Prevent remote users from shutting down/rebooting the XP/VS Terminal Server

mona
2010-11-15 16:10

This FAQ describes how to prevent users from shutting down or restarting your server where XP/VS Server is installed.

Basically there are two possibilities to distinguish:

  1. Hiding the entries “Shut down” and “Restart” in the Start Menu:
    If shutdown/restart/suspend/hibernate options are missing in the menu, this does not mean that a normal user does not have the privilege to shut down the machine.The user still can shut down the computer by using e.g. the shutdown command from command line.
    • Open the Local Group Policy Editor: Start -> Run -> Enter gpedit.msc
    • Move to User  Configuration/ Administrative Templates/ Start Menu and Taskbar
    • Enable “Remove and Prevent access to the Shut Down from Start Menu”
  2. Removing the user’s shutdown-privilege
    This is the right and effective way to solve that issue.

Removing the user’s shutdown-privilege

For the following operating systems (except “Home” Editions)

  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows Server 2003 (SBS) 
  • Windows Server 2008 (R2)

Log in with administrative rights: Start -> Run -> Enter: secpol.msc (Security Policy Editor).
Move to Local Policy/ User Right Assignment and on the right pane open “Shut down the system”.
This security setting determines which user (who is logged in remotely) has the privilege to shut down the operating system.
Default settings for servers (where XP/VS Server is installed): Administrators and Backup Operators

Removing the user’s shutdown-privilege on Windows Home-Editions

Local Security Policy Editor is not included in Windows Home Edition, like Windows XP Home, Vista Home and Windows 7 Home.
The privilege to shut down the computer is called “SeShutdownPrivilege”. Configuring this privilege is more complicated in Windows Home Editions, because Security Policy Editor is not available.

But there is a solution to modify those settings, but two command line programs are required:

  1. Microsoft´s accesschk.exe
    This program displays the current privileges of users or groups.Download here: http://download.sysinternals.com/Files/accesschk.zip
    Information page: http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx
    After downloading copy accesschk.exe from the zip to your windows\system32 directory!Open a command prompt (as Administrator !) and enter the command
    accesschk -a UserOrGroupName *
    to see which privileges a user or group has: e.g. to list the privileges of the group Users use the following command:
    accesschk -a Users *


  2. If the privilege should be removed, a program called “ntrights.exe” from the Windows Resource Kit is required.
    Download the Windows Resources Kit here: http://www.microsoft.com/downloads/en/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en
    After successful installation, please copy ntrights.exe (from e.g. C:\Program Files (x86)\Windows Resource Kits\Tools) to C:\Windows\System32 and uninstall Resource Kit afterwards.
    Start the command prompt (“Run as Administrator”) and enter the command:
    ntrights -u UserOrGroupName -r PrivilegeName
    to revoke the privilege from a single user or group:


    To verify  that the privilege has been revoked use the command:
    accesschk -a Users *


    “SeShutdownPrivilege” is not listed anymore!
Tags: disable, reboot, remove, restart, SeShutdownPrivilege, shut down, shutdown-privilege, Start Menu, Taskbar