This policy sets which user accounts can gain the "shutdown computer"
privilege, which is required to shutdown the computer. This is handled at
the authentication level.

Whenever a user logs into the system, whether from over the network or
locally at the computer, the system assigns that user login with a set of
privileges. Any program that user runs can only do what those privileges
allow for that user.

It should be impossible to shutdown the system unless you have this shutdown
privilege, regardless of which API or command is used.

When a user logs in from a network location, as is the case with say typing
\\computername into an explorer window, using the computer administrator or
other mmc console to remotely administrate another computer, using one of
the many command-line tools available to remotely administrate a remote
computer such as the NET and SHUTDOWN command, etc, the system that you are
connecting to realizes that this is a network login and either assigns or
unassigns the shutdown privilege based on that policy setting.

In short:

"Force shutdown from a remote system" controls who gets the system shutdown
privilege when logged in via networking services.

"Shut down the system" controls who gets the system shutdown privilege when
logged in interactively.

This last statement is the kicker - When you connect to a computer using
Remote Desktop, as was mentioned in another reply, you are given a desktop
as if you were physically at the computer; this is considered an
"interactive" login, and NOT a network login, so the second policy setting
is used in this case to determine whether to assign the shutdown privilege.


--
- JB

Windows Vista Support Faq
http://www.jimmah.com/vista/

Thanks Jimmy,

That really does clarify it. Fortunately for us, the only way we shut down
or reboot DC's is from Remote Desktop, or that rare instance in which we are
physically at the box. It also illuminates why it was recommended to us to
have the DC policy not have anyone have this right.


"Jimmy Brush" wrote in message
...
This policy sets which user accounts can gain the "shutdown computer"
privilege, which is required to shutdown the computer. This is handled at
the authentication level.

Whenever a user logs into the system, whether from over the network or
locally at the computer, the system assigns that user login with a set of
privileges. Any program that user runs can only do what those privileges
allow for that user.

It should be impossible to shutdown the system unless you have this
shutdown privilege, regardless of which API or command is used.

When a user logs in from a network location, as is the case with say
typing \\computername into an explorer window, using the computer
administrator or other mmc console to remotely administrate another
computer, using one of the many command-line tools available to remotely
administrate a remote computer such as the NET and SHUTDOWN command, etc,
the system that you are connecting to realizes that this is a network
login and either assigns or unassigns the shutdown privilege based on that
policy setting.

In short:

"Force shutdown from a remote system" controls who gets the system
shutdown privilege when logged in via networking services.

"Shut down the system" controls who gets the system shutdown privilege
when logged in interactively.

This last statement is the kicker - When you connect to a computer using
Remote Desktop, as was mentioned in another reply, you are given a desktop
as if you were physically at the computer; this is considered an
"interactive" login, and NOT a network login, so the second policy setting
is used in this case to determine whether to assign the shutdown
privilege.


--
- JB

Windows Vista Support Faq
http://www.jimmah.com/vista/

i can do a remote shutdown on any device with a mac address as long as
you are on the local network (even via rdp) using lan cables not wirless
and pc will shutoff but across net i dont know how even to detect this
and both would be good to lern any ideas?


--
jamieduk