for you? You do see the Security tab under
> the properties of the GPO, do you? What exactly is the problem in
> applying this?
>
> Regarding newsgroups: there is no newsgroup especially for 2003
> TS. Microsoft tries to get rid of the OS-specific newsgroups. The
> TS newsgroup with the most traffic nowadays is
> microsoft.public.windows.terminal_services, but it's no big deal
> where you post.
>
> --
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> http://hem.fyristorg.com/vera/IT
> --- please respond in newsgroup, NOT by private email ---
>
> "=?Utf-8?B?QUpXUw==?=" <(E-Mail Removed)> wrote on
> 19 okt 2004 in microsoft.public.win2000.termserv.apps:
>
> > Hello,
> >
> > Thanks for the quick reply!
> >
> > I checked out that article and got part of the way there, but
> > we're running Windows Server 2003 (couldn't find the newsgroup
> > for that and Terminal Services although I tried) and the
> > Terminal Server doesn't have Active Directory installed. The
> > domain controller does, but it's a separate server.
> > Should Active Directory be installed on the Terminal Server in
> > order for
> > those changes to be made possible?
> >
> > Thank you!
> >
> >
> >
> > "Vera Noest [MVP]" wrote:
> >
> >> Have you tried to configure "Deny" to the right to "Apply this
> >> policy" for Administrators?
> >>
> >> 315675 - HOW TO: Keep Domain Group Policies from Applying to
> >> Administrator Accounts and Selected Users in Windows 2000
> >> http://support.microsoft.com/?kbid=315675
> >>
> >> --
> >> Vera Noest
> >> MCSE, CCEA, Microsoft MVP - Terminal Server
> >> http://hem.fyristorg.com/vera/IT
> >> --- please respond in newsgroup, NOT by private email ---
> >>
> >> "=?Utf-8?B?QUpXUw==?=" <(E-Mail Removed)> wrote
> >> on 18 okt 2004 in microsoft.public.win2000.termserv.apps:
> >>
> >> > Hello,
> >> >
> >> > I've been looking at Group Policy settings to make it so that
> >> > users do not have the option to shut down the Terminal Server
> >> > but administrators do. Could anyone let me know exactly how
> >> > to set that up? So far everything I've tried has resulted in
> >> > both administrators and users not having the 'shut down'
> >> > command visible next to the 'log off' command. Thank you.
>

Have you tried to configure the GPO from a different server in the
domain, maybe the DC? Does it work then?

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---

"=?Utf-8?B?QUpXUw==?=" <(E-Mail Removed)> wrote on
19 okt 2004 in microsoft.public.win2000.termserv.apps:

> Hi again,
>
> Ok, then there must be something missing. The reason I ask
> about AD is because when following the directions in KB315675 it
> says I should get to Group Policy from AD. I go to Start,
> Programs and then Administrative Tools but Active Directory
> Users & Computers doesn't show up at all. This Terminal Server
> is joined to a domain.
>
> I can get to Group Policy when reviewing next steps for the
> Terminal Server and then configuring server settings, but I
> don't seem to be able to get Properties on a group policy
> object. That's about where I'm stuck.
>
> Thanks for the clarification on the OS/newsgroups thing --
>
>
>
> "Vera Noest [MVP]" wrote:
>
>> No, it should work if your Terminal server is a member of a
>> domain (not a standalone server in a workgroup).
>>
>> Why doesn't this work for you? You do see the Security tab
>> under the properties of the GPO, do you? What exactly is the
>> problem in applying this?
>>
>> Regarding newsgroups: there is no newsgroup especially for 2003
>> TS. Microsoft tries to get rid of the OS-specific newsgroups.
>> The TS newsgroup with the most traffic nowadays is
>> microsoft.public.windows.terminal_services, but it's no big
>> deal where you post.
>>
>> --
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> http://hem.fyristorg.com/vera/IT
>> --- please respond in newsgroup, NOT by private email ---
>>
>> "=?Utf-8?B?QUpXUw==?=" <(E-Mail Removed)> wrote
>> on 19 okt 2004 in microsoft.public.win2000.termserv.apps:
>>
>> > Hello,
>> >
>> > Thanks for the quick reply!
>> >
>> > I checked out that article and got part of the way there, but
>> > we're running Windows Server 2003 (couldn't find the
>> > newsgroup for that and Terminal Services although I tried)
>> > and the Terminal Server doesn't have Active Directory
>> > installed. The domain controller does, but it's a separate
>> > server.
>> > Should Active Directory be installed on the Terminal Server
>> > in order for
>> > those changes to be made possible?
>> >
>> > Thank you!
>> >
>> >
>> >
>> > "Vera Noest [MVP]" wrote:
>> >
>> >> Have you tried to configure "Deny" to the right to "Apply
>> >> this policy" for Administrators?
>> >>
>> >> 315675 - HOW TO: Keep Domain Group Policies from Applying to
>> >> Administrator Accounts and Selected Users in Windows 2000
>> >> http://support.microsoft.com/?kbid=315675
>> >>
>> >> --
>> >> Vera Noest
>> >> MCSE, CCEA, Microsoft MVP - Terminal Server
>> >> http://hem.fyristorg.com/vera/IT
>> >> --- please respond in newsgroup, NOT by private email ---
>> >>
>> >> "=?Utf-8?B?QUpXUw==?=" <(E-Mail Removed)>
>> >> wrote on 18 okt 2004 in
>> >> microsoft.public.win2000.termserv.apps:
>> >>
>> >> > Hello,
>> >> >
>> >> > I've been looking at Group Policy settings to make it so
>> >> > that users do not have the option to shut down the
>> >> > Terminal Server but administrators do. Could anyone let
>> >> > me know exactly how to set that up? So far everything
>> >> > I've tried has resulted in both administrators and users
>> >> > not having the 'shut down' command visible next to the
>> >> > 'log off' command. Thank you.

Actually, think I may have found the solution just now and it has partly to
do with that. Found KB816100 which is specific to Server 2003 (although not
all that different). I did as you said, edited the GPO from a domain
controller and, using the instructions in KB292655, set it to Deny
application of the Group Policy to Domain admins.

Then created a custom.mmc on the Terminal Server, adding the Group Policy
snap-in. I set it to edit the Default Domain Policy rather than a local
policy.

From there I went to Users Configuration, Administrative Templates, Start
Menu and Taskbar, and from there enabled 'Remove and Prevent Access to the
Shutdown Command".

Now I see I probably could have made those changes to the GPO from the
Terminal Server at the beginning if I'd done it via snap-in on the MMC in the
first place. I tested to see if this all works by logging in as a regular
user (no shutdown command available) and then as an admin (shutdown
available), so it seems to be working. Thanks for the tips! They helped a
lot.



"Vera Noest [MVP]" wrote:

> Have you tried to configure the GPO from a different server in the
> domain, maybe the DC? Does it work then?
>
> --
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> http://hem.fyristorg.com/vera/IT
> --- please respond in newsgroup, NOT by private email ---
>
> "=?Utf-8?B?QUpXUw==?=" <(E-Mail Removed)> wrote on
> 19 okt 2004 in microsoft.public.win2000.termserv.apps:
>
> > Hi again,
> >
> > Ok, then there must be something missing. The reason I ask
> > about AD is because when following the directions in KB315675 it
> > says I should get to Group Policy from AD. I go to Start,
> > Programs and then Administrative Tools but Active Directory
> > Users & Computers doesn't show up at all. This Terminal Server
> > is joined to a domain.
> >
> > I can get to Group Policy when reviewing next steps for the
> > Terminal Server and then configuring server settings, but I
> > don't seem to be able to get Properties on a group policy
> > object. That's about where I'm stuck.
> >
> > Thanks for the clarification on the OS/newsgroups thing --
> >
> >
> >
> > "Vera Noest [MVP]" wrote:
> >
> >> No, it should work if your Terminal server is a member of a
> >> domain (not a standalone server in a workgroup).
> >>
> >> Why doesn't this work for you? You do see the Security tab
> >> under the properties of the GPO, do you? What exactly is the
> >> problem in applying this?
> >>
> >> Regarding newsgroups: there is no newsgroup especially for 2003
> >> TS. Microsoft tries to get rid of the OS-specific newsgroups.
> >> The TS newsgroup with the most traffic nowadays is
> >> microsoft.public.windows.terminal_services, but it's no big
> >> deal where you post.
> >>
> >> --
> >> Vera Noest
> >> MCSE, CCEA, Microsoft MVP - Terminal Server
> >> http://hem.fyristorg.com/vera/IT
> >> --- please respond in newsgroup, NOT by private email ---
> >>
> >> "=?Utf-8?B?QUpXUw==?=" <(E-Mail Removed)> wrote
> >> on 19 okt 2004 in microsoft.public.win2000.termserv.apps:
> >>
> >> > Hello,
> >> >
> >> > Thanks for the quick reply!
> >> >
> >> > I checked out that article and got part of the way there, but
> >> > we're running Windows Server 2003 (couldn't find the
> >> > newsgroup for that and Terminal Services although I tried)
> >> > and the Terminal Server doesn't have Active Directory
> >> > installed. The domain controller does, but it's a separate
> >> > server.
> >> > Should Active Directory be installed on the Terminal Server
> >> > in order for
> >> > those changes to be made possible?
> >> >
> >> > Thank you!
> >> >
> >> >
> >> >
> >> > "Vera Noest [MVP]" wrote:
> >> >
> >> >> Have you tried to configure "Deny" to the right to "Apply
> >> >> this policy" for Administrators?
> >> >>
> >> >> 315675 - HOW TO: Keep Domain Group Policies from Applying to
> >> >> Administrator Accounts and Selected Users in Windows 2000
> >> >> http://support.microsoft.com/?kbid=315675
> >> >>
> >> >> --
> >> >> Vera Noest
> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server
> >> >> http://hem.fyristorg.com/vera/IT
> >> >> --- please respond in newsgroup, NOT by private email ---
> >> >>
> >> >> "=?Utf-8?B?QUpXUw==?=" <(E-Mail Removed)>
> >> >> wrote on 18 okt 2004 in
> >> >> microsoft.public.win2000.termserv.apps:
> >> >>
> >> >> > Hello,
> >> >> >
> >> >> > I've been looking at Group Policy settings to make it so
> >> >> > that users do not have the option to shut down the
> >> >> > Terminal Server but administrators do. Could anyone let
> >> >> > me know exactly how to set that up? So far everything
> >> >> > I've tried has resulted in both administrators and users
> >> >> > not having the 'shut down' command visible next to the
> >> >> > 'log off' command. Thank you.
>
>

OK, I'm glad you solved it, and thanks for reporting back here!
I'll add KB 816100 to my website, might help someone else as well.

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---

"=?Utf-8?B?QUpXUw==?=" <(E-Mail Removed)> wrote on
20 okt 2004 in microsoft.public.win2000.termserv.apps:

> Actually, think I may have found the solution just now and it
> has partly to do with that. Found KB816100 which is specific to
> Server 2003 (although not all that different). I did as you
> said, edited the GPO from a domain controller and, using the
> instructions in KB292655, set it to Deny application of the
> Group Policy to Domain admins.
>
> Then created a custom.mmc on the Terminal Server, adding the
> Group Policy snap-in. I set it to edit the Default Domain
> Policy rather than a local policy.
>
> From there I went to Users Configuration, Administrative
> Templates, Start Menu and Taskbar, and from there enabled
> 'Remove and Prevent Access to the Shutdown Command".
>
> Now I see I probably could have made those changes to the GPO
> from the Terminal Server at the beginning if I'd done it via
> snap-in on the MMC in the first place. I tested to see if this
> all works by logging in as a regular user (no shutdown command
> available) and then as an admin (shutdown available), so it
> seems to be working. Thanks for the tips! They helped a lot.
>
>
>
> "Vera Noest [MVP]" wrote:
>
>> Have you tried to configure the GPO from a different server in
>> the domain, maybe the DC? Does it work then?
>>
>> --
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> http://hem.fyristorg.com/vera/IT
>> --- please respond in newsgroup, NOT by private email ---
>>
>> "=?Utf-8?B?QUpXUw==?=" <(E-Mail Removed)> wrote
>> on 19 okt 2004 in microsoft.public.win2000.termserv.apps:
>>
>> > Hi again,
>> >
>> > Ok, then there must be something missing. The reason I ask
>> > about AD is because when following the directions in KB315675
>> > it says I should get to Group Policy from AD. I go to Start,
>> > Programs and then Administrative Tools but Active Directory
>> > Users & Computers doesn't show up at all. This Terminal
>> > Server is joined to a domain.
>> >
>> > I can get to Group Policy when reviewing next steps for the
>> > Terminal Server and then configuring server settings, but I
>> > don't seem to be able to get Properties on a group policy
>> > object. That's about where I'm stuck.
>> >
>> > Thanks for the clarification on the OS/newsgroups thing --
>> >
>> >
>> >
>> > "Vera Noest [MVP]" wrote:
>> >
>> >> No, it should work if your Terminal server is a member of a
>> >> domain (not a standalone server in a workgroup).
>> >>
>> >> Why doesn't this work for you? You do see the Security tab
>> >> under the properties of the GPO, do you? What exactly is the
>> >> problem in applying this?
>> >>
>> >> Regarding newsgroups: there is no newsgroup especially for
>> >> 2003 TS. Microsoft tries to get rid of the OS-specific
>> >> newsgroups. The TS newsgroup with the most traffic nowadays
>> >> is microsoft.public.windows.terminal_services, but it's no
>> >> big deal where you post.
>> >>
>> >> --
>> >> Vera Noest
>> >> MCSE, CCEA, Microsoft MVP - Terminal Server
>> >> http://hem.fyristorg.com/vera/IT
>> >> --- please respond in newsgroup, NOT by private email ---
>> >>
>> >> "=?Utf-8?B?QUpXUw==?=" <(E-Mail Removed)>
>> >> wrote on 19 okt 2004 in
>> >> microsoft.public.win2000.termserv.apps:
>> >>
>> >> > Hello,
>> >> >
>> >> > Thanks for the quick reply!
>> >> >
>> >> > I checked out that article and got part of the way there,
>> >> > but we're running Windows Server 2003 (couldn't find the
>> >> > newsgroup for that and Terminal Services although I tried)
>> >> > and the Terminal Server doesn't have Active Directory
>> >> > installed. The domain controller does, but it's a
>> >> > separate server.
>> >> > Should Active Directory be installed on the Terminal
>> >> > Server in order for
>> >> > those changes to be made possible?
>> >> >
>> >> > Thank you!
>> >> >
>> >> >
>> >> >
>> >> > "Vera Noest [MVP]" wrote:
>> >> >
>> >> >> Have you tried to configure "Deny" to the right to "Apply
>> >> >> this policy" for Administrators?
>> >> >>
>> >> >> 315675 - HOW TO: Keep Domain Group Policies from Applying
>> >> >> to Administrator Accounts and Selected Users in Windows
>> >> >> 2000 http://support.microsoft.com/?kbid=315675
>> >> >>
>> >> >> --
>> >> >> Vera Noest
>> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server
>> >> >> http://hem.fyristorg.com/vera/IT
>> >> >> --- please respond in newsgroup, NOT by private email
>> >> >> ---
>> >> >>
>> >> >> "=?Utf-8?B?QUpXUw==?=" <(E-Mail Removed)>
>> >> >> wrote on 18 okt 2004 in
>> >> >> microsoft.public.win2000.termserv.apps:
>> >> >>
>> >> >> > Hello,
>> >> >> >
>> >> >> > I've been looking at Group Policy settings to make it
>> >> >> > so that users do not have the option to shut down the
>> >> >> > Terminal Server but administrators do. Could anyone
>> >> >> > let me know exactly how to set that up? So far
>> >> >> > everything I've tried has resulted in both
>> >> >> > administrators and users not having the 'shut down'
>> >> >> > command visible next to the 'log off' command. Thank
>> >> >> > you.

Hi Vera,

Thank you. Unfortunately, something slightly unexpected happened (although
I wondered if this might happen): the changes propagated throughout the
domain, so everyone's computer lost its shutdown button. Whoops! I thought
that might happened if I configured the domain policy.

I added a snap-in for GPO to the MMC, this time for Local Computer Policy
rather than Default Domain Policy, hoping I could make the same changes as
before, just to the local computer, and have them work. If I get Properties
on Default Domain Policy it does have a Security tab where I can specify
permissions on applying Group Policy, but when I go to Local Computer Policy
and get Properties there is no Security tab, just a General tab. Any ideas
on what I could do to get it working correctly (i.e. make sure Group Policy
does not apply to Administrators on the local machine/Terminal Server)?

Thank you!


"Vera Noest [MVP]" wrote:

> OK, I'm glad you solved it, and thanks for reporting back here!
> I'll add KB 816100 to my website, might help someone else as well.
>
> --
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> http://hem.fyristorg.com/vera/IT
> --- please respond in newsgroup, NOT by private email ---
>
> "=?Utf-8?B?QUpXUw==?=" <(E-Mail Removed)> wrote on
> 20 okt 2004 in microsoft.public.win2000.termserv.apps:
>
> > Actually, think I may have found the solution just now and it
> > has partly to do with that. Found KB816100 which is specific to
> > Server 2003 (although not all that different). I did as you
> > said, edited the GPO from a domain controller and, using the
> > instructions in KB292655, set it to Deny application of the
> > Group Policy to Domain admins.
> >
> > Then created a custom.mmc on the Terminal Server, adding the
> > Group Policy snap-in. I set it to edit the Default Domain
> > Policy rather than a local policy.
> >
> > From there I went to Users Configuration, Administrative
> > Templates, Start Menu and Taskbar, and from there enabled
> > 'Remove and Prevent Access to the Shutdown Command".
> >
> > Now I see I probably could have made those changes to the GPO
> > from the Terminal Server at the beginning if I'd done it via
> > snap-in on the MMC in the first place. I tested to see if this
> > all works by logging in as a regular user (no shutdown command
> > available) and then as an admin (shutdown available), so it
> > seems to be working. Thanks for the tips! They helped a lot.
> >
> >
> >
> > "Vera Noest [MVP]" wrote:
> >
> >> Have you tried to configure the GPO from a different server in
> >> the domain, maybe the DC? Does it work then?
> >>
> >> --
> >> Vera Noest
> >> MCSE, CCEA, Microsoft MVP - Terminal Server
> >> http://hem.fyristorg.com/vera/IT
> >> --- please respond in newsgroup, NOT by private email ---
> >>
> >> "=?Utf-8?B?QUpXUw==?=" <(E-Mail Removed)> wrote
> >> on 19 okt 2004 in microsoft.public.win2000.termserv.apps:
> >>
> >> > Hi again,
> >> >
> >> > Ok, then there must be something missing. The reason I ask
> >> > about AD is because when following the directions in KB315675
> >> > it says I should get to Group Policy from AD. I go to Start,
> >> > Programs and then Administrative Tools but Active Directory
> >> > Users & Computers doesn't show up at all. This Terminal
> >> > Server is joined to a domain.
> >> >
> >> > I can get to Group Policy when reviewing next steps for the
> >> > Terminal Server and then configuring server settings, but I
> >> > don't seem to be able to get Properties on a group policy
> >> > object. That's about where I'm stuck.
> >> >
> >> > Thanks for the clarification on the OS/newsgroups thing --
> >> >
> >> >
> >> >
> >> > "Vera Noest [MVP]" wrote:
> >> >
> >> >> No, it should work if your Terminal server is a member of a
> >> >> domain (not a standalone server in a workgroup).
> >> >>
> >> >> Why doesn't this work for you? You do see the Security tab
> >> >> under the properties of the GPO, do you? What exactly is the
> >> >> problem in applying this?
> >> >>
> >> >> Regarding newsgroups: there is no newsgroup especially for
> >> >> 2003 TS. Microsoft tries to get rid of the OS-specific
> >> >> newsgroups. The TS newsgroup with the most traffic nowadays
> >> >> is microsoft.public.windows.terminal_services, but it's no
> >> >> big deal where you post.
> >> >>
> >> >> --
> >> >> Vera Noest
> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server
> >> >> http://hem.fyristorg.com/vera/IT
> >> >> --- please respond in newsgroup, NOT by private email ---
> >> >>
> >> >> "=?Utf-8?B?QUpXUw==?=" <(E-Mail Removed)>
> >> >> wrote on 19 okt 2004 in
> >> >> microsoft.public.win2000.termserv.apps:
> >> >>
> >> >> > Hello,
> >> >> >
> >> >> > Thanks for the quick reply!
> >> >> >
> >> >> > I checked out that article and got part of the way there,
> >> >> > but we're running Windows Server 2003 (couldn't find the
> >> >> > newsgroup for that and Terminal Services although I tried)
> >> >> > and the Terminal Server doesn't have Active Directory
> >> >> > installed. The domain controller does, but it's a
> >> >> > separate server.
> >> >> > Should Active Directory be installed on the Terminal
> >> >> > Server in order for
> >> >> > those changes to be made possible?
> >> >> >
> >> >> > Thank you!
> >> >> >
> >> >> >
> >> >> >
> >> >> > "Vera Noest [MVP]" wrote:
> >> >> >
> >> >> >> Have you tried to configure "Deny" to the right to "Apply
> >> >> >> this policy" for Administrators?
> >> >> >>
> >> >> >> 315675 - HOW TO: Keep Domain Group Policies from Applying
> >> >> >> to Administrator Accounts and Selected Users in Windows
> >> >> >> 2000 http://support.microsoft.com/?kbid=315675
> >> >> >>
> >> >> >> --
> >> >> >> Vera Noest
> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server
> >> >> >> http://hem.fyristorg.com/vera/IT
> >> >> >> --- please respond in newsgroup, NOT by private email
> >> >> >> ---
> >> >> >>
> >> >> >> "=?Utf-8?B?QUpXUw==?=" <(E-Mail Removed)>
> >> >> >> wrote on 18 okt 2004 in
> >> >> >> microsoft.public.win2000.termserv.apps:
> >> >> >>
> >> >> >> > Hello,
> >> >> >> >
> >> >> >> > I've been looking at Group Policy settings to make it
> >> >> >> > so that users do not have the option to shut down the
> >> >> >> > Terminal Server but administrators do. Could anyone
> >> >> >> > let me know exactly how to set that up? So far
> >> >> >> > everything I've tried has resulted in both
> >> >> >> > administrators and users not having the 'shut down'
> >> >> >> > command visible next to the 'log off' command. Thank
> >> >> >> > you.
>

What you have to do is put the Terminal server in a separate OU,
and then create a TS-specific GPO with the "remove shutdown
button" setting and all other settings that you want to apply to
TS sessions. Link you TS GPO to this TS OU and configure the GPO
with "Loopback processing" and the "Replace" option".

260370 - How to Apply Group Policy Objects to Terminal Services
Servers
http://support.microsoft.com/?kbid=260370

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---

"=?Utf-8?B?QUpXUw==?=" <(E-Mail Removed)> wrote on
21 okt 2004 in microsoft.public.win2000.termserv.apps:

> Hi Vera,
>
> Thank you. Unfortunately, something slightly unexpected
> happened (although I wondered if this might happen): the
> changes propagated throughout the domain, so everyone's computer
> lost its shutdown button. Whoops! I thought that might
> happened if I configured the domain policy.
>
> I added a snap-in for GPO to the MMC, this time for Local
> Computer Policy rather than Default Domain Policy, hoping I
> could make the same changes as before, just to the local
> computer, and have them work. If I get Properties on Default
> Domain Policy it does have a Security tab where I can specify
> permissions on applying Group Policy, but when I go to Local
> Computer Policy and get Properties there is no Security tab,
> just a General tab. Any ideas on what I could do to get it
> working correctly (i.e. make sure Group Policy does not apply to
> Administrators on the local machine/Terminal Server)?
>
> Thank you!
>
>
> "Vera Noest [MVP]" wrote:
>
>> OK, I'm glad you solved it, and thanks for reporting back here!
>> I'll add KB 816100 to my website, might help someone else as
>> well.
>>
>> --
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> http://hem.fyristorg.com/vera/IT
>> --- please respond in newsgroup, NOT by private email ---
>>
>> "=?Utf-8?B?QUpXUw==?=" <(E-Mail Removed)> wrote
>> on 20 okt 2004 in microsoft.public.win2000.termserv.apps:
>>
>> > Actually, think I may have found the solution just now and it
>> > has partly to do with that. Found KB816100 which is specific
>> > to Server 2003 (although not all that different). I did as
>> > you said, edited the GPO from a domain controller and, using
>> > the instructions in KB292655, set it to Deny application of
>> > the Group Policy to Domain admins.
>> >
>> > Then created a custom.mmc on the Terminal Server, adding the
>> > Group Policy snap-in. I set it to edit the Default Domain
>> > Policy rather than a local policy.
>> >
>> > From there I went to Users Configuration, Administrative
>> > Templates, Start Menu and Taskbar, and from there enabled
>> > 'Remove and Prevent Access to the Shutdown Command".
>> >
>> > Now I see I probably could have made those changes to the GPO
>> > from the Terminal Server at the beginning if I'd done it via
>> > snap-in on the MMC in the first place. I tested to see if
>> > this all works by logging in as a regular user (no shutdown
>> > command available) and then as an admin (shutdown available),
>> > so it seems to be working. Thanks for the tips! They helped
>> > a lot.
>> >
>> >
>> >
>> > "Vera Noest [MVP]" wrote:
>> >
>> >> Have you tried to configure the GPO from a different server
>> >> in the domain, maybe the DC? Does it work then?
>> >>
>> >> --
>> >> Vera Noest
>> >> MCSE, CCEA, Microsoft MVP - Terminal Server
>> >> http://hem.fyristorg.com/vera/IT
>> >> --- please respond in newsgroup, NOT by private email ---
>> >>
>> >> "=?Utf-8?B?QUpXUw==?=" <(E-Mail Removed)>
>> >> wrote on 19 okt 2004 in
>> >> microsoft.public.win2000.termserv.apps:
>> >>
>> >> > Hi again,
>> >> >
>> >> > Ok, then there must be something missing. The reason I
>> >> > ask about AD is because when following the directions in
>> >> > KB315675 it says I should get to Group Policy from AD. I
>> >> > go to Start, Programs and then Administrative Tools but
>> >> > Active Directory Users & Computers doesn't show up at all.
>> >> > This Terminal Server is joined to a domain.
>> >> >
>> >> > I can get to Group Policy when reviewing next steps for
>> >> > the Terminal Server and then configuring server settings,
>> >> > but I don't seem to be able to get Properties on a group
>> >> > policy object. That's about where I'm stuck.
>> >> >
>> >> > Thanks for the clarification on the OS/newsgroups thing --
>> >> >
>> >> >
>> >> >
>> >> > "Vera Noest [MVP]" wrote:
>> >> >
>> >> >> No, it should work if your Terminal server is a member of
>> >> >> a domain (not a standalone server in a workgroup).
>> >> >>
>> >> >> Why doesn't this work for you? You do see the Security
>> >> >> tab under the properties of the GPO, do you? What exactly
>> >> >> is the problem in applying this?
>> >> >>
>> >> >> Regarding newsgroups: there is no newsgroup especially
>> >> >> for 2003 TS. Microsoft tries to get rid of the
>> >> >> OS-specific newsgroups. The TS newsgroup with the most
>> >> >> traffic nowadays is
>> >> >> microsoft.public.windows.terminal_services, but it's no
>> >> >> big deal where you post.
>> >> >>
>> >> >> --
>> >> >> Vera Noest
>> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server
>> >> >> http://hem.fyristorg.com/vera/IT
>> >> >> --- please respond in newsgroup, NOT by private email
>> >> >> ---
>> >> >>
>> >> >> "=?Utf-8?B?QUpXUw==?=" <(E-Mail Removed)>
>> >> >> wrote on 19 okt 2004 in
>> >> >> microsoft.public.win2000.termserv.apps:
>> >> >>
>> >> >> > Hello,
>> >> >> >
>> >> >> > Thanks for the quick reply!
>> >> >> >
>> >> >> > I checked out that article and got part of the way
>> >> >> > there, but we're running Windows Server 2003 (couldn't
>> >> >> > find the newsgroup for that and Terminal Services
>> >> >> > although I tried) and the Terminal Server doesn't have
>> >> >> > Active Directory installed. The domain controller
>> >> >> > does, but it's a separate server.
>> >> >> > Should Active Directory be installed on the Terminal
>> >> >> > Server in order for
>> >> >> > those changes to be made possible?
>> >> >> >
>> >> >> > Thank you!
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > "Vera Noest [MVP]" wrote:
>> >> >> >
>> >> >> >> Have you tried to configure "Deny" to the right to
>> >> >> >> "Apply this policy" for Administrators?
>> >> >> >>
>> >> >> >> 315675 - HOW TO: Keep Domain Group Policies from
>> >> >> >> Applying to Administrator Accounts and Selected Users
>> >> >> >> in Windows 2000
>> >> >> >> http://support.microsoft.com/?kbid=315675
>> >> >> >>
>> >> >> >> --
>> >> >> >> Vera Noest
>> >> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server
>> >> >> >> http://hem.fyristorg.com/vera/IT
>> >> >> >> --- please respond in newsgroup, NOT by private email
>> >> >> >> ---
>> >> >> >>
>> >> >> >> "=?Utf-8?B?QUpXUw==?="
>> >> >> >> <(E-Mail Removed)> wrote on 18 okt 2004
>> >> >> >> in microsoft.public.win2000.termserv.apps:
>> >> >> >>
>> >> >> >> > Hello,
>> >> >> >> >
>> >> >> >> > I've been looking at Group Policy settings to make
>> >> >> >> > it so that users do not have the option to shut down
>> >> >> >> > the Terminal Server but administrators do. Could
>> >> >> >> > anyone let me know exactly how to set that up? So
>> >> >> >> > far everything I've tried has resulted in both
>> >> >> >> > administrators and users not having the 'shut down'
>> >> >> >> > command visible next to the 'log off' command.
>> >> >> >> > Thank you.