[Bad boy Warrior]

I want to have 1 user who can only shutdown/ restart the server when required and NOTHING ELSE (not even run programs on the server. Any of you guys have ideas on what woud be the best approach on doing this or what type of user should i create?

thx

[valter]

any user, just assign him right for this through gpo

[Bad boy Warrior]

i did that but everytime ths user tries to access the server through RDP - it says it cant due to eprmissions. I dont want to assign admin righst as this would defeat the point.

thx

[jamesas]

you will have to assign the right for him to use rdp and be able to login and you also might want to apply a few gpos to block him from accessing any harddrives and so forth

[Bad boy Warrior]

i right clicked mstsc.exe and added the user that can shutdown the system but i had the exact same error? what did i do wrong?

thx

[Br4tt3]

do u get the error of:

"u r not allowed to logon interactively" (or something like that?) when u try to logon using rdp? in that case it is a matter of permission...

if you dont want the guy to logon to a server for example just to shut down the server.... add a service account that can do it for ya and then try to run within that security context from within a script for example.

vbscript would it for u, where u could hide the pwd and user that u r trying to connect with using crypto (.vbe) and distribute the script to the user or run it remotely... or place in scheduler maby, what do I know...

Hmm... something like this maby...

CODE <Begin> :

'*******************************************************************
' Purpose: Script for restarting a server (not DC)
' Author: Br4tt3
' Date: 2004-09-22
' Company: XXXXXXXXXXXXXXXXXXX
' Version: 0.1
'
' Requirement: Obtain RunAsPwd.exe (freeware) and place in system32.
' Also create an account with appropiate permission in correct
' OU structure. Must be run locally on machine. Remote exec
' not supported.
'*******************************************************************

Option Explicit

Const DomainAccount="ShutdwnAdmin@company.com"
Const DomainPassword="ShutdwnAdminpwd"

'*****************************************
' Adding User "ShutdwnAdmin" from AD to
' local Administrator group of computer.
'*****************************************

Dim objInfo, objGroup, objUser, strComputer

Set objInfo = CreateObject("ADSystemInfo")

strComputer = "."
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
Set objUser = GetObject("WinNT://" & objInfo.DomainShortName & "/ShutdwnAdmin,user")
objGroup.Add(objUser.ADsPath)

'***************************************************************
' Mark: Using RunAsPwd to run the .exe in another security context
' than logged on user. Obtain the .exe from inet as it is
' freeware.
'***************************************************************

Dim WshShell, objSys, WshNetwork, Command

Set WshShell = WScript.CreateObject("WScript.Shell")
Set objSys = CreateObject("ADSystemInfo")
Set WshNetwork = WScript.CreateObject("WScript.Network")

Command = "%WINDIR%\system32\runaspwd.exe -u:" & DomainAccount & " -p:" & DomainPassword & " -e:" & "%WINDIR%\system32\shutdown.exe -r"
WshShell.Run Command, 0, True

'***************************************
' Remove Global Account "ShutdwnAdmin"
' from local Administrators group
'***************************************

Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
Set objUser = GetObject("WinNT://" & objInfo.DomainShortName & "/ShutdwnAdmin,user")
objGroup.Remove(objUser.ADsPath)



Tried it once here, atleast the machine rebooted... hopes this can solve it for u..

[un4given1]

Just run this from a command prompt...

shutdown -i

It will give you a GUI shutdown program. Input the computer name to shutdown and there you go.