Monday 16 July 2007

SBS - Vista Based Group Policy Management Reminder

We are in the process of fine tuning some GP setups for Remote Desktops based on Windows Vista Business.

We set the GP setting for remote shutdowns to only be allowed by Domain Admins. This setting was placed in a domain level linked GPO we create for the non-SBS specific security settings called: Default Domain Security Policy.

But, when a non-domain admin remote user hits the "Windows Security" Vista based Start Menu option, they are presented with:


See that little red button on the bottom right hand side? They should not be seeing that. By clicking on it, they can shut down the VM, the actual Remote Desktop server if it is a 1U dedicated box, or their local workstation. Windows XP does not show a shutdown option at all.

Not a good thing for the next person who needs access, is it? 8*O

So, since we have a Vista dedicated policy on SBS now, and any machine based on Windows Vista should not be able to be shut down remotely, we will enable that setting.

When working on GP settings that are specific to Windows Vista, most changes must be done from a Vista based workstation. One must log on to the workstation as domain admin, open GPMC.msc from the search bar or Run command, and navigate through to the settings that need to be changed.

GPMC via Windows Vista:


The first time one clicks on a GPO, the following notice will come up:


You have selected a link to a Group Policy Object (GPO). Except for changes to link properties, changes you make here are global to the GPO, and will impact all other locations where this GPO is linked.
In other words, any changes made to the GPO will be implemented at the Domain level.

And now, we run into a bit of a problem.


Run GPEdit.msc on the local Vista machine, and there it is! The setting is implemented to not allow anyone to shut the system down remotely. But, the little red button is still there and the user can still run the shutdown command from within the command prompt.

There is an explanation, whether we are missing a Vista specific GP setting elsewhere, or it is an actual GP related bug in Vista. The Windows XP machines and VMs picked up the settings with no problems.

The puzzling thing is that we can move the user out of the local admin group into the RD Users group and they can still shut the system down! That is a real predicament as they no longer have admin rights!
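One check worth running on the Vista box before heading to the newsgroups is to look at who actually holds each of the two shutdown-related user rights after Group Policy has applied. Windows treats a shutdown started from inside an interactive session, which includes a Remote Desktop session and the button on the Windows Security screen, as governed by "Shut down the system" (SeShutdownPrivilege); "Force shutdown from a remote system" (SeRemoteShutdownPrivilege) only covers shutdowns initiated from another machine over the network. The PowerShell script below is an added example, not code from the original post: it exports the effective local policy with secedit and lists the accounts behind both rights. It assumes an elevated PowerShell prompt on the machine being checked; the export path and the Resolve-SidString helper are my own.

```powershell
# Added example (not from the post): report which accounts hold the two shutdown-related
# user rights on this machine, as resolved from the effective local security policy.
# Assumes: an elevated PowerShell prompt on the Vista machine being checked (secedit needs it);
# secedit.exe ships with Windows. The export path below is an arbitrary temporary file.

$exportPath = Join-Path $env:TEMP 'user-rights-export.inf'

# secedit writes the effective policy (after Group Policy has been applied) to an .inf file;
# the USER_RIGHTS area gives just the [Privilege Rights] section we need.
secedit /export /cfg $exportPath /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $exportPath)) {
    throw "secedit export failed; run this from an elevated prompt."
}

# Internal privilege name -> display name as shown in the Group Policy editor
$rights = @{
    'SeShutdownPrivilege'       = 'Shut down the system'
    'SeRemoteShutdownPrivilege' = 'Force shutdown from a remote system'
}

function Resolve-SidString {
    param([string]$Entry)
    # Entries in [Privilege Rights] look like *S-1-5-32-544 (a SID) or a plain account name
    if ($Entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.TrimStart('*'))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            return $Entry   # unresolvable SID (e.g. a deleted account): keep the raw value
        }
    }
    return $Entry
}

$policy = Get-Content $exportPath
foreach ($name in $rights.Keys) {
    # A line such as: SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
    $line = $policy | Where-Object { $_ -match "^$name\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ -ne '' } |
            ForEach-Object { Resolve-SidString $_ }
    }
    "{0} ({1}):" -f $rights[$name], $name
    if ($holders.Count -eq 0) { "    <no one>" } else { $holders | ForEach-Object { "    $_" } }
}

Remove-Item $exportPath -ErrorAction SilentlyContinue

# To see what the affected user's own logon token carries, run this inside that user's
# Remote Desktop session (no elevation needed):  whoami /priv | findstr /i shutdown
```

If "Shut down the system" still lists Users (BUILTIN\Users, S-1-5-32-545) after the policy has applied, a member of Remote Desktop Users will keep the shutdown button and the shutdown command regardless of what "Force shutdown from a remote system" says, which is the first thing to compare against the XP machines that picked the settings up.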

We are turning to the Partner based News Groups for the next step. As soon as we know, you will! ;)

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.
