Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase 12»»

disable shutdown button Expand / Collapse
Author
Message
Posted Tuesday, December 2, 2008 4:48 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Tuesday, July 2, 2013 1:58 AM
Points: 2, Visits: 17
Hi all,

For BI I want read-only permissions on all sqlserver databases on a server. We will get this done. The problem is however that I have right to (accidentelly) shut down the server. Our DBA doesnot know how to disable that. In other words: when I am logged in on the server with databases I should not be able to push the 'Shutdown' button (after clicking the startbutton in Windows), but only the logoff-button. Does anyone know how we can do this???
Post #611957
Posted Tuesday, December 2, 2008 4:53 AM
SSCrazy

SSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazy

Group: General Forum Members
Last Login: Friday, May 30, 2014 6:27 PM
Points: 2,808, Visits: 7,175
Whay are you connecting diretly to the server, rather than using SSMS from your client machine?
Post #611961
Posted Tuesday, December 2, 2008 5:05 AM


SSC-Insane

SSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-Insane

Group: General Forum Members
Last Login: Today @ 11:14 AM
Points: 21,385, Visits: 9,603
Another point is "how dumb does the dba think you are"?

I mean if you are trusted with maintaining the system, the data and full access to the core of the business engine, then they must assume you can handle NOT SHUTTING it down.


Also it's a good point about SSMS, I rarely if ever need to RDP directly on the server itself, except to change permissions to some local users or stuff like that. It happens rarely to never.
Post #611965
Posted Tuesday, December 2, 2008 5:23 AM


SSCrazy

SSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazy

Group: General Forum Members
Last Login: Today @ 1:19 AM
Points: 2,684, Visits: 2,433
You can do this by amending the Local Policy.

Obviously only do this if you are comfortable using the Policy Editor

Start - > Run - > gpedit.msc

navigate to User Configuration - Administrative Templates - Start Menu and Taskbar.

In here edit the setting 'Remove and prevent access to the Shut Down command' and set it to 'Enabled'.

This will also stop alt-F4 being used too.

You will still be able to issue the shutdown command via cmd




Kev
Post #611977
Posted Tuesday, December 2, 2008 7:40 AM


Ten Centuries

Ten CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen Centuries

Group: General Forum Members
Last Login: Tuesday, March 4, 2014 10:03 AM
Points: 1,106, Visits: 1,334
Dont really understand why your putting this popst in a SQL Admin forum?

What is your role, am gonna assume third line or applications support. That being the case, it frankly non of the dba's business. He's reponsible for database engine NOT global policy. Thats generally set out by the IT usage policy.


Adam Zacks

-------------------------------------------

Be Nice, Or Leave
Post #612066
Posted Tuesday, December 2, 2008 7:45 AM


Ten Centuries

Ten CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen Centuries

Group: General Forum Members
Last Login: Tuesday, March 4, 2014 10:03 AM
Points: 1,106, Visits: 1,334
And in response to kevriley, I think you likely get in hot water for making changes to Local Security as it would effect all none admin users of that server which may be undesirable.

Any changes such as this really should be made through and Active Directory GP or Global Policy. Most importantly, if this doesnt make sence DONT DO IT!

You could quite easily turn something on or off or lock certain people/pragrams out and find yourself in even deeper.... umm... trouble.


Adam Zacks

-------------------------------------------

Be Nice, Or Leave
Post #612069
Posted Tuesday, December 2, 2008 7:54 AM


SSC-Forever

SSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-Forever

Group: General Forum Members
Last Login: Today @ 11:54 AM
Points: 42,466, Visits: 35,530
leonvr (12/2/2008)
For BI I want read-only permissions on all sqlserver databases on a server. We will get this done. The problem is however that I have right to (accidentelly) shut down the server.


Someone who just needs read-only permission on some databases should not have remote access to the server at all. That should be reserved only for the admins.




Gail Shaw
Microsoft Certified Master: SQL Server 2008, MVP
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass

Post #612075
Posted Tuesday, December 2, 2008 7:57 AM


SSCrazy

SSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazy

Group: General Forum Members
Last Login: Today @ 1:19 AM
Points: 2,684, Visits: 2,433
Schadenfreude-Mei (12/2/2008)
And in response to kevriley, I think you likely get in hot water for making changes to Local Security as it would effect all none admin users of that server which may be undesirable.


Exactly - I don't want anyone to 'accidently' shutdown my server, admin or non-admin! :D

The only person I trust is me. Even my SysAdmins won't touch the database servers without consulting me first - and that suits me fine. After all it's my neck on the line if the DB isn't there.......


Kev
Post #612082
Posted Tuesday, December 2, 2008 8:29 AM


Right there with Babe

Right there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with Babe

Group: General Forum Members
Last Login: Thursday, July 24, 2014 8:36 AM
Points: 772, Visits: 1,183
I use Remote Desktop quite often too, and in the back of my mind I have always feared 2 things
1. Hit Shutdown instead of Logoff (especially in Windows 2008, the Red button = Shutdown vs Windows 2003/2000)
2. Pick "Shut Down" instead of "Restart" if I want a Restart from the dropdown

I am not stupid, but everyone makes mistakes eventually .... :)
I try to not Remote Desktop if I can, but R.D. makes sense over VPN or for long-running queries


SQLServerNewbie

MCITP: Database Administrator SQL Server 2005
Post #612107
Posted Wednesday, December 3, 2008 4:03 AM
SSCrazy

SSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazy

Group: General Forum Members
Last Login: Today @ 9:52 AM
Points: 2,858, Visits: 3,184
This really does need to be controlled by your Windows Admin people using a GPO. There are Windows rights for 'Sutdown a server' and 'Remote shutdown a server' that need to be restricted.

IMHO, a DBA should have both these rights, but the general user community definitely should not have the rights.

Also, it is definitely poor practice for anyone to directly log on to a DB server to do any T-SQL related work. All SQL access should be done from a client machine. You should only log on to a DB server (either at the console or via RDP, etc) during troubleshooting when nothing else can do the job you need.


Original author: SQL Server FineBuild 1-click install and best practice configuration of SQL Server 2014, 2012, 2008 R2, 2008 and 2005. 28 July 2014: now over 30,000 downloads.
Disclaimer: All information provided is a personal opinion that may not match reality.
Concept: "Pizza Apartheid" - the discrimination that separates those who earn enough in one day to buy a pizza if they want one, from those who can not.
Post #612668
« Prev Topic | Next Topic »

Add to briefcase 12»»

Permissions Expand / Collapse