Tuesday, April 8, 2008

Restrict shutdown but not restart

Users at my company like to shut their systems down when they leave. That's all well and good, but it prevents late-night virus scanning and Windows Update... updates. So, I found a good way to stop this nonsense.

1. Using a User GPO, set the "Add Logoff to the Start Menu" and "Remove and prevent access to the Shut Down command" policies to "Enabled". These are under User Configuration, Administrative Templates, Start Menu and Taskbar.

2. Using a Computer GPO, set the "Shutdown: Force shutdown from a remote system" and "Shutdown: Shut down the system" user rights assignments to "INTERACTIVE". These are under Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment.

3. Make a shortcut to "%WINDIR%\System32\Shutdown.EXE -r -t 00". Make a startup script that will copy that shortcut to "%ALLUSERSPROFILE%\Start Menu".

4. Add the startup script to the Computer GPO and put the files in that GPO's startup script directory. The syntax of the file path for the shortcut that the script should reference is something like "\\mydomain.local\sysvol\mydomain.local\Policies\{GUID-OF-POLICY}\Machine\Scripts\Startup"
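A startup script for steps 3 and 4 could look like the following. This is an added example, not the author's own script; the shortcut file name Restart.lnk is an assumption, and the script expects the shortcut to sit beside it in the GPO's startup script directory.

```batch
@echo off
rem Added example, not the original author's script.
rem Assumption: the shortcut is named Restart.lnk (hypothetical name) and is
rem stored in the same GPO startup script directory as this file.
rem Startup scripts run as Local System, so write access to that sysvol
rem directory should stay limited to administrators.
setlocal

rem %~dp0 expands to the directory this script was launched from, so the
rem policy GUID in the sysvol path never has to be hard-coded.
set "SRC=%~dp0Restart.lnk"
set "DSTDIR=%ALLUSERSPROFILE%\Start Menu"
set "DST=%DSTDIR%\Restart.lnk"

if not exist "%SRC%" (
    echo Source shortcut not found: "%SRC%"
    exit /b 1
)
if not exist "%DSTDIR%\" (
    echo Destination folder not found: "%DSTDIR%"
    exit /b 2
)

rem Skip the copy when an identical shortcut is already in place.
if exist "%DST%" (
    fc /b "%SRC%" "%DST%" >nul 2>&1
    if not errorlevel 1 exit /b 0
)

rem Otherwise install or refresh the shortcut for all users.
copy /y "%SRC%" "%DST%" >nul
if errorlevel 1 (
    echo Copy failed: "%SRC%" to "%DST%"
    exit /b 3
)
exit /b 0
```

Because the copy is skipped only when the two files are byte-identical, a shortcut that has been altered on the client is overwritten with the sysvol copy at the next boot.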

The vital piece was adding the "Shutdown: Force shutdown from a remote system" entry. Apparently this is a bug. I found the answer at Aaron Margosis's blog.

1 comment:

Moktarino said...

I realized that the users might not like a restart button without an "Are you sure?" popup, so I made a little VBS and redirected the shortcut. Works a charm.