Giovanni recently implemented an amazing system at the Platform Adoption Center at Microsoft to allow remote access to attendees to carry out labs. This is a mix or Terminal Services, System Center Virtual Machine Manager using the Self-Service portal, and lots of patience. The end result works extremely well, and we managed to integrate his solution with a Boot2VHD implementation carried out by yours truly.
The end result is an environment for 40 machines ready for virtualization labs (which cannot be virtualized). By using Boot2VHD, we clean the machines by simply booting to a “Clean Lab” partition that replaces the “dirty” differencing VHD with the “master” differencing VHD. It works extremely well and the beauty of it all is that (at least our solution) was implemented with WIndows Server 2008, no 3rd party tools were involved.
Anyhow, the environment works great – except when students shut down the machines. Since they are in a datacenter, if someone shuts down the machine, we have to contact the IT Admin to turn the servers back up, which can be really tiring. After some research, I found out that you can hide the “Shutdown/Restart” options in an OU, so even though this does not prevent them from shutting down the machines (they can use the shutdown command), it reduces the chances of having someone shut down the server.
So here is what you need to do:
1- Log in to your DC and right click at the OU node where you want the policy applied:
2- Name the policy something like “Prevent Shutdown Display”
3- Right click the newly created policy and select “Edit”
4- Expand User Configuration –> Administrative Templates –> Start Menu and Taskbar:
5- The right pane will display all related policies, look for one called Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands:
6- Double click the policy and select Enabled and click OK:
7- Your group policy is now in effect and users won’t see the buttons when they log in:
Alan Gunn says:
If you change the “Scope” settings on the GPO so instead of “Authenticated Users” it only applies to members of a new group called , say , “No Shutdown command (G)” then the GPO will only apply to the computeris in the OU if they are made members of the “No Shutdown command (G)” group.
🙂
Joe Jenkins says:
It seems like you could probably change the ntfs permissions on the shutdown command to the Administrators or Desktop Admins OU and totally prevent student class users from shutting down your servers. This GPO is a great first step.
I mandate this GPO for all terminal server users across all of our domains in our company. I haven’t had to start up a server a user shut off in a few years and it’s been great!
Michael says:
Great shutdown immobilizer, but the entire OU? – wish we had a better solution than a blanket one.