Users should not shutdown or restart servers

[Bert Sierra]

I am trying to prevent "Shut Down" from appearing in the Win2K Start
menu for non-admin users of our Win2K servers. We have one server
operating as the domain controller (#1), and the other operating as a
backup (#2).

I have looked at the Local Security Settings for server #2, and under
"Security Settings > Local Policies > User Rights Assignment" I see the
following enabled only for Administrators, Power Users, and Backup
Operators:

Force shutdown from a remote system:
Administrators

Shut down the system:
Power Users, Backup Operators, Administrators

For the sample user I am looking at, she is not part of any of the above
groups: she is only part of "Domain Users", "Accounting" (which grants
access to Accounting-related share points), and "termusers" (which
grants access to Terminal Services-related share points). I don't
understand why "Shut Down" is enabled for her account.

I understand that there may be settings on the domain controller (#1)
which override the local settings of server #2. How do I access the
domain controller security settings? On server #1, I looked at "Start >
Programs > Administrative Tools > Domain Controller Security Policy" and
"... > Domain Security Policy" but could not understand what it was I
was looking at.

Any help would be appreciated.

 

[Steven L Umbach]

You need to make sure the "effective" security policy for the W2K servers
you want to restrict does not included users/authenticated users. For domain
controllers that user right is defined in Domain Controller Security Policy
which applies only to computers in the domain controllers container/OU. For
other domain computers you can configure it in their Local Security Policy
or at the domain/OU level if you are using such via a GPO for an OU.
Security policy is a subset of computer configuration under Windows
settings. On Windows 2000 computers if the local setting does not match the
"effective" setting then there is an overriding security policy at the
domain/OU level that you would need to configure to make it the desired
"effective" setting. Keep in mind that Group/security Policy is applied in
this order local>site>domain>OU>child OU where the last applied policy is
applied when a setting [such as user right] is defined in multiple policies.
The gpresult support tool can be very helpful in finding what GPO's are
applied to a computer/user. Group/security Policy applied at the domain/OU
level will not be applied until the next refresh of the policy. To speed
such up for W2K use secedit /refreshpolicy machine_policy /enforce first on
the domain controller and then on the domain computer where the new policy
is to be applied. --- Steve

 

[Julian Dragut]

Bert,

It's clear to me that you have a DC (srv#1) but the second I'm not sure if
it's DC as well.....
In any case, by default on the DC's plain users are not allowed to log on
locally, and the security policy (GP) should be addressed to the Domain
Controllers OU ( don't look at the local policy, it the first to be
bypassed )
In your case, the user is part of "termuser" which tells me that she
connects to the DC using TSClient, therefore she has log on locally "-"
If that's the case you may use TS settings to restrict users rights on the
server.
http://www.microsoft.com/technet/prodtechnol/win2kts/maintain/optimize/secw2kts.mspx
Hope it helps,
Julian Dragut