Remove shutdown but allow restart via Group Policy

27 Jul

I’ve noticed that all my users are all very green and keep turning their PC’s off. That’s great and all except the windows updates, virus scans etc. are all scheduled to run at night. So, if the PC is off, this never runs, or worse it runs when they turn it on in the morning and slows them down.

So, there were a few options I had to set. Firstly was to remove the shutdown option before users have logged on, this is here:

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

Shutdown: Allow system to be shut down without having to log on : Disabled

With that done, next I had to remove the option from the start menu once the user is logged in. In older GP’s there was an option to remove the ‘shutdown’ option (see here http://www.petri.co.il/forums/showthread.php?t=11454) but in 2008 the only option available is called:

Remove and prevent access to the Shut Down, restart, Sleep and Hibernate commands

This option can be found here:

User Configuration > Policies > Administrative Templates > Start Menu and Taskbar

Now, this wasn’t quite what I wanted as I still wanted them to be able to restart their PC without me having to VNC in to do it or call it remotely, so I decided to write a batch file that would perform a restart and copy it to the local machines via the GP.

The script, ‘restart.bat’ contains:

shutdown -r -t 10 -f -m 127.0.0.1 -c “This PC will restart in 10 seconds.”

I also created an icon (restart.ico, make a 32×32 bmp and just rename it to .ico) and used to the GP to copy both of these files to the local machine (in the same way that the wallpaper and screensaver are copied over). I then used the GP to create a new shortcut which would be placed in the Start menu and would allow the users to restart their PC.

Information on calling the shutdown command can be found here.

I also added another icon to run the script ‘gpupdate /force /boot’ and ‘Wuauclt /detectnow’, so if a user hasn’t got the latest software and windows updates, they can force it by clicking that.

Sorted.