~mjorgensen/jrgnsn.net

0cfc01ee2faf7f52a93977b4624a541783a4f61e — Matthew Jorgensen 9 months ago 70901f7
New blog post + images!

"Prevent Access to Shut Down Commands Except on my VMs"
A _posts/2019-10-25-Prevent-Access-to-Shut-Down-Commands-Except-on-my-VMs.md => _posts/2019-10-25-Prevent-Access-to-Shut-Down-Commands-Except-on-my-VMs.md +54 -0
@@ 0,0 1,54 @@
---
layout: post
title: "Remove and Prevent Access to Shut Down Commands Except on my
VMs"
---

I would do anything in my power to prevent the accidental shutdown of a
critical server. Unfortunately, Windows makes it *really easy* to
accidentally shut down a computer.

![Windows Start Menu - With Shut Down Commands Available](/content/2019-10-25/with_shutdown_commands.png)

Once slip of the wrist would cause you to "Shut down" a machine instead
of "Sign out" of it. I'm not perfect, I've made that mistake before.

Originally we created a Group Policy Object to control this behavior.
It's pretty easy to set up. 

I created a GPO and named it **Disable Shut Down Option on Start Menu -
Servers**, because I only want to control this behavior on servers. I
still want my users to be able to shut down their workstations!

Edit that GPO and navigate to `User Configuration -> Policies ->
Administrative Templates -> Start Menu and Taskbar` and **Enable**
the item called *Remove and prevent access to the Shut Down, Restart,
Sleep, and Hibernate commands*.

Since this policy configures items in *User Configuration*, this GPO
**must** be linked in an OU that contains users.[^1]

Now this GPO doesn't distinguish between client and server OS versions
yet. To do that, we need to create a WMI Filter. Originally I called
this WMI Filer *Non-client OSes*. I renamed it after I added the query
to check if the machine in question is one of my VMs. Since my VMs have
a standard naming convention, my **two** WMI queries looked like this:

```
SELECT Name FROM Win32_OperatingSystem WHERE ProductType > 1
SELECT Name FROM Win32_ComputerSystem WHERE NOT Name LIKE 'MLJ-VM%'
```

Based on my research, it's my understanding that GPO treats multiple
queries like this with an `AND` operator. So if the machine is in fact a
server, but the name starts with "`MLJ-VM`": well, `True AND False` is
False, so the GPO would not apply. The result on my server-OS VMs is
exactly what I want[^2]:

![Windows Start Menu - Without Shut Down Commands Available](/content/2019-10-25/without_shutdown_commands.png)

Of course, you could remove the second query to apply this policy to all
non-Client operating systems.

[^1]: This *can be* the apex of your domain.
[^2]: No I don't use Internet Explorer for real, are you high?
\ No newline at end of file

A content/2019-10-25/with_shutdown_commands.png => content/2019-10-25/with_shutdown_commands.png +0 -0

A content/2019-10-25/without_shutdown_commands.png => content/2019-10-25/without_shutdown_commands.png +0 -0