How to shutdown domain users client computers with Group Policy

Some organizations require users to shut down their computers at the end of the business day. But what happens if a user shuts down a system that is still needed? Luckily, we can create a Group Policy Object (GPO) to control this. We are going to add a policy that only allows the management staff to power off production computers.

  1. Log on to the Windows Server 2012 Active Directory domain controller with the Enterprise Admin or Domain Admin account.
  2. If not already started, initialize the Server Manager window from the bottom left corner of the screen.
  3. On the opened Server Manager window, go to the Tools menu from the menu bar.
  4. From the displayed list, click Group Policy Management.
  5. On the opened Group Policy Management console, from the left pane, expand Forest > Domains, and then expand the domain name (MYDOMAIN.COM for this demonstration).
  6. From the expanded list, right-click the domain name or the target OU, users of which you want to keep from shutting down the domain client computers on their own.
  7. From the displayed context menu, click the Create a GPO in this domain, and Link it here
  8. On the opened New GPO box, specify a self-explanatory name for the GPO in the Name
  9. From the Source Starter GPO drop-down list, choose a starter GPO of your choice if you have created any.
  10. Once done, click OK to create and link the new GPO to the target domain or OU.
  11. Once this is done, right-click the newly created GPO.
  12. From the displayed context menu, click Edit.
  13. On the opened Group Policy Object Editor snap-in, from the left pane, under Computer Configuration, locate and select Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
  14. Once selected, from the right pane, double-click the Shut down the system
  15. On the opened Shut down the system Properties box, check Define these policy settings
  16. Click the enabled Add User or Group button and add the domain users or groups that you want to allow to shut down the client computers (Domain Admins and Enterprise Admins for this demonstration). Note: Only the users and groups added to this list will be able to shut down the system. All other users and groups will automatically be prevented from shutting down the domain client computers as soon as the policy applies.
  17. Back on the Shut down the system Properties box, click OK.
  18. Close the Group Policy Object Editor snap-in.
  19. Press the Windows + R keys simultaneously to open the Run command box.
  20. In the available field in the Run command box, type the GPUPDATE /FORCE command and press the Enter key to update the group policy settings.
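
To confirm on a client that the policy took effect, the following added example (not part of the original article) exports the effective user rights with secedit and resolves the accounts holding SeShutdownPrivilege, the privilege constant behind Shut down the system. Run it in an elevated PowerShell session; the temporary file path is an assumption.

```powershell
# Added example: list who holds "Shut down the system" on this computer.
# Run elevated on a domain client after gpupdate has applied the GPO.
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # temporary export path (assumption)

# Export only the User Rights Assignment area of the effective security policy.
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null

# The export holds a line such as: SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-...
$line = Select-String -Path $cfg -Pattern '^SeShutdownPrivilege\s*=' |
        Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Warning 'SeShutdownPrivilege is not assigned to anyone on this computer.'
    return
}

$holders = ($line.Line -split '=', 2)[1].Split(',') |
    Where-Object { $_.Trim() } |
    ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Entries prefixed with * are SIDs; resolve them to account names.
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }   # unresolvable SID: show it raw
        } else {
            $entry                 # already an account name
        }
    }

$holders | Sort-Object
```

The output should list only the groups added in step 16. If other accounts still appear, the GPO has not yet applied to that computer.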

How to disable USB devices using Group Policy

Everyone owns one or more USB devices. USB connections are typically used to plug devices such as mice, keyboards, scanners, mobile phones, external hard drives, printers, and more into your computer. When you connect a device to your computer, it automatically identifies the device and installs the driver for it. USB devices are portable and pose a very high security threat. Some organizations do not allow USB devices for this reason. Here are the steps to do that for your organization using Group Policy.

We will be starting with a Windows Server 2012 R2 domain controller and a client that is running Windows 7 Professional. The group policy to disable USB devices will be created on the domain controller, and then applied to the OU containing the users' computers.

1. Launch the Group Policy Management tool on the domain controller.


2. Right click Group Policy Objects and click New.

a. Name the group policy Block USB Devices, and click OK.


3. Right click on the new policy and click Edit.

4. The Group Policy Management Editor window appears. Navigate to Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access.

5. Now on the right pane you will see a list of Removable Storage Access devices. We will be disabling all of them. Find the All Removable Storage classes: Deny all access setting, right click on it, and click Edit.

6. If you enable this policy, it will block access to any removable storage device that may get connected to the computer. Click Enabled, always leave a note for the next person, and click OK when done.


Now we have created the policy to deny access to the USB devices. The next step is to link the GPO to the OU. For this I created an OU called Block USB Devices.

7. Once you have closed the Group Policy Management Editor, it will bring you back to Group Policy Management. Here you will want to pick the OU with the computers on which you want USB devices disabled. Right click on the OU and click Link an Existing GPO.

8. The Select GPO dialog will appear. From the list of GPOs, select the policy Block USB Devices, and click OK.

9. You can manually go to each computer and type gpupdate /force, or you can wait 90 min for the system to do it automatically. The automatic update could take up to 45 days, but this allows you to warn the clients beforehand.

10. Once the GPO has been updated, you can test whether everything worked by connecting a USB device to the computer. If you receive a message like this, you have successfully created a policy to disable USB devices.
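
The same GPO can be built without the console. This is an added example, not part of the original article: it uses the GroupPolicy PowerShell module to create the GPO, write the registry value behind All Removable Storage classes: Deny all access, and link it to the OU. The OU distinguished name is an assumption built from the OU and domain names used above.

```powershell
# Added example: scripted equivalent of steps 1-8. Run on the domain controller
# (or a machine with RSAT installed) as a Domain Admin.
Import-Module GroupPolicy

$gpoName = 'Block USB Devices'
$ouDn    = 'OU=Block USB Devices,DC=mydomain,DC=com'   # assumed DN, adjust to your domain
# Registry location written by "All Removable Storage classes: Deny all access".
$key     = 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices'

# Steps 2-6: create the GPO (with a comment for the next person) and enable the setting.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Denies all access to removable storage classes.'
}
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'Deny_All' -Type DWord -Value 1 |
    Out-Null

# Steps 7-8: link the GPO to the OU unless it is already linked there.
$linked = (Get-GPInheritance -Target $ouDn).GpoLinks |
          Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# Check what the GPO will deliver to clients.
Get-GPRegistryValue -Name $gpoName -Key $key -ValueName 'Deny_All' |
    Select-Object FullKeyPath, ValueName, Value
```

After gpupdate has run on a client, the same Deny_All value set to 1 under HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices in that client's registry confirms the policy arrived.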