just apply a group policy that enforces the SeShutdownPrivilege not to be applied to local administrators, but to a domain group instead. We used to have to do this when we were responsible for controlling a domain with administrators who thought they had the God-given right to take things offline that were governed by our SLAs. However, you might want to set up and add to this GPO a local user account that can shut down the system as well, just in case you lose domain connectivity and find yourself with a system you can't restart - although there is always the power cord, or RIB/DRAC/ILO reset function....
2008/12/10 Free, Bob <[EMAIL PROTECTED]> > SeShutdownPrivilege (Shut down the system) allows a user to restart, > sleep, or shutdown the computer. > > Be aware that administrators are also granted SeRemoteShutdownPrivilege > (Force shutdown from a remote system) by default. > > That said, I'm not sure how you are going to accomplish this if the > users have local admin rights. > > -----Original Message----- > From: Rick Berry [mailto:[EMAIL PROTECTED] > Sent: Wednesday, December 10, 2008 11:45 AM > To: NT System Admin Issues > Subject: deny restart local policy? > > does the Local Policy/User Rights Assignment/Shut Down The System part > of policy encompass a restart as well as shutdown? > > need to deny folks on a particular TS box that require local admin > rights the ability to reboot it. > > i don't recall if explicit denial of "shut down the system" also means > "you can't reboot it either sucka" > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
