none
Disabling Shutdown for Only Remote Desktop Users on Windows 10 Anniversary Edition (Remote Interactive Logon vs INTERACTIVE)

    Question

  • Hello,

    I'd like to disable the shutdown/restart buttons on Windows 10 Anniversary Enterprise workstations while employees are logged in via RDP. We have a number of people who connect to their PCs remotely, and accidentally hit the shutdown button requiring a manual startup of the PC in the office.

    However, when actually at the desk we want them to be able to shut down their PCs when logged in locally. I see that by doing a whoami /groups that remote desktop users are a member of 'Remote Interactive Logon' group and the INTERACTIVE group, and users logged on directly to the console session of the machine (at the keyboard) are listed as INTERACTIVE

    Is there any way to filter between INTERACTIVE and Remote Interactive Logon groups? Is there any way to allow shutdown for users seated at the workstation but not when logged in remotely?

    Windows 7 seems to work this way out of the box.

    Is there something I am missing here?

    Desired Settings by User:

    • Underprivileged User #1 via RDP: Disconnect, Log Off (Can't Shutdown)
    • Underprivileged User #1 Logged In at Workstation: Disconnect, Restart, Shutdown, etc (Full Control)
    • Administrator via RDP: Disconnect, Restart, Shutdown, etc (Full Control)
    • Administrator Logged in at workstation: Disconnect, Restart, Shutdown, etc (Full Control)

    Thanks!

    Wednesday, January 11, 2017 12:59 AM

All replies

  • > Is there any way to filter between INTERACTIVE and Remote Interactive Logon groups? Is there any way to allow shutdown for users seated at the workstation but not when logged in remotely?
     
    There's more than one way to skin a cat - always :-)
     
    > Windows 7 seems to work this way out of the box.
     
    Yes, but it's quite cumbersome if you want to restart Win7 that you have to run shutdown -r instead of simply clicking a button. That's why this was changed.
     
    http://gpsearch.azurewebsites.net/#4635 - take this registry value and deploy it through Group Policy Preferences Registry. Add Item Level Targeting, Security Group - User is a member of. And check "remove if no longer applied".
     
    Wednesday, January 11, 2017 12:26 PM
  • Hi,

    Is there any way to filter between INTERACTIVE and Remote Interactive Logon groups? Is there any way to allow shutdown for users seated at the workstation but not when logged in remotely?

    Windows 7 seems to work this way out of the box.

    Is there something I am missing here?

    Desired Settings by User:

    • Underprivileged User #1 via RDP: Disconnect, Log Off (Can't Shutdown)
    • Underprivileged User #1 Logged In at Workstation: Disconnect, Restart, Shutdown, etc (Full Control)
    • Administrator via RDP: Disconnect, Restart, Shutdown, etc (Full Control)
    • Administrator Logged in at workstation: Disconnect, Restart, Shutdown, etc (Full Control)

    >>>On Windows 7, the RDP use only have disconnect and sign out.

    But on Windows 10, I suggest you create user, and give the user logon through remote desktop service permission. But remove it from shutdown the system setting.

    Here is an article below for your reference.

    http://www.ihatetheory.com/how-to-disable-the-shutdownreboot-privilege-for-rdp-user

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, January 11, 2017 2:19 PM
    Moderator
  • Hi,

    Are there any updates?

    If the reply above has resolved your problem, please mark it as answer as it would be helpful to anyone who encounters the similar issue.

    Thank you.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 23, 2017 6:24 AM
    Moderator
  • Hi,

    Are there any feedbacks?

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, February 02, 2017 12:03 PM
    Moderator