Click here to monitor SSC
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 


disable shutdown button


disable shutdown button

Author
Message
leonvr
leonvr
Forum Newbie
Forum Newbie (2 reputation)Forum Newbie (2 reputation)Forum Newbie (2 reputation)Forum Newbie (2 reputation)Forum Newbie (2 reputation)Forum Newbie (2 reputation)Forum Newbie (2 reputation)Forum Newbie (2 reputation)

Group: General Forum Members
Points: 2 Visits: 17
Hi all,

For BI I want read-only permissions on all sqlserver databases on a server. We will get this done. The problem is however that I have right to (accidentelly) shut down the server. Our DBA doesnot know how to disable that. In other words: when I am logged in on the server with databases I should not be able to push the 'Shutdown' button (after clicking the startbutton in Windows), but only the logoff-button. Does anyone know how we can do this???
steveb.
steveb.
Hall of Fame
Hall of Fame (3.3K reputation)Hall of Fame (3.3K reputation)Hall of Fame (3.3K reputation)Hall of Fame (3.3K reputation)Hall of Fame (3.3K reputation)Hall of Fame (3.3K reputation)Hall of Fame (3.3K reputation)Hall of Fame (3.3K reputation)

Group: General Forum Members
Points: 3260 Visits: 7195
Whay are you connecting diretly to the server, rather than using SSMS from your client machine?
Ninja's_RGR'us
Ninja's_RGR'us
SSC-Insane
SSC-Insane (22K reputation)SSC-Insane (22K reputation)SSC-Insane (22K reputation)SSC-Insane (22K reputation)SSC-Insane (22K reputation)SSC-Insane (22K reputation)SSC-Insane (22K reputation)SSC-Insane (22K reputation)

Group: General Forum Members
Points: 22843 Visits: 9671
Another point is "how dumb does the dba think you are"?

I mean if you are trusted with maintaining the system, the data and full access to the core of the business engine, then they must assume you can handle NOT SHUTTING it down.


Also it's a good point about SSMS, I rarely if ever need to RDP directly on the server itself, except to change permissions to some local users or stuff like that. It happens rarely to never.
kevriley
kevriley
SSCrazy
SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)

Group: General Forum Members
Points: 2811 Visits: 2606
You can do this by amending the Local Policy.

Obviously only do this if you are comfortable using the Policy Editor

Start - > Run - > gpedit.msc

navigate to User Configuration - Administrative Templates - Start Menu and Taskbar.

In here edit the setting 'Remove and prevent access to the Shut Down command' and set it to 'Enabled'.

This will also stop alt-F4 being used too.

You will still be able to issue the shutdown command via cmd




Kev
Schadenfreude-Mei
Schadenfreude-Mei
Ten Centuries
Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)

Group: General Forum Members
Points: 1235 Visits: 1336
Dont really understand why your putting this popst in a SQL Admin forum?

What is your role, am gonna assume third line or applications support. That being the case, it frankly non of the dba's business. He's reponsible for database engine NOT global policy. Thats generally set out by the IT usage policy.

Adam Zacks

-------------------------------------------

Be Nice, Or Leave
Schadenfreude-Mei
Schadenfreude-Mei
Ten Centuries
Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)

Group: General Forum Members
Points: 1235 Visits: 1336
And in response to kevriley, I think you likely get in hot water for making changes to Local Security as it would effect all none admin users of that server which may be undesirable.

Any changes such as this really should be made through and Active Directory GP or Global Policy. Most importantly, if this doesnt make sence DONT DO IT!

You could quite easily turn something on or off or lock certain people/pragrams out and find yourself in even deeper.... umm... trouble.

Adam Zacks

-------------------------------------------

Be Nice, Or Leave
GilaMonster
GilaMonster
SSC Guru
SSC Guru (58K reputation)SSC Guru (58K reputation)SSC Guru (58K reputation)SSC Guru (58K reputation)SSC Guru (58K reputation)SSC Guru (58K reputation)SSC Guru (58K reputation)SSC Guru (58K reputation)

Group: General Forum Members
Points: 58027 Visits: 44709
leonvr (12/2/2008)
For BI I want read-only permissions on all sqlserver databases on a server. We will get this done. The problem is however that I have right to (accidentelly) shut down the server.


Someone who just needs read-only permission on some databases should not have remote access to the server at all. That should be reserved only for the admins.

Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass


kevriley
kevriley
SSCrazy
SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)SSCrazy (2.8K reputation)

Group: General Forum Members
Points: 2811 Visits: 2606
Schadenfreude-Mei (12/2/2008)
And in response to kevriley, I think you likely get in hot water for making changes to Local Security as it would effect all none admin users of that server which may be undesirable.


Exactly - I don't want anyone to 'accidently' shutdown my server, admin or non-admin! BigGrin

The only person I trust is me. Even my SysAdmins won't touch the database servers without consulting me first - and that suits me fine. After all it's my neck on the line if the DB isn't there.......


Kev
Jerry Hung
Jerry Hung
SSC Eights!
SSC Eights! (966 reputation)SSC Eights! (966 reputation)SSC Eights! (966 reputation)SSC Eights! (966 reputation)SSC Eights! (966 reputation)SSC Eights! (966 reputation)SSC Eights! (966 reputation)SSC Eights! (966 reputation)

Group: General Forum Members
Points: 966 Visits: 1208
I use Remote Desktop quite often too, and in the back of my mind I have always feared 2 things
1. Hit Shutdown instead of Logoff (especially in Windows 2008, the Red button = Shutdown vs Windows 2003/2000)
2. Pick "Shut Down" instead of "Restart" if I want a Restart from the dropdown

I am not stupid, but everyone makes mistakes eventually .... Smile
I try to not Remote Desktop if I can, but R.D. makes sense over VPN or for long-running queries

SQLServerNewbie

MCITP: Database Administrator SQL Server 2005
EdVassie
EdVassie
Hall of Fame
Hall of Fame (3.8K reputation)Hall of Fame (3.8K reputation)Hall of Fame (3.8K reputation)Hall of Fame (3.8K reputation)Hall of Fame (3.8K reputation)Hall of Fame (3.8K reputation)Hall of Fame (3.8K reputation)Hall of Fame (3.8K reputation)

Group: General Forum Members
Points: 3810 Visits: 3829
This really does need to be controlled by your Windows Admin people using a GPO. There are Windows rights for 'Sutdown a server' and 'Remote shutdown a server' that need to be restricted.

IMHO, a DBA should have both these rights, but the general user community definitely should not have the rights.

Also, it is definitely poor practice for anyone to directly log on to a DB server to do any T-SQL related work. All SQL access should be done from a client machine. You should only log on to a DB server (either at the console or via RDP, etc) during troubleshooting when nothing else can do the job you need.

Original author: SQL Server FineBuild 1-click install and best practice configuration of SQL Server 2017 2016, 2014, 2012, 2008 R2, 2008 and 2005. 1 Dec 2016: now over 39,000 downloads.
Disclaimer: All information provided is a personal opinion that may not match reality.
Quote: "When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist." - Archbishop Hélder Câmara
Go


Permissions

You can't post new topics.
You can't post topic replies.
You can't post new polls.
You can't post replies to polls.
You can't edit your own topics.
You can't delete your own topics.
You can't edit other topics.
You can't delete other topics.
You can't edit your own posts.
You can't edit other posts.
You can't delete your own posts.
You can't delete other posts.
You can't post events.
You can't edit your own events.
You can't edit other events.
You can't delete your own events.
You can't delete other events.
You can't send private messages.
You can't send emails.
You can read topics.
You can't vote in polls.
You can't upload attachments.
You can download attachments.
You can't post HTML code.
You can't edit HTML code.
You can't post IFCode.
You can't post JavaScript.
You can post emoticons.
You can't post or upload images.

Select a forum

































































































































































SQLServerCentral


Search