Controlling Terminal Server Shutdowns/Reboots


Here is a quick and easy way to control who can and can’t shut down or reboot your terminal server (TS). You’d be surprised how many times I’ve seen this enabled for all users when we take over an established client’s infrastructure. This quick guide will show you how to enable shutdown/reboot of a TS by a specific group of users and disable it for all other users. There are other ways to do this, but I prefer this method because it’s quick and easy, especially if you only have one or two TSs. Keep in mind, this also applies to users logging in locally, not just through RDP.

First, we need to create a global security group in Active Directory. In my case, I call it “Shutdown TS”. Now add the users you want to be able to shut down the TS to the newly created group.

Next, we’ll need to open the local security policy on the TS. (See image below)

Then we’ll navigate to: Computer Config -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. Find the policy called “Shut down the system”. (See image below)

Find Policy

Now we need to double-click the policy to edit it. Remove any groups you don’t want to have this right and add the newly created group. (See image below)

Add Group

 

Finally, we just need to force the group policy to update. Run “gpupdate /force”.
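
To confirm the change took effect, the following PowerShell check (an added example, not part of the original post) exports the current user rights with secedit and lists who holds “Shut down the system”, whose internal name is SeShutdownPrivilege. The allowed list, including the placeholder domain name CONTOSO and the choice to keep BUILTIN\Administrators, is an assumption to adjust for your environment.

```powershell
# Added example: list who holds "Shut down the system" (SeShutdownPrivilege).
# Run from an elevated PowerShell prompt on the terminal server.
# ASSUMPTION: the allowed list below; 'CONTOSO' is a placeholder domain name.
$expected = @('BUILTIN\Administrators', 'CONTOSO\Shutdown TS')

$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
try {
    # Export only the user rights section of the current security settings.
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

    # Expected line shape: SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-21-...
    # No such line means no account holds the right.
    $line = Get-Content -Path $cfg |
        Where-Object { $_ -match '^SeShutdownPrivilege\s*=' } |
        Select-Object -First 1
    $entries = @()
    if ($line) {
        $entries = @(($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }

    # Entries prefixed with '*' are SIDs; resolve them to DOMAIN\name form.
    $holders = @(foreach ($entry in $entries) {
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }   # unresolvable SID, e.g. a deleted account
        } else {
            $entry                 # already written as an account name
        }
    })

    $unexpected = @($holders  | Where-Object { $_ -notin $expected })
    $missing    = @($expected | Where-Object { $_ -notin $holders })

    "Holders of 'Shut down the system': " + ($holders -join ', ')
    if ($unexpected) { Write-Warning ("Not on the allowed list: " + ($unexpected -join ', ')) }
    if ($missing)    { Write-Warning ("Expected but absent: " + ($missing -join ', ')) }
}
finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}
```

A warning about an account that is not on the allowed list means the policy edit did not remove every group you intended, or another policy is re-adding it.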

Below are images from two different users’ start menu. Administrator is in the group and temp is not.