Solutions Through IT

March 9, 2011

Restrict a Security Group from shutting down a server

Filed under: Uncategorized — solutionsthroughit @ 14:14
  1. Depending on your Windows Server version you may need to install Group Policy Management Console ( 
    It is much easier to create and link Group Policy Objects with it than via object Properties in Active Directory Users and Computers.
  2. Open GPMC from Administrative Tools. 
    You will see your Domain at the top of the tree. 
    Expand the Domain and at the top you will see current linked policies, starting with the Default Domain Policy. 
    Policy Objects which apply to the whole Domain are linked here. 
    A bit further down you will see Domain Controllers and under that branch Policy Objects which apply only to Domain Controllers and headed up with the Default Domain Controllers Policy. 
    Further down, on an SBS Server, you see MyBusiness and its linked policies, if any. 
    Even further down the tree you will see the Group Policy Objects themselves. 
    These are all the GPO’s which have been created on the Domain. 
    They should be linked to one of the containers/objects above (and therefore their listing duplicated). 
    If a GPO isn’t linked to the top of the Domain or to any of the objects within that container it will have no effect.
  3. To create a new GPO, right-click on Group Policy Objects in the tree and choose ‘New’. 
    Give the new policy a meaningful name like “Disable Server Shutdown Policy”. 
    The new policy is created and automatically enabled, but you need to edit it, before it can do anything. 
    Right-click the new policy and select ‘Edit’. 
    In the Group Policy Object Editor, browse in the tree to User Configuration – Administrative Templates – Windows Components – Start Menu and Task Bar. 
    Nearly half-way down the list in the right-hand pane, double-click “Remove and prevent access to the Shut Down command”. 
    Select ‘Enabled’, and click ‘OK’ and close the Group Policy Object Editor. 
    Now you want to apply the policy to Backup Operators only, so back in Group Policy Management, make sure your new policy is selected in the tree and in the right-hand pane select the ‘Scope’ tab. By default it will list Authenticated Users. 
    Remove Authenticated Users and add Backup Operators (of course make sure you or any user/group you don’t want restricted are not in this group).
  4. You have made the GPO, now you need to link it. 
    You may want to link the GPO to the Domain Controller(s), in which case you will right-click Domain Controllers in the Group Policy Management tree and select ‘Link an existing GPO’. 
    Select the new GPO from the list and click ‘OK’. 
    If you have servers in any other Organisational Unit (OU), for example the SBSServers (OU) you might want to link the GPO there too.
  5. That’s it.
    To refresh Group Policy on the DC or any computer on the Domain type gpupdate /force at a Command Prompt. This forces policy changes to be implemented right away instead of at the default interval (approximately 90 minutes).
    It is advisable to test new policies before final implementation. You could temporarily replace Backup Operators in the Scope of the GPO with a test user and logon as that user to test the effect of the new policy. You can also use the Group Policy Modelling Wizard (right-click Group Policy Modelling near the bottom of the GPMC tree) to check the effect of your policy configuration on selected users, groups or computers.

Reprinted with permissions. Article originally by Don Tibbits of Brainbox Solutions


Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Create a free website or blog at

%d bloggers like this: