Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Script to automatically shutdown and restart a Windows XP computer on Domain - Permission Denied

Posted on 2005-03-11
12
Medium Priority
?
752 Views
Last Modified: 2011-10-03
I have a .bat batch file of these commands to shut down a lab of computers and a second batch file to restart them. I use the following command:
shutdown -s -m \\computername -t 0

This works very well since I am under the group "Domain Admins" because I have full power over the domain. I have teachers responsible for each computer lab, and I would appreciate them using the scripts too so they can close up shop at the end of the day. They try to run the script and get "Access Denied / Permission Denied" errors. They are part of the "users" group and do not have permission to shutdown computers remotely. How can I make it so they can remotely shutdown/restart comptuers and not give them admin priviledges? Also, they must not have priviledges to installs apps, so power users may be out too.

I abdolutely do not want to schedule the computers shutdown because there is no pattern in shutdown times.

thx
0
Comment
Question by:atkfrg56
  • 5
  • 5
  • 2
12 Comments
 
LVL 4

Assisted Solution

by:tmack
tmack earned 800 total points
ID: 13520752
set up a local policy to allow them the remote shutdown privilege..
0
 
LVL 35

Accepted Solution

by:
Nirmal Sharma earned 1200 total points
ID: 13523308
>>>This works very well since I am under the group "Domain Admins"

I assume you are running Domain Controller and they are member of Domain Controller..so you need to configure this right in Default Domain Policy and you do not need to setup local policy...if you set local policy and set anything in Default Domain Policy the settings will be overridden by Default Domain Policy. So better you set this in Default Domain Policy.

1. Create a group called "ShutDownGroup"
2. Add all members to this Group.
3. Open Active Directory Users And Computers
4. Right click on domain_name.com > Property > Group Policy > Click "Default Domain Policy" > Edit > and then navigate to the following location: -

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignments\ and then edit the following policy :-

"Shutdown the system" > add the group you created "ShutDownGroup".

5. Now Close it and return to Group Policy Tab.
6. goto Security Tab of Group Policy and then set the following permissions: -

Remove the following group: -
Authenticated Users.

Add the following group: -
ShutDownGroup.

Set the following permissions for this group: -

Read and Apply Group Policy.

7. Finally click Apply and ok.
8. Now restart your all client computers.

Now try they can shutdown it.

Let me know.

Thanks
SystmProg
0
 
LVL 2

Author Comment

by:atkfrg56
ID: 13524160
tmack ,
could you be more specific please...there are lots of group polices I could use. Could you locate the 'remote shutdown policy' for me please, I am unable to find it.

SystmProg ,
I gave your idea a shot before I posted because I found it in the ee archive relating to another issue. I found that this setting didnt changes any settings with remote shutdowns...but it did change the shutdown permissions for the user logged onto the computer locally. A user not in the shutdown group, such as anyone not in the 'teachers' group I used instead of 'shutdowngroup' could only 'log out' of the computers when they clicked on shutdown instead of 'restart, hibernate, standby, shutdown'. This even applied to the local administrator which is a local account and not on the domain.
I am going to follow your directions specifically when I get back to the office for another try though, I could have messed stuff up along the way.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 35

Assisted Solution

by:Nirmal Sharma
Nirmal Sharma earned 1200 total points
ID: 13524389
Ok give it a try and let me know.

You can also look at another tool which will assist you in creating the batch script and its absloutely free: -
To get this tool, point your browser to this link http://www.beyondlogic.org/consulting/remoteprocess/BeyondExec.htm 

Another freeware proggy also: -
http://www.beyondlogic.org/solutions/shutdown/shutdown.htm

I think there is one more command line switch you are missing 'shutdown -s -f -m \\computer'.

Let me know.

Thanks
SystmProg
0
 
LVL 2

Author Comment

by:atkfrg56
ID: 13538206
Hmm, I gave it another shot and it appears to have no effect on remote scripts, only controls local machine. This is really strange, because I cant think of a logical way to get it done via windows 1st party applications.
0
 
LVL 35

Assisted Solution

by:Nirmal Sharma
Nirmal Sharma earned 1200 total points
ID: 13563379
Does the group policy thing work?
0
 
LVL 2

Author Comment

by:atkfrg56
ID: 13573978
Naw, cant get the group policy method to work. My last post was explaining it.
0
 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 13581903
Hi,
Sorry for late response....Did you solve the problem?
0
 
LVL 2

Author Comment

by:atkfrg56
ID: 13600211
SystmProg,
I still cant get it to work. I will give you the points for your efforts when this closes...doubt anyone will get the solution.
thx
0
 
LVL 4

Assisted Solution

by:tmack
tmack earned 800 total points
ID: 13627151
this would be under your "local security setting"'s for the PC  and then go to "local policies" then "user rights assignments" and then "force shutdown from a remote system" add your users to that and you should be good to go.

T
0
 
LVL 2

Author Comment

by:atkfrg56
ID: 13683891
tmack,
I cannot get that option to work either. Instead of 'Access Denied' I get "not privilidged to use this command".



I gave up on this, and we now have an .asp script that a user logs in and the user has buttons to run pre-defined scripts on the server. We can track who uses the scripts (an added feature) and only the users we want can run them. Works very nice, its all windows, and i have the power i need.

 Points will be split 200/300 for efforts. thx
0
 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 13686348
Thanks!
0

Featured Post

Granular recovery for Microsoft Exchange

With Veeam Explorer for Microsoft Exchange you can choose the Exchange Servers and restore points you’re interested in, and Veeam Explorer will present the contents of those mailbox stores for browsing, searching and exporting.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

So you have two Windows Servers and you have a directory/folder/files on one that you'd like to mirror to the other?  You don't really want to deal with DFS or a 3rd party solution like Doubletake. You can use Robocopy from the Windows Server 200…
by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
Screencast - Getting to Know the Pipeline

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question