"Force shutdown from a remote system"



 
 
  #1 (permalink)  
Old October 13th 06, 07:26 PM posted to microsoft.public.security,microsoft.public.win2000.security,microsoft.public.windows.server.security,microsoft.public.windows.vista.security
Guest
 
Posts: n/a
Default "Force shutdown from a remote system"

What do they really mean by this? I was able to shut down a server with no
users having this user right, using terminal services. I took everyone out
of this user right, and I refreshed the policy then connected to the server
via terminal services, and proceeded to shut it down, no problem. What kind
of tool does this policy expect the remote user is going to be using to
accomplish the shutdown? 'Cuz it sure ain't terminal services.

Any ideas appreciated.


  #2 (permalink)  
Old October 13th 06, 07:46 PM posted to microsoft.public.security,microsoft.public.win2000.security,microsoft.public.windows.server.security,microsoft.public.windows.vista.security
Shenan Stanley
external usenet poster
 
Posts: 286
Default "Force shutdown from a remote system"

- wrote:
What do they really mean by this? I was able to shut down a server
with no users having this user right, using terminal services. I
took everyone out of this user right, and I refreshed the policy
then connected to the server via terminal services, and proceeded
to shut it down, no problem. What kind of tool does this policy
expect the remote user is going to be using to accomplish the
shutdown? 'Cuz it sure ain't terminal services.
Any ideas appreciated.


Who are "they" and where are you getting this from?
IE: methinks you left out a few details.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


  #3 (permalink)  
Old October 13th 06, 07:47 PM posted to microsoft.public.security,microsoft.public.win2000.security,microsoft.public.windows.server.security,microsoft.public.windows.vista.security
Roger Abell [MVP]
external usenet poster
 
Posts: 14
Default "Force shutdown from a remote system"

Generally speaking a terminal services login is considered
to be a local login as there is a winstation session.
Remote login is via such as a WMI shutdown command,
which is a small network transmission.

- wrote in message ...
What do they really mean by this? I was able to shut down a server with
no users having this user right, using terminal services. I took everyone
out of this user right, and I refreshed the policy then connected to the
server via terminal services, and proceeded to shut it down, no problem.
What kind of tool does this policy expect the remote user is going to be
using to accomplish the shutdown? 'Cuz it sure ain't terminal services.

Any ideas appreciated.



  #4 (permalink)  
Old October 13th 06, 08:11 PM posted to microsoft.public.security,microsoft.public.win2000.security,microsoft.public.windows.server.security,microsoft.public.windows.vista.security
Roger Abell [MVP]
external usenet poster
 
Posts: 14
Default "Force shutdown from a remote system"

"Shenan Stanley" wrote in message
...
- wrote:
What do they really mean by this? I was able to shut down a server
with no users having this user right, using terminal services. I
took everyone out of this user right, and I refreshed the policy
then connected to the server via terminal services, and proceeded
to shut it down, no problem. What kind of tool does this policy
expect the remote user is going to be using to accomplish the
shutdown? 'Cuz it sure ain't terminal services.
Any ideas appreciated.


Who are "they" and where are you getting this from?
IE: methinks you left out a few details.


I believe the "they" is MSFT when "this" user right
was given a descriptive name, which differs in XP
where it is "Force shutdown from a remote system"

Roger

How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html



  #5 (permalink)  
Old October 13th 06, 08:38 PM posted to microsoft.public.security,microsoft.public.win2000.security,microsoft.public.windows.server.security,microsoft.public.windows.vista.security
Shenan Stanley
external usenet poster
 
Posts: 286
Default "Force shutdown from a remote system"

- wrote:
What do they really mean by this? I was able to shut down a
server with no users having this user right, using terminal
services. I took everyone out of this user right, and I
refreshed the policy then connected to the server via terminal
services, and proceeded to shut it down, no problem. What kind
of tool does this policy expect the remote user is going to be
using to accomplish the shutdown? 'Cuz it sure ain't terminal
services. Any ideas appreciated.


Shenan Stanley wrote:
Who are "they" and where are you getting this from?
IE: methinks you left out a few details.


Roger Abell [MVP] wrote:
I believe the "they" is MSFT when "this" user right
was given a descriptive name, which differs in XP
where it is "Force shutdown from a remote system"


Ah.. Thanks Roger.
I appreciate the clarification.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


  #6 (permalink)  
Old October 13th 06, 11:59 PM posted to microsoft.public.security,microsoft.public.win2000.security,microsoft.public.windows.server.security,microsoft.public.windows.vista.security
James Saveker
external usenet poster
 
Posts: 7
Default "Force shutdown from a remote system"

I think you are referring to a GP setting and this can override someone with
local admin privs on a box from executing a remote shut down with the
"shutdown" command.

e.g.

shutdown /s /m \\jimbo /c "I am being annoying and shutting down Jimbo's workstation"

Kind regards,

Jimbo.

- wrote in message ...
What do they really mean by this? I was able to shut down a server with
no users having this user right, using terminal services. I took everyone
out of this user right, and I refreshed the policy then connected to the
server via terminal services, and proceeded to shut it down, no problem.
What kind of tool does this policy expect the remote user is going to be
using to accomplish the shutdown? 'Cuz it sure ain't terminal services.

Any ideas appreciated.


  #7 (permalink)  
Old October 14th 06, 05:54 AM posted to microsoft.public.security,microsoft.public.win2000.security,microsoft.public.windows.server.security,microsoft.public.windows.vista.security
Roger Abell [MVP]
external usenet poster
 
Posts: 14
Default "Force shutdown from a remote system"

"James Saveker" wrote in message
...
I think you are referring to a GP setting and this can override someone with
local admin privs on a box from executing a remote shut down with the
"shutdown" command.

e.g.

shutdown /s /m \\jimbo /c "I am being annoying and shutting down Jimbo's workstation"


Ummm . . . no, this user right grants that capability,
not denies it, so it certainly cannot be used to prevent
an account from using their capabilities.

- wrote in message ...
What do they really mean by this? I was able to shut down a server with
no users having this user right, using terminal services. I took
everyone out of this user right, and I refreshed the policy then
connected to the server via terminal services, and proceeded to shut it
down, no problem. What kind of tool does this policy expect the remote
user is going to be using to accomplish the shutdown? 'Cuz it sure ain't
terminal services.

Any ideas appreciated.




  #8 (permalink)  
Old October 16th 06, 07:44 PM posted to microsoft.public.security,microsoft.public.win2000.security,microsoft.public.windows.server.security,microsoft.public.windows.vista.security
Guest
 
Posts: n/a
Default "Force shutdown from a remote system"

But, in terms of the _method_ of shutdown, the shutdown.exe command is the
only method this policy addresses?


"Roger Abell [MVP]" wrote in message
...
"James Saveker" wrote in message
...
I think you are referring to a GP setting and this can override someone
with local admin privs on a box from executing a remote shut down with the
"shutdown" command.

e.g.

shutdown /s /m \\jimbo /c "I am being annoying and shutting down Jimbo's workstation"


Ummm . . . no, this user right grants that capability,
not denies it, so it certainly cannot be used to prevent
an account from using their capabilities.

- wrote in message ...
What do they really mean by this? I was able to shut down a server with
no users having this user right, using terminal services. I took
everyone out of this user right, and I refreshed the policy then
connected to the server via terminal services, and proceeded to shut it
down, no problem. What kind of tool does this policy expect the remote
user is going to be using to accomplish the shutdown? 'Cuz it sure
ain't terminal services.

Any ideas appreciated.






  #9 (permalink)  
Old October 17th 06, 06:51 AM posted to microsoft.public.security,microsoft.public.win2000.security,microsoft.public.windows.server.security,microsoft.public.windows.vista.security
Roger Abell [MVP]
external usenet poster
 
Posts: 14
Default "Force shutdown from a remote system"

No.

shutdown.exe is just a little exe MS made available at one time that has
stuck.

I have spent a little time trying to see whether I can find a statement as
to just exactly what APIs, what providers, what namespace classes' methods
are covered by this setting.

However, all that I have found just says, as this from the W2k3 Security
Guide:
quote
This policy setting determines whether users can shut down computers from
remote locations on the network. Any user who can shut down a computer could
cause a DoS condition. Therefore, this user right should be tightly
restricted.

/quote

In other words, the statements I have seen just make the unconditional
statement that this allows use of remote means for shutdown, from which it
seems that all available ways are wired to obey this right.

I know that when I use WMI it is a requirement that one specify the shutdown
right when initially instancing the objects one uses (and of course this
explicit request is only honored if it is granted to the account in use)
because otherwise this is not enabled on the object obtained even when
allowed to the account used.



- wrote in message ...
But, in terms of the _method_ of shutdown, the shutdown.exe command is the
only method this policy addresses?


"Roger Abell [MVP]" wrote in message
...
"James Saveker" wrote in message
...
I think you are referring to a GP setting and this can override someone
with local admin privs on a box from executing a remote shut down with
the "shutdown" command.

e.g.

shutdown /s /m \\jimbo /c "I am being annoying and shutting down Jimbo's workstation"


Ummm . . . no, this user right grants that capability,
not denies it, so it certainly cannot be used to prevent
an account from using their capabilities.

- wrote in message ...
What do they really mean by this? I was able to shut down a server
with no users having this user right, using terminal services. I took
everyone out of this user right, and I refreshed the policy then
connected to the server via terminal services, and proceeded to shut it
down, no problem. What kind of tool does this policy expect the remote
user is going to be using to accomplish the shutdown? 'Cuz it sure
ain't terminal services.

Any ideas appreciated.
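
Added example, not part of any post in this thread: a Python audit sketch that separates the two rights the replies distinguish, "Shut down the system" (SeShutdownPrivilege, used from a console or Terminal Services session) and "Force shutdown from a remote system" (SeRemoteShutdownPrivilege, used for network requests such as shutdown /m or WMI). The secedit export text and the SID table are constructed sample data, and the function names are hypothetical.

```python
import configparser

# Constructed sample of a `secedit /export /cfg rights.inf /areas USER_RIGHTS`
# file (real exports are UTF-16). As in the thread, nobody holds the
# remote-shutdown right, yet two groups can still shut down from a session.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRemoteShutdownPrivilege =
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
"""

WELL_KNOWN = {  # built-in group SIDs; others are reported as raw SIDs
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-551": "Backup Operators",
    "S-1-5-32-555": "Remote Desktop Users",
}

def parse_rights(inf_text):
    """Return {right: set of SIDs or names} from [Privilege Rights]."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str  # keep the case of the SeXxx constant names
    cp.read_string(inf_text)
    return {right: {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
            for right, value in cp.items("Privilege Rights")}

def shutdown_paths(rights):
    """Map each principal to the shutdown paths its direct assignments allow.
    Group nesting is not expanded, so treat the result as a lower bound."""
    local = rights.get("SeShutdownPrivilege", set())          # Shut down the system
    remote = rights.get("SeRemoteShutdownPrivilege", set())   # Force shutdown from a remote system
    logon = (rights.get("SeInteractiveLogonRight", set())
             | rights.get("SeRemoteInteractiveLogonRight", set()))
    report = {}
    for sid in sorted(local | remote):
        paths = []
        if sid in local and sid in logon:
            paths.append("in-session (console or Terminal Services)")
        if sid in remote:
            paths.append("over the network (shutdown /m, WMI)")
        report[WELL_KNOWN.get(sid, sid)] = paths
    return report

if __name__ == "__main__":
    for who, paths in shutdown_paths(parse_rights(SAMPLE_INF)).items():
        print(who, "->", ", ".join(paths) or "none")
```

With the sample data the remote right is empty, and Administrators and Backup Operators still show the in-session path, which matches what the original poster observed over Terminal Services.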








  #10 (permalink)  
Old October 18th 06, 09:42 PM posted to microsoft.public.security,microsoft.public.win2000.security,microsoft.public.windows.server.security,microsoft.public.windows.vista.security
Guest
 
Posts: n/a
Default "Force shutdown from a remote system"

So, what exactly is the point of this policy, it doesn't really seem to do
anything.


"Roger Abell [MVP]" wrote in message
...
No.

shutdown.exe is just a little exe MS made available at one time that has
stuck.

I have spent a little time trying to see whether I can find a statement as
to just exactly what APIs, what providers, what namespace classes' methods
are covered by this setting.

However, all that I have found just says, as this from the W2k3 Security
Guide:
quote
This policy setting determines whether users can shut down computers from
remote locations on the network. Any user who can shut down a computer
could cause a DoS condition. Therefore, this user right should be tightly
restricted.

/quote

In other words, the statements I have seen just make the unconditional
statement that this allows use of remote means for shutdown, from which it
seems that all available ways are wired to obey this right.

I know that when I use WMI it is a requirement that one specify the
shutdown right when initially instancing the objects one uses (and of
course this explicit request is only honored if it is granted to the
account in use) because otherwise this is not enabled on the object
obtained even when allowed to the account used.



- wrote in message ...
But, in terms of the _method_ of shutdown, the shutdown.exe command is
the only method this policy addresses?


"Roger Abell [MVP]" wrote in message
...
"James Saveker" wrote in message
...
I think you are referring to a GP setting and this can override someone
with local admin privs on a box from executing a remote shut down with
the "shutdown" command.

e.g.

shutdown /s /m \\jimbo /c "I am being annoying and shutting down Jimbo's workstation"


Ummm . . . no, this user right grants that capability,
not denies it, so it certainly cannot be used to prevent
an account from using their capabilities.

- wrote in message ...
What do they really mean by this? I was able to shut down a server
with no users having this user right, using terminal services. I took
everyone out of this user right, and I refreshed the policy then
connected to the server via terminal services, and proceeded to shut
it down, no problem. What kind of tool does this policy expect the
remote user is going to be using to accomplish the shutdown? 'Cuz it
sure ain't terminal services.

Any ideas appreciated.










 



