I tried one API for windows which is not doing exactly the same but it
just restrict the shutdown (i have a utility which is cancelling the
shutdown by asking user, You want shutdown or not ? yes/no like this)
, but it will restrict the restart too , so we can create the app
again using same API and ask it to check the command line parameter if
/restart then restart otherwise don't do any thing just cancel the
shutdown from shutdown button any utitly or from any other option.
But still anybody can shutdown by pulling the power cable from the PC
as said above.
On Fri, 29 Oct 2004 11:56:29 -0400, Beauford, Jason
<jbeauford (at) eightinonepet (dot) com [email concealed]> wrote:
> Not to sound critical, but it seem rather pointless. If the user wants
> to shutdown the computer, they can hit the button or pull the plug.
>
> Picture this scenario:
>
> You've done your research, you've implemented the work around. Now
> you're ready to deploy the latest and greatest patch/.dat
> file/what-have-you. You expect everyone to leave their PC's on so you
> can do your work afterhours.
>
> What you don't know is that "Joe" user had a problem with OUTLOOK
> crashing and decided that he would deal with it the next day. But he
> figures he'll reboot before he leaves. He hits the Reboot button,
> flicks off his monitor and is out the door, EXPECTING his PC to restart
> and be operational for tomorrows work day. But it doesn't. His OUTLOOK
> Crashing is the result of some virus which has now infected the OS
> beyond repair and the PC wont boot. Rendering your WORKAROUND and
> deployment useless for that particular unit.
>
> While this is made up, it can easily be imagined. Also, if this one PC
> was infected and on a LAN, who's to say that the others are not
> infected. If they are, those users may follow in "JOE"'s footsteps,
> reboot and leave. And those PC's may not restart.
>
> I am trying to demonstrate the flaw in the reasoning here.
>
> Rather than spending time with GPO's it might prove more beneficial to
> EDUCATE your end users. Explain to them exactly what you are trying to
> do and the proper procedures they must follow. Explain that their
> cooperation if vital to the security and integrity of the network. If
> you make the end users feel that what they are doing is important, then
> they feel important and that makes them feel good. That tends to lead
> to the desired behavior.
>
> Also..with regards to rebooting to resolve issues. On a WIN95/WIN98
> network sure, I can see this as a good solution, but in a Win2000/WinXP
> (it's been MY experience that) it should SPARSELY be the case that the
> user needs to reboot to resolve the issue. Most issues with these OS's
> can be resolved while the PC is on and operational.
> If they REBOOT the PC to resolve some issue, who's to say that will
> ACTUALLY start back up again. Maybe the HD is going, or the OS is
> corrupt/infected/whatever. If they are rebooting, then there is a
> problem. The problem should be addressed by methods other than
> rebooting. So after all of your research, even if you do find a GPO or
> some REG Tweak to disable SHUTDOWN and enable RESTART, you CANNOT
> guarantee that the PC will actually come up.
>
> My $.02
>
> - JMB
>
>
>
>
> -----Original Message-----
> From: Nathaniel Hall [mailto:halln (at) otc (dot) edu [email concealed]]
> Sent: Thursday, October 28, 2004 8:03 PM
> To: Houpt, Dani; focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: Re: Remove "Shutdown" command from w2k PCs but enable restart
>
> You could have the systems wake up using Wake On LAN this is built into
> most new systems (except laptops). There are many batch files that can
> do this with a program called wol.exe.
>
> Nathaniel Hall, GSEC
> Intrusion Detection and Firewall Technician
> Ozarks Technical Community College -- Office of Computer Networking
>
> halln (at) otc (dot) edu [email concealed]
> 417-799-0552
>
> Houpt, Dani wrote:
>
> >We have a Windows 2000 AD environment and want to restrict our PC users
> >from shutting off their PCs so we can send out OS/AV patches at night.
>
> >We created a GPO to do this but it also blocks them from restarting.
> >
> >Many times, issues on PCs are resolved even before the users call the
> >helpdesk by rebooting, so we don't want to remove that ability from
> >them.
> >
> >Does anyone know a way that we can remove "Shutdown" while still allow
> >"Restart"?
> >
> >I opened a case with MS about this and the rep said that he didn't
> >think that it could be done.
> >
> >Thanks,
> >-Dani
> >INDEPENDENCE COMMUNITY BANK CONFIDENTIALITY NOTICE: This message
> >(and any attachment) is confidential and
> >intended for the sole use of the individual or entity to which it is
> addressed. If you are
> >not the intended recipient, you must not review, retransmit, convert to
> hard-copy,
> >copy, use or disseminate this email or any of its attachments. If you
> received this email
> >in error, please notify the sender immediately and delete it. This
> notice is automatically
> >appended to all Internet email.
> >
> >
> >-----------------------------------------------------------------------
just restrict the shutdown (i have a utility which is cancelling the
shutdown by asking user, You want shutdown or not ? yes/no like this)
, but it will restrict the restart too , so we can create the app
again using same API and ask it to check the command line parameter if
/restart then restart otherwise don't do any thing just cancel the
shutdown from shutdown button any utitly or from any other option.
But still anybody can shutdown by pulling the power cable from the PC
as said above.
On Fri, 29 Oct 2004 11:56:29 -0400, Beauford, Jason
<jbeauford (at) eightinonepet (dot) com [email concealed]> wrote:
> Not to sound critical, but it seem rather pointless. If the user wants
> to shutdown the computer, they can hit the button or pull the plug.
>
> Picture this scenario:
>
> You've done your research, you've implemented the work around. Now
> you're ready to deploy the latest and greatest patch/.dat
> file/what-have-you. You expect everyone to leave their PC's on so you
> can do your work afterhours.
>
> What you don't know is that "Joe" user had a problem with OUTLOOK
> crashing and decided that he would deal with it the next day. But he
> figures he'll reboot before he leaves. He hits the Reboot button,
> flicks off his monitor and is out the door, EXPECTING his PC to restart
> and be operational for tomorrows work day. But it doesn't. His OUTLOOK
> Crashing is the result of some virus which has now infected the OS
> beyond repair and the PC wont boot. Rendering your WORKAROUND and
> deployment useless for that particular unit.
>
> While this is made up, it can easily be imagined. Also, if this one PC
> was infected and on a LAN, who's to say that the others are not
> infected. If they are, those users may follow in "JOE"'s footsteps,
> reboot and leave. And those PC's may not restart.
>
> I am trying to demonstrate the flaw in the reasoning here.
>
> Rather than spending time with GPO's it might prove more beneficial to
> EDUCATE your end users. Explain to them exactly what you are trying to
> do and the proper procedures they must follow. Explain that their
> cooperation if vital to the security and integrity of the network. If
> you make the end users feel that what they are doing is important, then
> they feel important and that makes them feel good. That tends to lead
> to the desired behavior.
>
> Also..with regards to rebooting to resolve issues. On a WIN95/WIN98
> network sure, I can see this as a good solution, but in a Win2000/WinXP
> (it's been MY experience that) it should SPARSELY be the case that the
> user needs to reboot to resolve the issue. Most issues with these OS's
> can be resolved while the PC is on and operational.
> If they REBOOT the PC to resolve some issue, who's to say that will
> ACTUALLY start back up again. Maybe the HD is going, or the OS is
> corrupt/infected/whatever. If they are rebooting, then there is a
> problem. The problem should be addressed by methods other than
> rebooting. So after all of your research, even if you do find a GPO or
> some REG Tweak to disable SHUTDOWN and enable RESTART, you CANNOT
> guarantee that the PC will actually come up.
>
> My $.02
>
> - JMB
>
>
>
>
> -----Original Message-----
> From: Nathaniel Hall [mailto:halln (at) otc (dot) edu [email concealed]]
> Sent: Thursday, October 28, 2004 8:03 PM
> To: Houpt, Dani; focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: Re: Remove "Shutdown" command from w2k PCs but enable restart
>
> You could have the systems wake up using Wake On LAN this is built into
> most new systems (except laptops). There are many batch files that can
> do this with a program called wol.exe.
>
> Nathaniel Hall, GSEC
> Intrusion Detection and Firewall Technician
> Ozarks Technical Community College -- Office of Computer Networking
>
> halln (at) otc (dot) edu [email concealed]
> 417-799-0552
>
> Houpt, Dani wrote:
>
> >We have a Windows 2000 AD environment and want to restrict our PC users
> >from shutting off their PCs so we can send out OS/AV patches at night.
>
> >We created a GPO to do this but it also blocks them from restarting.
> >
> >Many times, issues on PCs are resolved even before the users call the
> >helpdesk by rebooting, so we don't want to remove that ability from
> >them.
> >
> >Does anyone know a way that we can remove "Shutdown" while still allow
> >"Restart"?
> >
> >I opened a case with MS about this and the rep said that he didn't
> >think that it could be done.
> >
> >Thanks,
> >-Dani
> >INDEPENDENCE COMMUNITY BANK CONFIDENTIALITY NOTICE: This message
> >(and any attachment) is confidential and
> >intended for the sole use of the individual or entity to which it is
> addressed. If you are
> >not the intended recipient, you must not review, retransmit, convert to
> hard-copy,
> >copy, use or disseminate this email or any of its attachments. If you
> received this email
> >in error, please notify the sender immediately and delete it. This
> notice is automatically
> >appended to all Internet email.
> >
> >
> >-----------------------------------------------------------------------
> >----
> >-----------------------------------------------------------------------
> ----
> >
> >
> >
>
> ------------------------------------------------------------------------
> ---
> ------------------------------------------------------------------------
> ---
>
>
> ------------------------------------------------------------------------
---
> ------------------------------------------------------------------------
---
>
>
--
God is a great Programmer
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
[ reply ]