Who can shutdown your servers?
Have you accidentally shut down a server or your own workstation? While you meant to just reboot, that device is now shutting down. It is even worse if it was a physical machine – at a remote location.
Not that I’m speaking from personal experience or anything…
Your task today is to prevent accidental shutdowns for your important machines. Let’s control who can shut down the system, using Group Policy1.
Often, every user that can log on interactively to a server also has permission to shut that server down. Open gpedit.msc on a server and browse to Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. If you have any shared client machines (such as a jump machine/management VM), you will see Users listed. On a server OS, you won’t see Users listed by default. But ask yourself, do you really trust all of your administrators not to hit the wrong button? 🙂
Don’t edit the local computer policy. First, decide what accounts should have access to shut down2 a server. I limit this to the domain admin account, elevated admin accounts, and a few service accounts. Add these users to a security group named something like Security – URA – Shut down the system
Next, make your changes in the Group Policy Management Console. There are two common approaches to take. Either:
- Create a new GPO named something like Security – URA – Shut down the system ; edit the setting pictured above, and link it to your servers / domain controllers OU.
- Edit an existing general server GPO to restrict the shutdown permissions. If you do this route, make sure any server OUs with blocked inheritance and your domain controller OU is included.
Either way, be sure to comment why these changes were made, who made them, and when they were made. That is all that you need to do! With accidental shutdowns stopped, you won’t have to make the drive of shame to turn on that remote server.3