Thursday, March 17, 2011

Restricting Restart/Shutdown Rights

I am here to give you some hints about restricting the server restart/shutdown rights of any user role, including local administrators and even domain admins. Despite what the title says, you can also grant the restart/shutdown right to any user or user group. For example, a standard user can restart or shut down a server by remotely executing commands with psexec, or a domain admin can be left unable to restart or shut down.

First of all, I would like to give a little background on why you would need to prevent a local administrator from restarting or shutting down a server. If you and your team are the only people who log in to the server, there is no problem. But in some cases you may have to give local administrator rights to application admins, as on almost every single server that I am managing. Of course, best practice is not to give admin rights to application admins, but there are lots of 3rd-party tools that require the application admin to have admin rights on the server.

As the following figure shows, you can restrict restart/shutdown from the Local Security Policy.

 RUN --> gpedit.msc --> Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignment --> Shut down the system.


If you remove all users and groups from the list, nobody will be able to restart or shut down the server. Depending on your case, you can restrict this setting however you want. But do not forget that a local administrator has the right to change this policy, so in a workgroup environment you may not be able to restrict a local administrator. Here comes another advantage of using domains: if your server is in a domain environment and you change this setting through a Group Policy, a local administrator will not be able to change it from the local policy. Instead, the administrator will see a grayed-out screen.
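
To check the result after changing the policy, the following added example (not part of the original post) exports the user rights with `secedit` and lists who holds "Shut down the system". It goes slightly beyond the post by also reporting the related "Force shutdown from a remote system" right; the function name `Get-ShutdownRightHolder` and the temporary file name are assumptions made for the example.

```powershell
# Added example: list the accounts that hold the shutdown user rights.
# Run from an elevated PowerShell prompt on the server being checked.
function Get-ShutdownRightHolder {
    param(
        # "Shut down the system" and "Force shutdown from a remote system"
        [string[]]$Privilege = @('SeShutdownPrivilege', 'SeRemoteShutdownPrivilege')
    )
    $cfg = Join-Path $env:TEMP ('user-rights-{0}.inf' -f [guid]::NewGuid())
    try {
        # Export only the User Rights Assignment area of the security policy.
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
        $lines = Get-Content -Path $cfg   # honours the file's byte order mark

        foreach ($name in $Privilege) {
            # Exported form: SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
            $value = ''
            foreach ($l in $lines) {
                if ($l -match "^\s*$name\s*=\s*(.*)$") { $value = $Matches[1]; break }
            }
            $entries = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if ($entries.Count -eq 0) {
                # No line, or an empty one: the export lists no holder for this right.
                [pscustomobject]@{ Privilege = $name; Account = '(none)'; Sid = $null }
                continue
            }
            foreach ($entry in $entries) {
                $sid = $null; $account = $entry
                if ($entry.StartsWith('*')) {
                    # SIDs are written with a leading asterisk; resolve them to names.
                    $sid = $entry.Substring(1)
                    try {
                        $sidObj = [System.Security.Principal.SecurityIdentifier]$sid
                        $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $account = '(unresolved SID)' }
                }
                [pscustomobject]@{ Privilege = $name; Account = $account; Sid = $sid }
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

Get-ShutdownRightHolder | Format-Table -AutoSize
```

Any account in the output that is not meant to restart the server, such as a group that application admins belong to, is a candidate for removal from the policy.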
