

The “shutdown without logon” policy behaves differently on Windows Server 2012

Here I just want to show a behavior difference between Windows Server 2008 R2 (or R2 SP1) and Windows Server 2012, and ask whether you would prefer to get the 2008 R2 behavior back or keep the new WS 2012 one.

The feature we want to achieve is:
- allow a datacenter technician to reboot or shut down a server without logging in, through either physical access or KVM access,
and
- prevent an end user from rebooting or shutting down a server without logging in, from an RDP session.

We use the following local policy, set with gpedit.msc: “Shutdown: Allow system to be shut down without having to log on”, which is located at Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
Local Group Policy Editor on WS 2008 R2

The images below show the RDP view of the logon console, first with the policy disabled and then with it enabled, followed by the equivalent KVM views:

Windows Server 2008 R2 | Windows Server 2012
RDP with “shutdown without logon” disabled (default): similar on 2008 R2 and 2012
RDP on WS 2008 R2 - logon screen - GP not applied | RDP on WS 2012 - logon screen - GP not applied
RDP with “shutdown without logon” enabled: here is the problem, the shutdown button appears in the RDP session on WS 2012!
RDP on WS 2008 R2 - logon screen - GP applied | RDP on WS 2012 - logon screen - GP applied
KVM with “shutdown without logon” disabled (default): similar on 2008 R2 and 2012
KVM on WS 2008 R2 - logon screen - GP not applied | KVM on WS 2012 - logon screen - GP not applied
KVM with “shutdown without logon” enabled: similar on 2008 R2 and 2012
KVM on WS 2008 R2 - logon screen - GP applied | KVM on WS 2012 - logon screen - GP applied
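
To check whether a given server is in the problem state from the comparison (policy enabled, RDP accepted, WS 2012), the following PowerShell check can be run locally. It is an added example, not part of the original post: the function name is hypothetical, and the registry values ShutdownWithoutLogon and fDenyTSConnections are the standard Windows locations behind the policy and the Remote Desktop switch, which the post itself does not name.

```powershell
# Added example, not from the original post. Uses only Windows PowerShell 2.0
# features so it also runs on WS 2008 R2.
function Get-ShutdownWithoutLogonExposure {   # hypothetical name
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # ShutdownWithoutLogon backs the policy: 1 = enabled, 0 = disabled.
    $p = Get-ItemProperty -Path $policyKey -Name ShutdownWithoutLogon -ErrorAction SilentlyContinue
    $policyEnabled = ($null -ne $p) -and ($p.ShutdownWithoutLogon -eq 1)

    # fDenyTSConnections: 0 = RDP connections accepted, 1 = refused.
    $t = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $rdpEnabled = ($null -ne $t) -and ($t.fDenyTSConnections -eq 0)

    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = [version]$os.Version

    # Only the two releases compared in the post are classified:
    # 6.1 = Windows Server 2008 R2, 6.2 = Windows Server 2012.
    if (-not $policyEnabled) {
        $rdpButton = 'hidden (policy disabled)'
    } else {
        $rdpButton = switch ("$($ver.Major).$($ver.Minor)") {
            '6.1'   { 'hidden over RDP (2008 R2 behavior in the post)' }
            '6.2'   { 'shown over RDP (2012 behavior in the post)' }
            default { 'not covered by the post' }
        }
    }

    # The state the post flags: policy on, RDP accepted, WS 2012.
    $exposed = $policyEnabled -and $rdpEnabled -and
               ($ver.Major -eq 6) -and ($ver.Minor -eq 2)

    New-Object PSObject -Property @{
        ComputerName         = $env:COMPUTERNAME
        OSVersion            = $os.Version
        PolicyEnabled        = $policyEnabled
        RdpEnabled           = $rdpEnabled
        ButtonOnRdpLogon     = $rdpButton
        ShutdownFromRdpLogon = $exposed
    }
}

Get-ShutdownWithoutLogonExposure | Format-List
```

A missing ShutdownWithoutLogon value is reported as disabled, which matches the default shown in the comparison.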

Comments?

PS: credits to online for providing ad-hoc servers and KVMs, and to OVH for reporting the issue first-hand.

Comments

  • Anonymous
    May 04, 2014
    THANKS for the comparison and this huge hint!